Marbled Dust leverages zero-day in Output Messenger for regional espionage

May 13, 2025, 8:30 a.m.

Description

A Türkiye-affiliated espionage threat actor, Marbled Dust, has been exploiting a zero-day vulnerability in Output Messenger since April 2024. The attacks target Kurdish military entities in Iraq and allow the actor to deliver malicious files and exfiltrate data. The exploit relies on a directory traversal vulnerability in the Output Messenger Server Manager application that lets authenticated users upload malicious files to the server's startup directory. Marbled Dust's attack chain includes dropping malicious VBS and EXE files, using GoLang backdoors for data exfiltration, and leveraging the Output Messenger system architecture to access user communications and sensitive data.

Indicators

  • 2b7b65d6f8815dbe18cabaa20c01be655d8475fc429388a4541eff193596ae63
  • 1df959e4d2f48c4066fddcb5b3fd00b0b25ae44f350f5f35a86571abb2852e39
  • https://api.wordinfos.com

Attack Patterns

  • OM.vbs
  • OMClientService.exe
  • OMServerService.exe
  • OMServerService.vbs
  • Marbled Dust

Additional Information

  • Defense
  • Government
  • Iraq

Linked vulnerabilities