Output Messenger flaw exploited as zero-day in espionage attacks

A Türkiye-backed cyberespionage group, Marbled Dust, exploited a zero-day vulnerability in Output Messenger to compromise users linked to the Kurdish military in Iraq. The attackers gained access to sensitive data, deployed malware, and could impersonate users, posing significant threats to targeted organizations.
Affected: Output Messenger users, Kurdish military-linked organizations, internal systems.

Key points

  • The threat group Marbled Dust exploited CVE-2025-27920, a directory traversal flaw in Output Messenger, to compromise Output Messenger servers used by its targets.
  • The vulnerability allowed attackers to read sensitive files outside the intended directory and to deploy malicious payloads on the servers.
  • After compromising servers, the group could steal data, access communications, impersonate users, and disrupt operations.
  • They used techniques such as DNS hijacking and typo-squatted domains to intercept credentials and gain initial access.
  • Attackers deployed a backdoor (OMServerService.exe) on victim devices to exfiltrate data and communicate with command-and-control servers.
  • The group has historically targeted telecom, IT, government organizations, and Kurdish websites in Europe and the Middle East.
  • The use of a zero-day exploit alongside DNS hijacking and typo-squatted domains indicates greater sophistication and operational urgency than the group's earlier campaigns.

Read More: https://www.bleepingcomputer.com/news/security/output-messenger-flaw-exploited-as-zero-day-in-espionage-attacks/