A Turkish-affiliated threat actor known as “Marbled Dust” is exploiting a zero-day vulnerability in Output Messenger to conduct cyber espionage against targets in Europe and the Middle East, focusing on Kurdish military personnel and organizations opposing the Turkish government. This campaign demonstrates an escalation in the group’s technical capabilities and operational severity.
Affected: Output Messenger users, organizations in Europe and the Middle East.
Keypoints
- “Marbled Dust,” a threat group linked to Turkey, has been exploiting a zero-day in Output Messenger since April 2024.
- The attack targets entities in Europe and the Middle East, especially Kurdish military personnel and opposing organizations.
- The exploit involves a directory traversal vulnerability (CVE-2025-27920) and DNS hijacking techniques for initial access.
- Attackers upload malicious files, including GoLang backdoors, to steal data and impersonate users.
- Microsoft informed Srimax, developer of Output Messenger, who subsequently released updates (version 2.0.63) to patch the vulnerabilities.
- There is no evidence that the second discovered XSS vulnerability (CVE-2025-27921) has been exploited.
- Security experts recommend immediate software updates and enhanced security measures for affected users.
Read More: https://dailydarkweb.net/turkish-cyber-espionage-campaign-leverages-zero-day-in-output-messenger/