Marbled Dust leverages zero-day in Output Messenger for regional espionage
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Marbled Dust, a Türkiye-affiliated espionage threat actor, has been exploiting a zero-day vulnerability in Output Messenger since April 2024. The campaign targets Kurdish military entities in Iraq and lets the actor deliver malicious files and exfiltrate data; it marks a shift in Marbled Dust's tradecraft toward greater technical sophistication. The vulnerability, CVE-2025-27920, is a directory traversal flaw in the Output Messenger Server Manager application: an authenticated user can upload a file outside the intended upload location, including into the server's startup directory, where it is executed automatically. Marbled Dust's attack chain is to obtain authenticated access (its DNS hijacking and typo-squatted domains are assessed to be the means of intercepting the credentials needed for that access), exploit the vulnerability to drop a VBS loader and a GoLang backdoor on the server, and push a GoLang backdoor to clients for data exfiltration and command execution. A second flaw reported at the same time, CVE-2025-27921 (reflected cross-site scripting), has not been observed being exploited. Both are fixed in Output Messenger 2.0.63; a server on an earlier version that was reachable by any authenticated user should be treated as potentially compromised, and its startup directory checked for files it did not ship with.
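The mechanism behind CVE-2025-27920 is the generic directory-traversal upload: a server joins a client-supplied filename onto its upload root without checking that the result stays inside that root. The following Python is an added illustration written for this entry; it is not code from Microsoft, Srimax or the Output Messenger product. It shows a naive handler beside a hardened one, runs both against a traversal name aimed at a stand-in startup folder, and finishes with the responder-side check of listing startup-directory files that match the artifact names in this entry's labels (omserverservice.vbs, omserverservice.exe, omclientservice.exe). The directory layout, the upload root, the startup folder and the payload bytes are all constructed for the example; the real server's paths are not on this page.

```python
import os
import tempfile
from pathlib import Path

# Filenames of the dropped artifacts listed in this entry's labels; matched case-insensitively.
DROPPED_ARTIFACTS = {"omserverservice.vbs", "omserverservice.exe", "omclientservice.exe"}


def save_upload_vulnerable(upload_root: str, client_name: str, data: bytes) -> str:
    """Naive upload handler: the client-supplied name is joined to the upload root as-is,
    so '..' segments walk out of upload_root (the directory-traversal pattern)."""
    # Backslashes are normalised so the example behaves the same on Windows and POSIX.
    target = os.path.join(upload_root, client_name.replace("\\", "/"))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return os.path.normpath(target)


def save_upload_hardened(upload_root: str, client_name: str, data: bytes) -> str:
    """Hardened handler: keep only the final path component, then verify that the
    resolved target's parent is exactly the resolved upload root."""
    root = Path(upload_root).resolve()
    basename = Path(client_name.replace("\\", "/")).name  # drops every directory part, '..' included
    if basename in ("", ".", ".."):
        raise ValueError(f"rejected filename: {client_name!r}")
    target = (root / basename).resolve()
    if target.parent != root:  # containment check in case the name resolves through a symlink
        raise ValueError(f"path escapes upload root: {client_name!r}")
    with open(target, "wb") as fh:
        fh.write(data)
    return str(target)


def find_dropped_artifacts(startup_dir: str) -> list[str]:
    """Responder check: names of files in a startup directory that match the known
    Marbled Dust artifacts, lower-cased and sorted for stable comparison."""
    return sorted(
        p.name.lower()
        for p in Path(startup_dir).iterdir()
        if p.is_file() and p.name.lower() in DROPPED_ARTIFACTS
    )


def demo() -> dict:
    """Run both handlers against a traversal name aimed at a constructed startup folder.
    The directory layout and payload bytes are constructed for this example only."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        upload_root = base / "OutputMessenger" / "Uploads"   # constructed upload root
        startup_dir = base / "Startup"                        # constructed stand-in startup directory
        upload_root.mkdir(parents=True)
        startup_dir.mkdir()

        traversal_name = "..\\..\\Startup\\OMServerService.vbs"
        payload = b"' constructed placeholder script, not the actor's loader\r\n"

        # The naive handler lands the file in the startup folder, two levels above the upload root.
        written = Path(save_upload_vulnerable(str(upload_root), traversal_name, payload))
        vulnerable_escaped = written.parent == startup_dir

        # The hardened handler keeps the same basename but pins it under the upload root.
        hardened_target = Path(save_upload_hardened(str(upload_root), traversal_name, payload))
        hardened_contained = hardened_target.parent == upload_root.resolve()

        return {
            "vulnerable_escaped": vulnerable_escaped,
            "hardened_contained": hardened_contained,
            "artifacts_found": find_dropped_artifacts(str(startup_dir)),
        }


if __name__ == "__main__":
    print(demo())
```

The hardened handler deliberately does not try to "sanitise" the traversal sequence in place; stripping the name down to its last component and then comparing the resolved parent against the resolved root is what closes the class of bug, whatever separator or encoding the client uses. The artifact listing is a starting point for triage, not a clean bill of health: an actor can rename its loader, so any file in that directory the installer did not place there deserves the same scrutiny.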
OPENCTI LABELS :
backdoor,espionage,zero-day,golang,iraq,dns hijacking,cve-2025-27920,omserverservice.exe,cve-2025-27921,omserverservice.vbs,omclientservice.exe,kurdistan,output messenger