CyberSecurity news
FlagThis
info@thehackernews.com (The@The Hacker News
//
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.
The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory.
The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities.
ImgSrc: blogger.googleu
References :
The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory.
The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities.
ImgSrc: blogger.googleu
Share:
References :
- BleepingComputer: Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
- The DefendOps Diaries: Fortinet's Swift Response to Zero-Day Exploits in FortiVoice Systems
- BleepingComputer: Fortinet fixes critical zero-day exploited in FortiVoice attacks
- Help Net Security: Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)
- gbhackers.com: Gbhackers post on fortinet zero-day
- Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
- malware.news: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
- arcticwolf.com: Arctic Wolf blog post on CVE-2025-32756
- cert.europa.eu: 2025-019: Critical Vulnerabilities in Fortinet Products
- RedPacket Security: Fortinet Products Multiple Vulnerabilities
- securityaffairs.com: Fortinet fixed actively exploited FortiVoice zero-day
- The Hacker News: Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems
- www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
- www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
- socradar.io: Critical Vulnerabilities in Fortinet and Ivanti Products: Multiple Zero-Day Threats Addressed
- Tenable Blog: CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
- Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
- arcticwolf.com: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
- Virus Bulletin: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
- securityaffairs.com: APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq
- The Hacker News: Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers
- www.microsoft.com: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
- securityaffairs.com: U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog
- Rapid7 Cybersecurity Blog: CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products