Marbled Dust leverages zero-day in Output Messenger for regional espionage
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A Türkiye-affiliated espionage threat actor, Marbled Dust, has been exploiting a zero-day vulnerability in Output Messenger since April 2024. The attacks target Kurdish military entities in Iraq, allowing the actor to deliver malicious files and exfiltrate data. The exploit involves a directory traversal vulnerability in the Output Messenger Server Manager application, enabling authenticated users to upload malicious files to the server's startup directory. Marbled Dust's attack chain includes dropping malicious VBS and EXE files, using GoLang backdoors for data exfiltration, and leveraging the Output Messenger system architecture to access user communications and sensitive data.
OPENCTI LABELS:
backdoor, espionage, data exfiltration, zero-day, golang, directory traversal, iraq, cve-2025-27920, omserverservice.exe, cve-2025-27921, omserverservice.vbs, omclientservice.exe, kurdistan, output messenger, om.vbs