Microsoft’s Threat Intelligence team has uncovered a sophisticated cyberespionage campaign by the Türkiye-affiliated threat actor dubbed ‘Marbled Dust,’ exploiting a previously unknown zero-day vulnerability in Output Messenger, a popular enterprise messaging app. The operation, active since April 2024, has primarily targeted Kurdish military personnel in Iraq.
The exploited vulnerability, tracked as CVE-2025-27920, is a directory traversal flaw in Output Messenger's Server Manager application. It allows authenticated users to upload malicious files to the server’s startup folder. Marbled Dust used this flaw to deliver and execute malicious scripts and backdoors, enabling extensive surveillance, data theft, and potential impersonation of users.
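The flaw described above is a classic upload path traversal: the server joins a client-supplied file name onto its upload directory, so a name containing `..` components lands the file elsewhere on disk (here, the startup folder, where it runs at the next boot). The following is an added illustration, not Output Messenger's code and not from Microsoft's report; the upload root, the allowed-extension list and the sample file names are constructed for the example.

```python
import posixpath
from typing import Optional

# Constructed example values; the real Output Messenger paths are not stated on the page.
UPLOAD_ROOT = "/srv/om/uploads"
ALLOWED_EXTENSIONS = {".pdf", ".png", ".txt"}


def unsafe_upload_path(root: str, filename: str) -> str:
    """Vulnerable pattern: the client-supplied name is joined straight onto the root.

    A name such as "../../Startup/evil.vbs" is accepted as-is, so the write
    resolves outside the upload directory.
    """
    return posixpath.join(root, filename)


def escapes_root(root: str, path: str) -> bool:
    """True if `path`, after normalising '..' components, is not inside `root`."""
    resolved = posixpath.normpath(path)
    root = root.rstrip("/")
    return not (resolved == root or resolved.startswith(root + "/"))


def safe_upload_path(root: str, filename: str) -> Optional[str]:
    """Hardened pattern: accept only a plain base name with an allowed extension,
    then confirm the resolved path still sits under `root`. Returns None on rejection."""
    # Treat backslashes as separators so Windows-style "..\\" is caught too.
    candidate = filename.replace("\\", "/")
    # Reject empty names, NUL bytes, absolute paths and anything with a directory part.
    if not candidate or "\x00" in candidate or candidate.startswith("/"):
        return None
    if candidate != posixpath.basename(candidate) or candidate in (".", ".."):
        return None
    # Second layer: an allowlist of content types keeps scripts and executables out
    # even if a later bug reintroduces a traversal.
    _, ext = posixpath.splitext(candidate)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    resolved = posixpath.normpath(posixpath.join(root, candidate))
    # Belt-and-braces containment check on the final path.
    if escapes_root(root, resolved):
        return None
    return resolved


if __name__ == "__main__":
    # Constructed attacker-style name alongside a benign one.
    for name in ("report.pdf", "../../Startup/evil.vbs", "..\\..\\Startup\\evil.vbs"):
        print(f"{name!r}: unsafe -> {posixpath.normpath(unsafe_upload_path(UPLOAD_ROOT, name))}, "
              f"safe -> {safe_upload_path(UPLOAD_ROOT, name)}")
```

The containment check at the end is deliberately redundant with the base-name check: the point of the hardened version is that the file name is validated as data, then the resulting path is verified independently, so either control alone would have blocked the write to the startup folder.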
Microsoft observed the actor leveraging this access to deploy files such as OMServerService.vbs and OMServerService.exe, which establish persistent command-and-control communications. One backdoor, written in Go, performs victim identification before exfiltrating data to IP addresses linked to Marbled Dust operations.
Microsoft assesses with moderate confidence that Marbled Dust used techniques like DNS hijacking and typo-squatted domains to harvest credentials needed to authenticate before exploiting the zero-day vulnerability.
“In at least one case, a victim device with the Output Messenger client software was observed connecting to an IP address attributed to Marbled Dust likely for data exfiltration, as these connections coincide with the threat actor issuing commands to collect files with varying file extensions to a RAR file on the desktop,” the report notes. “This connection to the Marbled Dust-attributed IP address is frequently accomplished using plink—the command-line version of the PuTTY SSH client for Windows.”
Srimax, the developer of Output Messenger, issued patches for CVE-2025-27920 and a second, unexploited vulnerability (CVE-2025-27921) following Microsoft's disclosure.