Attackers Leverage Unpatched Output Messenger 0‑Day to Deliver Malicious Payloads
A Türkiye-affiliated espionage threat actor, tracked by Microsoft Threat Intelligence as Marbled Dust (also known as Sea Turtle and UNC1326), has been exploiting a zero-day vulnerability in Output Messenger, a popular multiplatform chat software.
Identified as CVE-2025-27920, this directory traversal flaw in the Output Messenger Server Manager application allows authenticated attackers to upload malicious files directly into the server’s startup directory.
Microsoft researchers observed that Marbled Dust specifically targets entities in Iraq, with a high-confidence assessment linking the victims to Kurdish military operations, aligning with the actor’s historical focus on groups opposing Turkish government interests.
By exploiting this vulnerability, the threat actor has successfully delivered malicious payloads, collected sensitive user data, and exfiltrated information from compromised systems.
Microsoft also identified a second vulnerability, CVE-2025-27921, though no exploitation of this flaw has been observed to date.
Srimax, the developer of Output Messenger, has released patches for both issues, with version 2.0.63 for Windows and 2.0.62 for Server addressing the exploited flaw.
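The bug class behind CVE-2025-27920, a client-supplied file name that is joined to a server directory without containment checks, is easy to illustrate. The following Python is an added example, not Output Messenger's code or Srimax's fix: the directory name `/srv/om/uploads` and the function names are assumptions chosen for the demonstration. It shows the vulnerable join beside a hardened version that rejects anything other than a bare file name and verifies the normalised result still lies under the intended root.

```python
import os

# Added illustration of the directory-traversal bug class described above.
# Generic example code, not Output Messenger's implementation: the directory
# layout and function names are assumptions made for this demonstration.
UPLOAD_ROOT = "/srv/om/uploads"   # assumed intended destination for uploads


def vulnerable_upload_path(root: str, client_filename: str) -> str:
    """Vulnerable pattern: the client-controlled name is joined to the root
    unchecked, so '..' segments walk out of the upload directory into a
    sibling such as a startup folder."""
    return os.path.join(root, client_filename)


def traversal_escapes(root: str, client_filename: str) -> bool:
    """Report whether the vulnerable join lands outside root once normalised."""
    root = os.path.normpath(root)
    candidate = os.path.normpath(vulnerable_upload_path(root, client_filename))
    return os.path.commonpath([root, candidate]) != root


def is_safe_upload_name(client_filename: str) -> bool:
    """Accept only a bare file name: no separators, no '.', '..' or empty names."""
    if not client_filename or client_filename in (".", ".."):
        return False
    if "/" in client_filename or "\\" in client_filename:
        return False
    return True


def hardened_upload_path(root: str, client_filename: str) -> str:
    """Hardened pattern: reject anything that is not a bare name, then confirm
    the normalised result is still contained in root before returning it."""
    if not is_safe_upload_name(client_filename):
        raise ValueError(f"rejected upload name: {client_filename!r}")
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, client_filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("upload path escapes the upload root")
    return candidate


if __name__ == "__main__":
    for name in ("notes.txt", "../startup/OMServerService.vbs"):
        print(name, "escapes root:", traversal_escapes(UPLOAD_ROOT, name))
```

The containment check after normalisation is deliberate belt-and-braces: the name filter alone would stop the traversal, but the second check also catches future code paths that build the candidate from other inputs.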
Sophisticated Attack Chain
Marbled Dust’s attack chain demonstrates a notable escalation in technical sophistication.

The group begins by gaining authenticated access to the Output Messenger Server Manager, potentially through tactics like DNS hijacking or typo-squatted domains to intercept credentials, methods consistent with their past campaigns targeting government and telecom sectors in Europe and the Middle East.
Once inside, they exploit CVE-2025-27920 to drop malicious files such as OMServerService.vbs and OM.vbs into the startup folder, and place OMServerService.exe, a GoLang backdoor, in a public directory.
This backdoor connects to a hardcoded command-and-control (C2) domain, api.wordinfos[.]com, enabling data exfiltration.
On the client side, another GoLang backdoor, OMClientService.exe, is deployed to communicate with the same C2 domain, executing remote commands and, in some instances, packaging stolen files into RAR archives for extraction via tools like plink (a command-line SSH client).
Microsoft assesses with moderate confidence that Marbled Dust conducts reconnaissance to identify Output Messenger users before targeting them, signaling a strategic shift in their operational urgency.
This zero-day exploit not only grants access to user communications but also risks widespread credential compromise and operational disruptions by allowing the impersonation of users across the platform.
Mitigation and Urgent Recommendations
Microsoft urges immediate action to mitigate this threat, emphasizing the necessity of updating Output Messenger to the patched versions to neutralize CVE-2025-27920.
Organizations should enable cloud-delivered protection in Microsoft Defender Antivirus, deploy anomaly detection policies in Defender for Cloud Apps, and utilize vulnerability management tools like Microsoft Defender Vulnerability Management.
Additional safeguards include enforcing phishing-resistant authentication via Entra ID Conditional Access and activating attack surface reduction rules in Microsoft Defender XDR.
Microsoft also provides advanced hunting queries and detection alerts to identify Marbled Dust activity, such as connections to suspicious domains or the presence of malicious files like OMServerService.vbs.
With the group’s history of exploiting internet-facing vulnerabilities and DNS manipulation, continuous monitoring and a robust security posture are critical to thwart their evolving tactics.
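To make the hunting guidance concrete, the following Python triage script is an added example and is not Microsoft's published hunting query or detection logic. It runs the indicators named on this page (the C2 domain api.wordinfos[.]com, the file names OMServerService.vbs, OM.vbs, OMServerService.exe and OMClientService.exe, and plink as a weaker exfiltration signal) over constructed sample telemetry; the JSON-lines schema, host names and directory paths are assumptions made up for the demonstration.

```python
import json
import re

# Constructed sample telemetry for this example (not real logs). One JSON event
# per line; the event names, host names and paths are assumptions.
SAMPLE_EVENTS = r"""
{"event": "file_create", "host": "om-srv01", "path": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\OMServerService.vbs"}
{"event": "file_create", "host": "om-srv01", "path": "C:\\Users\\Public\\OMServerService.exe"}
{"event": "dns_query", "host": "ws-kd-07", "query": "api.wordinfos.com"}
{"event": "process_start", "host": "ws-kd-07", "image": "C:\\Users\\Public\\OMClientService.exe"}
{"event": "process_start", "host": "ws-kd-07", "image": "C:\\Tools\\plink.exe"}
{"event": "dns_query", "host": "ws-kd-09", "query": "login.microsoftonline.com"}
{"event": "file_create", "host": "ws-kd-09", "path": "C:\\Users\\alice\\Documents\\report.docx"}
"""

# Indicators taken from the page; the domain is written defanged there as api.wordinfos[.]com.
C2_DOMAIN = "api.wordinfos.com"
MALICIOUS_FILES = {
    "omserverservice.vbs", "om.vbs", "omserverservice.exe", "omclientservice.exe",
}
# plink is a legitimate SSH client, so on its own it is only a low-confidence signal.
SUSPICIOUS_TOOLS = {"plink.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict):
    """Return (severity, reason) for an event matching an indicator, else None."""
    kind = event.get("event")
    if kind == "dns_query":
        q = event.get("query", "").lower().rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            return ("high", f"DNS lookup of Marbled Dust C2 domain {q}")
    elif kind == "file_create":
        name = basename(event.get("path", ""))
        if name in MALICIOUS_FILES:
            return ("high", f"creation of known malicious file {name}")
    elif kind == "process_start":
        name = basename(event.get("image", ""))
        if name in MALICIOUS_FILES:
            return ("high", f"execution of known backdoor {name}")
        if name in SUSPICIOUS_TOOLS:
            return ("low", f"{name} started; review for RAR staging and outbound SSH")
    return None


def hunt(lines: str) -> list:
    """Parse JSON-lines telemetry and collect every event that matches an indicator."""
    hits = []
    for lineno, raw in enumerate(lines.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        verdict = classify(event)
        if verdict:
            hits.append({"line": lineno, "host": event.get("host"),
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


def hosts_needing_response(hits: list) -> list:
    """Hosts with at least one high-severity hit, sorted for reporting."""
    return sorted({h["host"] for h in hits if h["severity"] == "high"})


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"line {hit['line']:>2} {hit['severity']:<4} {hit['host']}: {hit['reason']}")
    print("hosts to isolate and image:", hosts_needing_response(hunt(SAMPLE_EVENTS)))
```

The file-name rules match on basename only, so they fire wherever the file lands; in a real environment you would add the startup-folder location to the reason text and feed the high-severity hosts into incident response, while the plink hits go to an analyst queue because the tool has legitimate uses.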
Indicators of Compromise (IOC)
| Indicator | Type | Description | First Seen | Last Seen |
|---|---|---|---|---|
| hxxps://api.wordinfos[.]com | Domain | Marbled Dust C2 Domain | April 2024 | Ongoing |