Since April 2024, the Marbled Dust threat actor has exploited a zero-day vulnerability (CVE-2025-27920) in the Output Messenger application to deliver malicious files and exfiltrate data from targets in Iraq, primarily associated with the Kurdish military. Microsoft Threat Intelligence recommends updating Output Messenger and provides detailed detection and mitigation guidance to combat this advanced espionage campaign. #MarbledDust #OutputMessenger
Key points
- Marbled Dust, a Türkiye-affiliated espionage group, exploited a zero-day directory traversal vulnerability (CVE-2025-27920) in Output Messenger to upload malicious scripts into the server’s startup directory.
- This campaign targeted organizations in Iraq, particularly those linked to the Kurdish military, resulting in unauthorized data collection and credential compromise.
- The vulnerability allowed authenticated users to replace files on the server and deploy GoLang-based backdoors disguised as legitimate files for data exfiltration and command-and-control communication.
- Microsoft notified Output Messenger’s developer Srimax, which promptly released patches for this zero-day and another vulnerability (CVE-2025-27921), although no exploitation of the latter was observed.
- Marbled Dust uses DNS hijacking, typo-squatted domains, and credential reuse to gain initial authentication before exploiting the vulnerability.
- Microsoft provides detailed mitigation recommendations including updating Output Messenger, enabling Defender protections, using anomaly detection, and applying conditional access policies.
- Microsoft Defender XDR offers hunting queries, detection alerts, and incident response playbooks to help detect and respond to Marbled Dust activity.
MITRE Techniques
- [T1210] Exploitation of Remote Services – Marbled Dust exploited a zero-day directory traversal vulnerability in Output Messenger Server Manager to upload malicious files to the startup directory. (“…Marbled Dust uses the Output Messenger zero-day exploit… to drop malicious files…”)
- [T1078] Valid Accounts – The threat actor leveraged stolen or intercepted credentials to authenticate as a valid user before exploiting the vulnerability. (“…leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials…”)
- [T1505] Server Software Component – The group implanted malicious scripts such as OMServerService.vbs to maintain persistence on compromised servers. (“…drops the malicious files OM.vbs and OMServerService.vbs to the Output Messenger server startup folder…”)
- [T1041] Exfiltration Over C2 Channel – Marbled Dust backdoors communicated with a hardcoded domain (api.wordinfos[.]com) to exfiltrate data. (“…OMServerService.exe is observed connecting to a hardcoded domain… for data exfiltration.”)
- [T1105] Ingress Tool Transfer – The attacker delivered multiple malicious files including GoLang backdoors to compromised systems. (“…deliver multiple malicious files and exfiltrate data from targets.”)
- [T1027] Obfuscated Files or Information – The group used GoLang backdoors to evade OS-version-based detection and disguised them as legitimate files. (“…OMServerService.exe, a GoLang backdoor masquerading as the legitimate file…”)
Indicators of Compromise
- [Domain] Malicious command-and-control domain – api.wordinfos[.]com is used by Marbled Dust for data exfiltration and C2 communication.
- [File Names] Malicious scripts and executables – OMServerService.vbs (startup folder), OM.vbs, OMServerService.exe (public videos directory) used to maintain persistence and establish backdoors.
- [File Hashes] Known malicious VBS script hashes – 1df959e4d2f48c4066fddcb5b3fd00b0b25ae44f350f5f35a86571abb2852e39, 2b7b65d6f8815dbe18cabaa20c01be655d8475fc429388a4541eff193596ae63.
- [IP Address] Suspected exfiltration IP addresses attributed to Marbled Dust observed in victim connections (exact IPs not disclosed in article).
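As an added example (not code from the Microsoft report or from Srimax), a small Python check a defender could run against the points above: upload_escapes_base shows the server-side containment test that the directory-traversal class described in the key points requires, and the two scan functions match a file inventory and DNS query log against the indicators listed here. The upload root C:\OMServer\Uploads, the startup path, and the DNS log format are assumptions; the sample records are constructed.

```python
import ntpath

# Indicators as listed in the report above (the domain is defanged there).
C2_DOMAIN = "api.wordinfos.com"
KNOWN_VBS_HASHES = {
    "1df959e4d2f48c4066fddcb5b3fd00b0b25ae44f350f5f35a86571abb2852e39",
    "2b7b65d6f8815dbe18cabaa20c01be655d8475fc429388a4541eff193596ae63",
}
DROPPED_NAMES = {"omserverservice.vbs", "om.vbs", "omserverservice.exe"}

def upload_escapes_base(base_dir: str, requested_name: str) -> bool:
    """Containment test for the traversal class: True if the client-supplied name
    resolves outside base_dir after '..' and '/' are normalised (Windows rules)."""
    base = ntpath.normpath(base_dir)
    target = ntpath.normpath(ntpath.join(base, requested_name))
    return not target.lower().startswith(base.lower().rstrip("\\") + "\\")

def scan_files(entries):
    """entries: (path, sha256) pairs from a file inventory; returns the paths whose
    hash or file name matches the indicators above."""
    hits = []
    for path, digest in entries:
        name = ntpath.basename(path).lower()
        if digest.lower() in KNOWN_VBS_HASHES or name in DROPPED_NAMES:
            hits.append(path)
    return hits

def scan_dns_log(lines):
    """lines: '<timestamp> <client> <qname> <qtype>' records (constructed format);
    returns the lines that queried the C2 domain or a name under it."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].lower().rstrip(".")  # tolerate FQDN trailing dot
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            hits.append(line)
    return hits

# Constructed sample data; paths are illustrative, not Output Messenger's real layout.
SAMPLE_FILES = [
    (r"C:\OMServer\Startup\OMServerService.vbs", "1df959e4d2f48c4066fddcb5b3fd00b0b25ae44f350f5f35a86571abb2852e39"),
    (r"C:\Users\Public\Videos\OMServerService.exe", "0" * 64),  # unknown hash, name still matches
    (r"C:\OMServer\Uploads\report.pdf", "1" * 64),
]
SAMPLE_DNS = [
    "2025-05-12T10:01:03Z 10.0.0.5 api.wordinfos.com. A",
    "2025-05-12T10:01:04Z 10.0.0.5 login.example.com A",
]
if __name__ == "__main__": print(scan_files(SAMPLE_FILES), scan_dns_log(SAMPLE_DNS))
```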