CyberSecurity news
@www.microsoft.com
A zero-day vulnerability, identified as CVE-2025-27920, in the Output Messenger application is being actively exploited in espionage attacks. Microsoft Threat Intelligence has been tracking these attacks since April 2024, attributing the activity to a Türkiye-affiliated threat actor known as Marbled Dust. The vulnerability is a directory traversal flaw that allows attackers to access sensitive files outside the intended directory, potentially leading to data exfiltration and further exploitation. The targets of these attacks are primarily associated with the Kurdish military operating in Iraq, aligning with Marbled Dust's previously observed targeting priorities.
The exploitation involves gaining access to the Output Messenger Server Manager, enabling attackers to steal sensitive data, impersonate users, and deploy malicious payloads. Marbled Dust has been observed using this vulnerability to save malicious files to the startup folder, facilitating the execution of a Go-based backdoor. This backdoor enables full surveillance and command execution on the victim server, allowing the threat actors to steal user communications and pivot further into organizational infrastructure. The attackers also used Plink, the command-line SSH connection tool from the PuTTY suite for Windows, to establish outbound tunnels for data exfiltration.
Microsoft has notified Srimax, the developer of Output Messenger, about the vulnerability, and a software update has been issued to address the flaw. Additionally, Microsoft discovered a second vulnerability, CVE-2025-27921, for which Srimax has also released a patch, although no exploitation of this second vulnerability has been observed. Users are strongly advised to upgrade to the latest version of Output Messenger to mitigate the risk posed by Marbled Dust. Microsoft assesses that Marbled Dust operates as a Türkiye-affiliated espionage threat actor targeting government institutions and organizations in Europe and the Middle East whose interests likely run counter to those of the Turkish government.
Classification:
- HashTags: #ZeroDay #OutputMessenger #Espionage
- Company: Output Messenger
- Target: Users in Iraq
- Attacker: Marbled Dust
- Product: Output Messenger
- Feature: unpatched vulnerability
- Malware: CVE-2025-27920
- Type: 0Day
- Severity: Medium