A recent cyber espionage campaign exploited a zero-day vulnerability in Output Messenger, a self-hosted enterprise chat application, and predominantly targeted Kurdish military users in Iraq. The attack was linked to the Türkiye-based threat actor Marbled Dust, highlighting the risks in obscure enterprise tools.
Affected: Output Messenger systems, organizations using Output Messenger
Key points
- Marbled Dust, a threat group associated with Türkiye, exploited CVE-2025-27920, a directory traversal vulnerability in Output Messenger.
- The campaign, ongoing since April 2024, targeted Kurdish military-linked users in Iraq, signaling regional espionage activity.
- The attackers gained initial access via credential harvesting methods such as DNS hijacking and typo-squatting on login portals.
- They deployed backdoors using malicious VBS and GoLang-based services to establish stealthy persistent access and exfiltrate data.
- Despite patches being available from the vendor, many organizations remain unpatched, which increases their exposure.
- The campaign demonstrates how low-profile enterprise tools can serve as valuable targets for focused espionage operations.
- Organizations are advised to patch their systems, monitor network activity, and audit for signs of compromise related to Output Messenger.
Read More: https://thecyberexpress.com/marbled-dust-exploit-output-messenger-zero-day/