Marbled Dust Leverages Zero-Day in Output Messenger for Regional Espionage
Summary:
Microsoft Threat Intelligence identified a campaign by the Türkiye-affiliated espionage group Marbled Dust exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger chat platform. The flaw, in the Output Messenger Server Manager application, is a directory traversal in file upload: an authenticated user could write a file outside the intended upload location, including into the server's startup directory, where it is executed when the server restarts. Marbled Dust used it to plant malicious scripts and a backdoor, giving it data theft, user impersonation, and surveillance capability over every user connected to the server. The attacks primarily targeted entities associated with the Kurdish military in Iraq, consistent with Marbled Dust's ongoing focus on organizations it views as opposing Turkish interests, including government, telecommunications, and IT sector targets across Europe and the Middle East.
Microsoft reported the vulnerability to Output Messenger's developer, Srimax, which released patches for CVE-2025-27920 and for a second flaw, CVE-2025-27921, that has not been observed under exploitation. Once it had a foothold, the threat actor deployed two Visual Basic scripts and a Go-based backdoor, OMServerService.exe, to the Output Messenger server; the server's central position in the messaging architecture then let the actor intercept communications and harvest credentials.
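The following is an added illustration of the vulnerability class described in the summary, not Output Messenger's code: an authenticated upload handler that joins a client-supplied file name onto its upload directory without checking the result, so ".." segments walk out of that directory and into the Startup folder, beside a hardened handler that rejects such names and proves containment. Paths model a Windows server (so ntpath is used explicitly and the code runs anywhere); UPLOAD_DIR and the file names are constructed for the demonstration and are not the actual install path or exploit payload from the report.

```python
"""Directory traversal in a file-upload handler: flawed pattern vs. hardened one.

Illustrative code, not Output Messenger's. ntpath is used so the Windows path
semantics are modelled on any platform.
"""
import ntpath

# Assumed server-side upload directory (constructed, not the real install path).
UPLOAD_DIR = r"C:\OMServer\Uploads"
# The all-users Startup folder on Windows; anything placed here runs at logon.
STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

# Constructed inputs: one benign name, one traversal name that climbs from
# UPLOAD_DIR to the drive root and back down into the Startup folder, and one
# absolute path (ntpath.join simply discards base_dir for an absolute name).
BENIGN_NAME = "quarterly-report.pdf"
TRAVERSAL_NAME = r"..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\dropper.vbs"
ABSOLUTE_NAME = STARTUP_DIR + r"\dropper.vbs"


def vulnerable_upload_path(base_dir: str, filename: str) -> str:
    """The flawed pattern: trust the client's file name and just join it."""
    return ntpath.normpath(ntpath.join(base_dir, filename))


def safe_upload_path(base_dir: str, filename: str) -> str:
    """Hardened: accept only a bare file name, then prove the result stays in base."""
    base = ntpath.normpath(base_dir)
    # 1. The client may choose a name, never a location: no drive letter, no
    #    directory separators (ntpath treats "/" and "\" alike), no "." or "..".
    if filename in ("", ".", "..") or ntpath.basename(filename) != filename:
        raise ValueError(f"rejected file name: {filename!r}")
    # 2. Defence in depth: the normalised result must still sit under base.
    candidate = ntpath.normpath(ntpath.join(base, filename))
    if ntpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload directory: {candidate!r}")
    return candidate


def is_accepted(filename: str) -> bool:
    """True if the hardened handler would store a file under this name."""
    try:
        safe_upload_path(UPLOAD_DIR, filename)
        return True
    except ValueError:
        return False


def landed_in_startup(path: str) -> bool:
    """Detection-style check: does a resolved write path sit in the Startup folder?"""
    try:
        return ntpath.commonpath([STARTUP_DIR, path]).lower() == STARTUP_DIR.lower()
    except ValueError:  # different drive or relative/absolute mix: not in Startup
        return False


def demo() -> dict:
    """Run both handlers over the constructed names; returns a result table."""
    results = {}
    for name in (BENIGN_NAME, TRAVERSAL_NAME, ABSOLUTE_NAME):
        resolved = vulnerable_upload_path(UPLOAD_DIR, name)
        try:
            hardened = safe_upload_path(UPLOAD_DIR, name)
        except ValueError as exc:
            hardened = f"REJECTED ({exc})"
        results[name] = {
            "vulnerable": resolved,
            "in_startup": landed_in_startup(resolved),
            "hardened": hardened,
        }
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name!r}")
        print(f"  vulnerable -> {row['vulnerable']}  (in Startup: {row['in_startup']})")
        print(f"  hardened   -> {row['hardened']}")
```

Reducing the client's input to a bare file name is the check that matters; the containment test on the normalised path is there so that a later refactor (say, a client-chosen subfolder) cannot silently reopen the hole. An extension allowlist on top of this would have stopped the .vbs drop even if the path check had been bypassed.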
Security Officer Comments:
Microsoft assesses, based on the group's past tactics, that Marbled Dust most likely obtained the user credentials needed for the authenticated upload through DNS hijacking or typo-squatted domains. Once inside, the attackers collected further user credentials, executed malicious scripts, and exfiltrated data, in some cases using plink, PuTTY's command-line connection tool, to move it over SSH. The operation marks a notable step up in Marbled Dust's technical sophistication, and organizations running Output Messenger should update immediately to close off further exploitation.
Suggested Corrections:
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
Strengthen operating environment configuration
- Ensure that Output Messenger is updated to a version that is not affected by the vulnerability:
  - Version 2.0.63 for Windows
  - Version 2.0.62 for Server
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product.
- Create Defender for Cloud Apps anomaly detection policies.
- Use a vulnerability management system, such as Microsoft Defender Vulnerability Management, to manage vulnerabilities, weaknesses, and remediation efforts across your environment’s operating systems, software inventories, and network devices.
- Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Organizations can also use Microsoft Defender External Attack Surface Management (EASM), a tool that continuously discovers and maps an organization's digital attack surface to provide an external view of its online infrastructure. EASM combines vulnerability and infrastructure data to generate Attack Surface Insights, reporting that highlights the key risks for a given organization.
- Microsoft Defender XDR customers can turn on attack surface reduction rules to block common attack techniques used by threat actors.
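As an added example for the first mitigation above (not tooling from Microsoft or Srimax), the check below triages a software inventory against the fixed Output Messenger versions using numeric, component-wise comparison. A plain string comparison gets this wrong ("2.0.9" sorts after "2.0.63" as text), which is exactly the kind of bug that leaves a vulnerable server marked as patched. The inventory rows and host names are constructed.

```python
"""Triage an Output Messenger inventory against the fixed versions listed above.

Illustrative code; the fixed versions are from the mitigation list, the
inventory is constructed.
"""
from typing import NamedTuple

# Minimum fixed versions from the mitigation list, keyed by edition.
FIXED_VERSIONS = {
    "Windows": (2, 0, 63),
    "Server": (2, 0, 62),
}


def parse_version(text: str) -> tuple[int, ...]:
    """'2.0.63' -> (2, 0, 63); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(edition: str, version: str) -> bool:
    """True when `version` is below the fixed version for this edition."""
    if edition not in FIXED_VERSIONS:
        raise KeyError(f"unknown Output Messenger edition: {edition!r}")
    # Tuple comparison is component-wise and numeric: (2, 0, 9) < (2, 0, 62).
    return parse_version(version) < FIXED_VERSIONS[edition]


class Host(NamedTuple):
    name: str
    edition: str
    version: str


# Constructed inventory; "2.0.9" is the case that defeats string comparison.
INVENTORY = [
    Host("om-srv-01", "Server", "2.0.62"),
    Host("om-srv-02", "Server", "2.0.9"),
    Host("ws-01", "Windows", "2.0.63"),
    Host("ws-02", "Windows", "2.0.59"),
]


def triage(inventory=INVENTORY) -> list[str]:
    """Names of hosts still on a vulnerable version (correct, numeric compare)."""
    return [h.name for h in inventory if needs_update(h.edition, h.version)]


def naive_triage(inventory=INVENTORY) -> list[str]:
    """The buggy alternative, lexicographic string compare; shown for contrast."""
    return [
        h.name for h in inventory
        if h.version < ".".join(map(str, FIXED_VERSIONS[h.edition]))
    ]


if __name__ == "__main__":
    print("needs update (numeric):", triage())
    print("needs update (string, WRONG):", naive_triage())
```

The numeric triage flags om-srv-02 and ws-02; the string comparison misses om-srv-02 entirely. The same parse-then-compare approach applies to any vulnerability-management feed that reports versions as strings.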
https://www.microsoft.com/en-us/sec...y-in-output-messenger-for-regional-espionage/