A cyber threat actor believed to align with Turkish government interests has been observed exploiting a vulnerability (CVE-2025-27920) in Output Messenger, a multiplatform chat solution, against user accounts that have not applied the fix.
The campaign was detected by Microsoft Threat Intelligence and has been ongoing since at least April 2024.
The threat actor, tracked as Marbled Dust by Microsoft, is believed to be a cyber-espionage group whose interests align with Turkey.
In a May 12 report sharing its findings, Microsoft Threat Intelligence assessed “with high confidence” that the targets of the campaign are associated with the Kurdish military operating in Iraq.
From Exploited Zero-Day to Patched Vulnerability
CVE-2025-27920 is a directory traversal vulnerability resulting from improper file path handling, identified in Output Messenger version 2.0.62 and affecting all versions before 2.0.63.
By using ../ sequences in parameters, attackers can access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
According to an advisory published in December 2024 by Srimax, the India-based company developing Output Messenger, the flaw was discovered by Microsoft and subsequently patched in version 2.0.63.
However, the vulnerability entry in CVE.org was reported by MITRE on May 5, 2025, and information about the vulnerability status is incomplete.
Enrichment data for this vulnerability is also missing, including the severity score (CVSS).
“Microsoft also identified a second vulnerability in Output Messenger (CVE-2025-27921) for which Srimax has also released a patch; however, Microsoft has not observed exploitation of this second vulnerability,” the Microsoft Threat Intelligence report added.
Marbled Dust’s Attack Chain
In this malicious campaign, Marbled Dust begins by gaining access to the Output Messenger Server Manager application as an authenticated user, likely through DNS hijacking or typo-squatted domains that allow the threat actor to intercept and reuse credentials.
The threat actor then leverages the compromised account to obtain the user's Output Messenger credentials and subsequently exploits the CVE-2025-27920 vulnerability.
According to the report, the threat actor started exploiting this vulnerability as far back as April 2024, months before it was detected, reported and fixed in an Output Messenger patch update.
Marbled Dust has also continued exploiting it on unpatched instances after Srimax’s fix was released.
Exploitation of CVE-2025-27920 allows Marbled Dust to drop a series of malicious files (OM.vbs, OMServerService.vbs, and OMServerService.exe) into specific directories on the Output Messenger server.
OMServerService.vbs calls OM.vbs, passing it to OMServerService.exe, a Golang backdoor. Then, OMServerService.exe connects to a hardcoded domain (api.wordinfos[.]com) for data exfiltration.
On the client side, the malware extracts and executes OutputMessenger.exe and OMClientService.exe, another Golang backdoor. OMClientService.exe checks connectivity to the command-and-control (C2) domain (api.wordinfos[.]com), sends hostname information and executes the C2's response using "cmd /c".
The malware has been observed connecting to a Marbled Dust-attributed IP address, likely for data exfiltration, using plink (PuTTY SSH client) to collect files and create a RAR file on the desktop.
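The stages described above can be checked for in endpoint and DNS telemetry. The following Python is an added example, not code from Microsoft, Srimax or the original article; the event schema, field names and sample paths are constructed assumptions, and only the file names, the domain, "cmd /c" and plink come from the report as summarised here.

```python
import re
from urllib.parse import unquote

# Names and domain as given in the article; the domain is re-fanged for matching only.
DROPPED = {"om.vbs", "omserverservice.vbs", "omserverservice.exe", "omclientservice.exe"}
BACKDOORS = {"omserverservice.exe", "omclientservice.exe"}
C2_DOMAIN = "api.wordinfos.com"
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def basename(path):
    """Last path component, lowercased; accepts Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def hunt(events):
    """Return (index, reason) for each event matching a stage of the described chain."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "request_param" and TRAVERSAL.search(unquote(ev["value"])):
            # unquote() decodes once, so %2e%2e%2f-style encodings of ../ are caught too
            hits.append((i, "traversal sequence in parameter"))
        elif kind == "file_create" and basename(ev["path"]) in DROPPED:
            hits.append((i, "file name from report"))
        elif kind == "dns_query" and ev["query"].lower().rstrip(".") == C2_DOMAIN:
            hits.append((i, "C2 domain lookup"))
        elif kind == "process_create":
            image, parent = basename(ev["image"]), basename(ev["parent"])
            if image == "cmd.exe" and parent in BACKDOORS and "/c" in ev["cmdline"].lower().split():
                hits.append((i, "backdoor spawned cmd /c"))
            elif image == "plink.exe":
                hits.append((i, "plink execution"))
    return hits

# Constructed sample telemetry; schema, paths and values are illustrative placeholders.
SAMPLE_EVENTS = [
    {"type": "request_param", "value": "reports/q1.pdf"},
    {"type": "request_param", "value": "..%2f..%2fplaceholder%2ffile.txt"},
    {"type": "file_create", "path": r"C:\placeholder\OMServerService.vbs"},
    {"type": "dns_query", "query": "API.wordinfos.com."},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\placeholder\OMClientService.exe", "cmdline": "cmd /c hostname"},
    {"type": "process_create", "image": r"C:\placeholder\plink.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "plink.exe <args>"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
]

print(hunt(SAMPLE_EVENTS))
```

A file-name or plink match on its own is a lead for triage rather than a verdict; confirm it against the file's location, hash and signer before acting.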