FlagThis - #golang

A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.

The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory.

The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities.


References :

• BleepingComputer: Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
• The DefendOps Diaries: Fortinet's Swift Response to Zero-Day Exploits in FortiVoice Systems
• BleepingComputer: Fortinet fixes critical zero-day exploited in FortiVoice attacks
• Help Net Security: Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)
• gbhackers.com: Gbhackers post on fortinet zero-day
• Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
• malware.news: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
• arcticwolf.com: Arctic Wolf blog post on CVE-2025-32756
• cert.europa.eu: 2025-019: Critical Vulnerabilities in Fortinet Products
• RedPacket Security: Fortinet Products Multiple Vulnerabilities
• securityaffairs.com: Fortinet fixed actively exploited FortiVoice zero-day
• The Hacker News: Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems
• www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
• www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
• socradar.io: Critical Vulnerabilities in Fortinet and Ivanti Products: Multiple Zero-Day Threats Addressed
• Tenable Blog: CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
• Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
• arcticwolf.com: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
• Virus Bulletin: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
• securityaffairs.com: APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq
• The Hacker News: Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers
• www.microsoft.com: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
• securityaffairs.com: U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog
• Rapid7 Cybersecurity Blog: CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

Classification:

• HashTags: #API #Zeroday #RCE
• Company: Microsoft
• Target: Kurdish military servers
• Attacker: Türkiye-linked Hackers
• Product: Output Messenger
• Feature: Authenticated access
• Malware: Golang
• Type: 0Day
• Severity: Critical

Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem, revealing three malicious Go modules designed to wipe Linux systems. These modules, named github.com/truthfulpharm/prototransform, github.com/blankloggia/go-mcp, and github.com/steelpoor/tlsproxy, contain obfuscated code that fetches next-stage payloads capable of irrevocably overwriting a Linux system's primary disk, rendering it unbootable. The attack, discovered in April 2025, highlights the dangers of direct dependency imports from public repositories and the effectiveness of code obfuscation in evading detection.

The malicious modules are designed to specifically target Linux environments. Upon execution, they retrieve a destructive shell script from a remote server using wget. This script, known as "done.sh," employs the Unix utility 'dd' to overwrite the entire primary disk ("/dev/sda") with zeroes. This process effectively eliminates the file system, operating system, and all user data, leaving affected systems crippled and data unrecoverable. According to Socket researcher Kush Pandya, this destructive method ensures no data recovery tool or forensic process can restore the data, emphasizing the extreme danger posed by modern supply-chain attacks.

This incident underscores the escalating risks present in open-source supply chains and the potential for seemingly trusted code to become devastating threats. The impact of such an attack includes complete data loss, prolonged operational downtime, and severe financial and reputational damage for affected organizations. Security experts recommend thorough dependency audits, the implementation of automated code scanning tools, and continuous monitoring solutions to detect obfuscated or suspicious behaviors in third-party packages as crucial mitigation steps.


References :

• Cyber Security News: Go‑Powered Supply‑Chain Hack Deploys Disk‑Wipers, Erasing Critical Data at Scale
• gbhackers.com: Hackers Weaponize Go Modules to Deliver Disk‑Wiping Malware, Causing Massive Data Loss
• The Hacker News: Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack
• gbhackers.com: Hackers Weaponize Go Modules to Deliver Disk‑Wiping Malware, Causing Massive Data Loss
• socket.dev: A single line of obfuscated Go code wiped entire disks clean.
• Talkback Resources: Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack [app] [mal]
• socket.dev: wget to Wipeout: Malicious Go Modules Fetch Destructive Payload
• securityaffairs.com: Malicious Go Modules designed to wipe Linux systems
• cyberpress.org: Go‑Powered Supply‑Chain Hack Deploys Disk‑Wipers, Erasing Critical Data at Scale
• Talkback Resources: Malicious Go Modules designed to wipe Linux systems [sys] [mal]
• www.scworld.com: Linux disk-wiping malware spread via Go modules
• BleepingComputer: Linux wiper malware hidden in malicious Go modules on GitHub

Classification:

• HashTags: #supplychainattack #golang #malware
• Target: Linux Systems
• Attacker: MintsLoader Authors
• Product: Go modules
• Feature: Supply Chain
• Malware: MintsLoader
• Type: Malware
• Severity: Disaster