A threat group affiliated with Turkey exploited a zero-day vulnerability in Output Messenger for cyber espionage activities targeting Iraqi Kurdish military personnel. The attack involved sophisticated malware deployment and data exfiltration techniques, indicating increased operational complexity.
Affected: Output Messenger, Iraqi Kurdish military systems, Middle Eastern organizations
Key points
- A Turkish-affiliated threat actor exploited a zero-day vulnerability (CVE-2025-27920) in Output Messenger to conduct espionage campaigns since April 2024.
- The attack targeted users associated with Iraqi Kurdish military entities, collecting sensitive user data.
- The threat group, known as Marbled Dust, has been active since at least 2017 and is known for targeting Middle East and North Africa organizations.
- The exploitation involved gaining access through credential interception methods like DNS hijacking or typosquatting to deploy malware payloads.
- The dropped malware includes scripts and backdoors (OM.vbs, OMServerService.vbs, OMServerService.exe, and OMClientService.exe) that connect to a command-and-control (C2) domain for data exfiltration.
- Microsoft observed a second vulnerability (CVE-2025-27921), a reflected XSS flaw, although no active exploitation was detected.
- The attack demonstrates an escalation in Marbled Dust’s technical capabilities and operational urgency, signaling increased sophistication.
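As an added example (not from the article or from Microsoft's report), the script below scans Sysmon-style process-creation events for the dropped file names listed above: either one of the dropped executables being launched, or a Windows script host (wscript.exe/cscript.exe) running one of the dropped .vbs files. The event field names and the sample events are constructed for illustration.

```python
import json
import re
from typing import List, Optional, Tuple

# File names the article reports as dropped by the Output Messenger exploit chain.
DROPPED_FILES = {"OM.vbs", "OMServerService.vbs", "OMServerService.exe", "OMClientService.exe"}
# Windows script hosts that run .vbs files (the dropped scripts need one of these).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify(event: dict) -> Optional[str]:
    """Label one process-creation event if it matches the drop chain, else None."""
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    if image in DROPPED_FILES:
        return f"dropped-binary-executed:{image}"
    if image.lower() in SCRIPT_HOSTS:
        for name in DROPPED_FILES:
            if name.endswith(".vbs") and name.lower() in cmdline:
                return f"dropped-script-executed:{name}"
    return None


def scan(lines) -> List[Tuple[str, str, str]]:
    """Run classify() over JSON-lines events; returns (time, host, label) hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        label = classify(event)
        if label:
            hits.append((event.get("UtcTime", "?"), event.get("Computer", "?"), label))
    return hits


# Constructed sample events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-05-12 08:01:10", "Computer": "WS01", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"UtcTime": "2025-05-12 08:02:31", "Computer": "WS01", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe \"C:\\Users\\u\\AppData\\Roaming\\OM.vbs\""}
{"UtcTime": "2025-05-12 08:02:35", "Computer": "WS01", "Image": "C:\\ProgramData\\OMClientService.exe", "CommandLine": "OMClientService.exe"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

File-name matching is a starting point only; an attacker can rename the droppers, so pair it with detections on the Output Messenger server process spawning script hosts and on the C2 domain.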
Read More: https://thehackernews.com/2025/05/turkiye-hackers-exploited-output.html