A Türkiye-affiliated advanced persistent threat (APT) group, dubbed Marbled Dust, has been linked to the active exploitation of a zero-day vulnerability in Output Messenger, an enterprise communication platform developed by Srimax. The campaign, which began in April 2024, specifically targets systems associated with Kurdish military and government organizations in Iraq.

The vulnerability, tracked as CVE-2025-27920, is a directory traversal flaw in Output Messenger version 2.0.62. It allows authenticated attackers to upload and execute arbitrary files, effectively taking full control of affected systems. Although the vendor patched this issue in version 2.0.63, the original advisory did not disclose any known in-the-wild exploitation—until now.
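The flaw class described above, directory traversal in an authenticated file-upload path, comes down to one missing check: the server must confirm that the client-supplied file name, once joined to the upload directory and normalised, still lies inside that directory. The following Python example is added here for illustration and is not Output Messenger code; it shows a naive join beside a hardened containment check over a constructed temporary upload root, with constructed file names as test input.

```python
import os
import tempfile
from pathlib import Path

# Constructed upload root for the demonstration (an assumption, not a real
# Output Messenger path); created fresh so the example runs offline.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads_"))


def unsafe_target_path(filename: str) -> Path:
    """Naive join: trusts the client-supplied name, so '..' segments
    escape the upload directory after normalisation."""
    return Path(os.path.normpath(str(UPLOAD_ROOT / filename)))


def safe_target_path(filename: str) -> Path:
    """Hardened join: resolve the candidate path and require that it is the
    upload root itself or has the upload root as an ancestor.

    Raises ValueError for absolute paths and for any name that escapes the root.
    Note: on POSIX a backslash is an ordinary character, so '..\\x' is a plain
    file name here; on Windows pathlib treats both separators alike.
    """
    root = UPLOAD_ROOT.resolve()
    if Path(filename).is_absolute():
        # (root / "/etc/passwd") discards the root entirely, so reject early.
        raise ValueError("absolute paths are not allowed")
    candidate = (root / filename).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return candidate


def escapes_root(path: Path) -> bool:
    """True when `path` (as produced by the naive join) lies outside UPLOAD_ROOT."""
    root = UPLOAD_ROOT.resolve()
    p = Path(os.path.abspath(path))
    return p != root and root not in p.parents


def classify_uploads(filenames):
    """Run the hardened check over a batch of names and report
    'accepted' or 'rejected' for each one."""
    verdicts = {}
    for name in filenames:
        try:
            safe_target_path(name)
            verdicts[name] = "accepted"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample names: one benign, one that re-enters the root,
    # and three traversal / absolute-path attempts that must be rejected.
    sample = ["notes.txt", "sub/../inside.txt",
              "../../../escape.exe", "/etc/passwd", "sub/../../escape.txt"]
    for name, verdict in classify_uploads(sample).items():
        print(f"{verdict:8} {name}")
    print("naive join escapes root:", escapes_root(unsafe_target_path("../../escape.exe")))
```

The containment test uses `Path.resolve()` rather than a string search for `..`, so it also catches names that only escape after symlink resolution, and it must run on the server side: nothing the client sends can be trusted to be well-formed.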


Attack Chain and Infection Vector

According to researchers from the Microsoft Threat Intelligence team, the attack began with Marbled Dust gaining access to the Output Messenger Server Manager. The attackers may have obtained credentials through DNS hijacking, typosquatted domains, or phishing techniques to deceive administrators into logging into spoofed servers.

Once access was established, the threat actors uploaded malicious scripts and a Golang-based backdoor disguised as a service named OMServerService.exe. This backdoor connected to a hard-coded command-and-control (C2) domain, enabling the attackers to exfiltrate sensitive data and maintain persistence on the compromised systems.


Client-Side Payload and Persistence

On the client side, the threat actors deployed a trojanized installer that executed both the legitimate OutputMessenger.exe and a second Golang-based payload called OMClientService.exe. This secondary component:

  • Connected to the attacker-controlled C2 server.
  • Conducted system reconnaissance and connectivity checks.
  • Executed attacker-supplied commands remotely.

This dual-stage infection allowed attackers to blend in with regular traffic while maintaining remote access to client machines.


Additional XSS Vulnerability Discovered

In parallel, Microsoft also identified another vulnerability, CVE-2025-27921, affecting the same Output Messenger version. This reflected cross-site scripting (XSS) flaw, although serious, has not been observed in active exploitation during this campaign.


Recommendations and Mitigation Steps

Organizations using Output Messenger are urged to take immediate action:

  • Update to version 2.0.63 or later to patch CVE-2025-27920 and CVE-2025-27921.
  • Audit login logs and server activity for unauthorized access to the Server Manager.
  • Check for indicators of compromise, especially the presence of OMServerService.exe and OMClientService.exe.
  • Implement DNS monitoring and filtering to detect typosquatted domains.
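The third recommendation, checking hosts for the two backdoor file names, is easy to script. The Python example below is added here and is not tooling from Microsoft or Srimax: it walks a directory tree, matches file names case-insensitively against the two names the report gives, and returns each hit with its SHA-256 so the value can be compared with published hashes. The directory it scans is a constructed temporary tree with placeholder contents; on a real host you would point it at the Output Messenger install directories instead.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names the Microsoft report associates with the Golang-based backdoors.
# Matching is case-insensitive because NTFS paths are case-insensitive.
IOC_FILENAMES = {"omserverservice.exe", "omclientservice.exe"}


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_ioc_files(root):
    """Walk `root` and return a sorted list of dicts for files whose name
    matches an IoC: {"path", "name", "sha256"}.

    Only the name is matched here; the hash is returned so the caller can
    check it against vendor- or Microsoft-published values (not reproduced
    on this page)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in IOC_FILENAMES:
                p = Path(dirpath) / name
                hits.append({"path": str(p), "name": name, "sha256": sha256_of(p)})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree():
    """Construct a throwaway directory that mimics a suspicious install.
    Contents are placeholders (constructed sample data), not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="om_hunt_"))
    client = root / "Output Messenger"
    client.mkdir()
    (client / "OutputMessenger.exe").write_bytes(b"legitimate client placeholder")
    (client / "OMClientService.exe").write_bytes(b"suspicious placeholder A")
    server_bin = root / "Server" / "bin"
    server_bin.mkdir(parents=True)
    (server_bin / "omserverservice.exe").write_bytes(b"suspicious placeholder B")
    (server_bin / "config.ini").write_bytes(b"unrelated file")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in hunt_ioc_files(sample_root):
        print(f"{hit['sha256']}  {hit['path']}")
```

A name-only match is a triage signal, not a verdict: an analyst would follow up by hashing the file, checking its signature and its launching service, and reviewing the Server Manager login history mentioned in the second recommendation.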

Conclusion

The Marbled Dust cyberespionage campaign targeting Output Messenger users in sensitive geopolitical regions highlights the growing trend of exploiting communication tools as attack vectors. As nation-state actors continue to weaponize zero-days in widely used enterprise applications, it is essential for organizations to enforce strict update policies and enhance endpoint visibility.
