Espionage Group Exploits Zero-Day in Output Messenger Targeting Kurdish Forces

A new report by the Microsoft Threat Intelligence team has provided details on an espionage group based out of Turkey that has been exploiting a zero-day flaw in Output Messenger to target military personnel in Iraq.

The group, known as Marbled Dust, has been running its current campaign since April 2024, exploiting a critical flaw in Output Messenger (CVE-2025-27920) that was a zero-day when the attacks began and has only since been patched. The bug lets an authenticated attacker write files outside the intended directory, which the group used to deploy malicious files on compromised systems and exfiltrate sensitive data. Microsoft said it has investigated and confirmed that victims include people affiliated with Kurdish military forces, in line with Marbled Dust's previous targeting in the Middle East and Europe.

"In previous campaigns, Marbled Dust was observed scanning targeted infrastructure for known vulnerabilities in internet-facing appliances or applications and exploiting these vulnerabilities as a means of gaining initial access to target infrastructure providers," read the report. "They were also observed using access to compromised DNS registries and/or registrars to reset the DNS server configuration of government organizations in various countries to intercept traffic, enabling them to log and reuse stolen credentials."

The flaw exploited in the latest wave of attacks is a directory traversal vulnerability in the server-side component of Output Messenger. It lets an authenticated user upload files into the server's startup directory, so a dropped payload runs automatically at startup and gives the attackers persistent access. Microsoft researchers observed Marbled Dust using this flaw to deploy a Go-based backdoor, which allowed the group to intercept communications, impersonate users and steal data from within targeted networks.
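The class of bug described above, as an added example: this is not Output Messenger's code and is not taken from Microsoft's report. It is a hypothetical upload handler shown in its vulnerable form (the client-supplied file name is joined onto the upload root as-is) beside a hardened form (normalise first, then refuse anything that does not stay strictly inside the root). The directory names are assumed for illustration, and paths are handled as forward-slash strings so the example behaves the same on every platform.

```python
"""Directory traversal in a file-upload handler: vulnerable vs. hardened.

Added example. Not Output Messenger's code and not taken from Microsoft's
report; UPLOAD_ROOT and STARTUP_DIR are hypothetical paths chosen to show
how an authenticated upload can be steered into a startup folder. Paths
are handled as forward-slash strings so the example runs the same on any
platform.
"""
import posixpath

UPLOAD_ROOT = "/srv/om/uploads"  # hypothetical upload directory
# Windows all-users Startup folder, written with forward slashes and no drive letter.
STARTUP_DIR = "/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp"


def _normalise(root: str, filename: str) -> str:
    """Join the client-supplied name onto root and collapse '.', '..' and
    duplicate separators. Backslashes are treated as separators because
    Windows accepts both."""
    return posixpath.normpath(posixpath.join(root, filename.replace("\\", "/")))


def vulnerable_target(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Trusts the name verbatim: '../' segments (or an absolute path) let an
    authenticated user pick any writable directory on the server."""
    return _normalise(root, filename)


def is_within(root: str, target: str) -> bool:
    """True only if target is a strict descendant of root. The trailing
    separator matters: '/srv/om/uploads2/x' must not pass for root
    '/srv/om/uploads', and root itself (no file name) must not pass either."""
    root = posixpath.normpath(root)
    return target.startswith(root.rstrip("/") + "/")


def safe_target(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened: normalise first, then refuse anything that is not strictly
    inside the upload root. The check runs on the normalised path, never on
    the raw client string, so '..' and absolute paths are caught alike."""
    if "\x00" in filename:
        raise ValueError("NUL byte in file name")
    target = _normalise(root, filename)
    if not is_within(root, target):
        raise ValueError(f"path escapes upload root: {target}")
    return target


if __name__ == "__main__":
    payload = "../../../" + STARTUP_DIR.lstrip("/") + "/OMServerService.vbs"
    print("vulnerable ->", vulnerable_target(payload))  # lands in the Startup folder
    try:
        safe_target(payload)
    except ValueError as exc:
        print("hardened   -> rejected:", exc)
    print("hardened   ->", safe_target("report.pdf"))
```

The containment check is done on the normalised path and requires a trailing separator on the root; checking `startswith(root)` alone would accept a sibling directory whose name merely begins with the root's name.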

Microsoft disclosed the vulnerability to Srimax, the developer of Output Messenger, which has since issued patches for both the initial flaw and a second vulnerability (CVE-2025-27921) that has not been seen exploited. Users are urged to update to version 2.0.63 (Windows) or 2.0.62 (Server) to mitigate risk.

In its campaign, Marbled Dust used files named OMServerService.vbs and OMServerService.exe, the latter a disguised Go backdoor, to gain access and maintain persistence. The attacker's command-and-control infrastructure includes the domain api.wordinfos[.]com, which has been tied to data exfiltration.

Microsoft's report outlines a full attack chain beginning with credential theft, possibly via DNS hijacking, followed by the exploitation of Output Messenger's server application and deployment of multiple backdoors. Some infections were observed connecting to attacker infrastructure via Plink, a command-line SSH tool, to transfer stolen data.

The company also provided mitigation steps, including enabling cloud-delivered protection in Microsoft Defender Antivirus, deploying phishing-resistant authentication via Entra ID and using Microsoft Defender Vulnerability Management. Microsoft Defender XDR customers are advised to enable Endpoint Detection and Response (EDR) in block mode and to use advanced hunting queries to detect known file hashes and network indicators tied to the campaign.
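One way to turn the indicators named in this article into a check over endpoint telemetry, as an added example that is not from the article or from Microsoft's report: it matches the two file names and the C2 domain above against key=value log lines. The log format, the field names (host, image, path, query, remote) and the sample lines are constructed for this example; Microsoft's own advanced hunting queries are written in KQL against Defender tables rather than flat text, and the file hashes from the report do not appear on this page and so are not included.

```python
"""Match this campaign's published indicators against endpoint log lines.

Added example, not from the article or from Microsoft's report. The
indicators are the two file names and the C2 domain named in the article;
the key=value log format, field names and sample lines are constructed for
this example. Hashes from the report are not on the page and are omitted.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

IOC_FILENAMES = {"omserverservice.vbs", "omserverservice.exe"}  # from the article
IOC_DOMAINS_DEFANGED = {"api.wordinfos[.]com"}                  # as published, defanged
STARTUP_MARKER = "/start menu/programs/startup/"                 # Windows Startup folder, normalised


def refang(domain: str) -> str:
    """Undo common defanging ('[.]', '(.)') so published IOCs compare
    against what telemetry actually records."""
    return domain.lower().replace("[.]", ".").replace("(.)", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse 'key=value key2="value with spaces"' into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def norm_path(p: str) -> str:
    """Lower-case and use forward slashes so Windows paths compare reliably."""
    return p.replace("\\", "/").lower()


@dataclass(frozen=True)
class Hit:
    host: str
    indicator: str
    reason: str


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per indicator match across the given log lines."""
    hits: List[Hit] = []
    for line in lines:
        f = parse_line(line)
        host = f.get("host", "unknown")
        # File-name indicators: check both process images and file-write paths,
        # and note when the file sits in a Startup folder (the persistence
        # location the article describes).
        for field in ("image", "path"):
            p = norm_path(f.get(field, ""))
            if not p:
                continue
            name = p.rsplit("/", 1)[-1]
            if name in IOC_FILENAMES:
                reason = f"{field} matches campaign file name"
                if STARTUP_MARKER in p:
                    reason += " in a Startup folder"
                hits.append(Hit(host, name, reason))
        # Network indicator: DNS query name or remote host of a connection.
        # A trailing dot (FQDN form) is stripped before comparison.
        for field in ("query", "remote"):
            d = f.get(field, "").lower().rstrip(".")
            if d in IOC_DOMAINS:
                hits.append(Hit(host, d, f"{field} matches campaign C2 domain"))
    return hits


# Constructed sample telemetry; not real log data.
SAMPLE_LOG = [
    'ts=2025-04-12T10:03:11Z host=om-srv01 event=ProcessCreate image="C:\\Windows\\System32\\svchost.exe"',
    'ts=2025-04-12T10:05:40Z host=om-srv01 event=FileCreate path="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\OMServerService.vbs"',
    'ts=2025-04-12T10:05:41Z host=om-srv01 event=ProcessCreate image="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\OMServerService.exe"',
    'ts=2025-04-12T10:05:43Z host=om-srv01 event=DnsQuery query=api.wordinfos.com',
    'ts=2025-04-12T10:06:02Z host=ws-17 event=DnsQuery query=www.microsoft.com',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.host}: {h.indicator} ({h.reason})")
```

Matching on file name alone is noisy by itself; the Startup-folder annotation is what makes a hit on OMServerService.exe worth paging on, and in a real deployment the report's hashes would be added alongside the names.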

Microsoft credited Srimax for their cooperation and emphasized that organizations should immediately apply the latest patches to defend against this threat.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
