The attack targeted users in Iraq, specifically individuals associated with the Kurdish military. The hackers used a previously unknown flaw to collect sensitive user data. Microsoft has linked the activity to a threat group it tracks as Marbled Dust, also known as Cosmic Wolf, Sea Turtle, Teal Kurma, and UNC1326.
Marbled Dust has been active since at least 2017 and has previously targeted organizations in the Middle East and North Africa. In early 2024, the group was also observed targeting Kurdish websites and technology infrastructure in the Netherlands.
Exploited Vulnerability: CVE-2025-27920
The hackers exploited a critical security flaw identified as CVE-2025-27920 in Output Messenger version 2.0.62. This directory traversal vulnerability allowed remote attackers to access or execute arbitrary files on the server. The app's developer, Srimax, released a patched version (2.0.63) in December 2024, but did not mention active exploitation in its advisory.
According to Microsoft, Marbled Dust first conducted reconnaissance to find Output Messenger users among their targets. They then exploited the zero-day vulnerability to install malicious scripts and backdoor programs on victims’ systems.
How the Attack Works
The attack began with the hackers gaining access to the Output Messenger Server Manager using stolen credentials. It's believed they used methods like DNS hijacking or typosquatted domains to intercept login data.
Once inside, they installed malicious files such as:
• OM.vbs and OMServerService.vbs in the server startup folder
• OMServerService.exe, a Golang-based backdoor, in the “Users/public/videos” folder
This backdoor connected to a hardcoded domain api.wordinfos[.]com to exfiltrate stolen data. On the client side, another Golang backdoor named OMClientService.exe was used. It also connected to the same command-and-control (C2) domain to identify the victim and run malicious commands.
In one confirmed case, a victim device using Output Messenger was found connecting to an IP address previously linked to Marbled Dust’s data theft operations.
Additional Vulnerability Discovered
Microsoft also discovered a second flaw in the same version of Output Messenger: a reflected cross-site scripting (XSS) vulnerability tracked as CVE-2025-27921. However, there is no evidence so far that this vulnerability has been used in real-world attacks.
Growing Sophistication
Microsoft stated that the successful use of a zero-day exploit reflects growing technical capability on Marbled Dust's part. “This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach,” the company said.
The incident highlights growing threats from state-affiliated hacking groups and the importance of keeping enterprise communication tools up to date with the latest security patches. Microsoft urged organizations to apply all updates and monitor for unusual activity related to Output Messenger.
Source - The Hacker News