Microsoft Threat Intelligence attributes a regional cyber-espionage campaign that exploited a zero-day vulnerability in the Output Messenger chat application to Marbled Dust, a threat group affiliated with Türkiye. The attack primarily targeted entities in Iraq, including Kurdish military personnel, and used a multi-stage malware chain to collect intelligence.
Affected: Output Messenger Server, organizations in Iraq, Kurdish military.
Keypoints
- The campaign was first observed in April 2024 and exploited a zero-day directory traversal vulnerability in Output Messenger (CVE-2025-27920).
- Attackers dropped malicious scripts (“OMServerService.vbs” and “OM.vbs”) on the Output Messenger server to deploy a Go-based backdoor (“OMServerService.exe”) that connects to a command-and-control (C2) server.
- The backdoor allows threat actors to perform surveillance, steal communications, impersonate accounts, and pivot into the target organization’s infrastructure.
- A second backdoor (“OMClientService.exe”) is installed silently, enabling system fingerprinting, command execution, and data exfiltration via SSH tunnels.
- The operation is attributed to Marbled Dust, a Türkiye-linked espionage group known for targeting Middle Eastern and European government and telecom entities.
- This campaign marks an escalation in Marbled Dust’s capabilities, moving from DNS hijacking and credential theft to sophisticated zero-day exploitation.
- Microsoft has coordinated with Output Messenger’s developers to patch the vulnerabilities (CVE-2025-27920 and CVE-2025-27921) with updates available for clients and servers.
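The file names above are the most concrete hunting artifacts this summary gives. The following script is an added example, not code from the original page or from Microsoft's report: it scans process-creation telemetry for the script-host launches of the two droppers and for the two backdoor executables. The log format, the host names, the install directories and the Windows Startup-folder placement of OMServerService.vbs are constructed assumptions for the sample data, not facts stated on this page.

```python
"""Hunt for the Output Messenger intrusion chain in process-creation telemetry.

Added example. Indicators are the file names named in the summary above;
the log format, paths and host names are constructed assumptions.
"""
import re

DROPPER_SCRIPTS = {"omserverservice.vbs", "om.vbs"}          # from the summary
BACKDOOR_BINARIES = {"omserverservice.exe", "omclientservice.exe"}  # from the summary
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: fragment of the Windows Startup folder path, lower-cased.
STARTUP_MARKER = r"start menu\programs\startup"

# Constructed sample telemetry: host|parent_image|image|command_line
SAMPLE_LOG = """\
omsrv01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe "C:\\Users\\svc\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OMServerService.vbs"
omsrv01|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe "C:\\Program Files\\Output Messenger Server\\OM.vbs"
omsrv01|C:\\Windows\\System32\\wscript.exe|C:\\Program Files\\Output Messenger Server\\OMServerService.exe|OMServerService.exe
ws-07|C:\\Program Files\\Output Messenger\\OutputMessenger.exe|C:\\Users\\ali\\AppData\\Local\\Temp\\OMClientService.exe|OMClientService.exe
ws-07|C:\\Windows\\explorer.exe|C:\\Program Files\\Output Messenger\\OutputMessenger.exe|OutputMessenger.exe
"""


def basename(path):
    """Case-folded file name of a Windows or POSIX path, quotes stripped."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()


def cmdline_tokens(cmdline):
    """Split a command line into tokens, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmdline)]


def classify(line):
    """Return (host, reasons) for one telemetry line; empty reasons means no hit."""
    host, parent, image, cmdline = line.split("|", 3)
    reasons = []
    img = basename(image)
    if img in SCRIPT_HOSTS:
        # A script host running either dropper by name.
        for tok in cmdline_tokens(cmdline):
            if basename(tok) in DROPPER_SCRIPTS:
                where = "Startup folder" if STARTUP_MARKER in tok.lower() else "disk"
                reasons.append(f"{img} launched dropper {basename(tok)} from {where}")
    if img in BACKDOOR_BINARIES:
        # Either backdoor binary, with its parent for triage context.
        reasons.append(f"backdoor binary {img} started by {basename(parent)}")
    return host, reasons


def hunt(log_text):
    """Map host -> list of reasons for every line that matched an indicator."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, reasons = classify(line)
        if reasons:
            hits.setdefault(host, []).extend(reasons)
    return hits


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_LOG).items():
        for r in reasons:
            print(f"{host}: {r}")
```

Matches on file name alone need triage: confirm the hash and signer of the flagged binary and check whether the parent is the Output Messenger service or an unrelated script host, since a vendor component could share a name with the backdoor.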