Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

APT Group Exploits Output Messenger Zero-Day to Target Kurdish Military in Iraq




Cybersecurity experts warn of a new APT group exploiting a zero-day vulnerability in Output Messenger, targeting Kurdish military units operating in Iraq. The vulnerability allows attackers to access sensitive data, impersonate legitimate users, and compromise credentials, highlighting the need for immediate action by organizations operating in Iraq.



  • Marbled Dust APT group has been exploiting a zero-day vulnerability in Output Messenger to target Kurdish military units in Iraq.
  • The vulnerability, CVE-2025-27920, allows attackers to access files outside of their intended directory and compromise credentials.
  • Microsoft researchers have sounded the alarm over this threat, urging organizations to take immediate action to patch their software and implement robust security measures.
  • The exploit represents a significant escalation in Marbled Dust's tactics, techniques, and procedures (TTPs) and could signal a more aggressive operational approach.



    Cybersecurity experts have sounded the alarm after discovering that an APT (Advanced Persistent Threat) group, known as Marbled Dust, has been exploiting a zero-day vulnerability in the messaging app Output Messenger to target Kurdish military units operating in Iraq.

    According to Microsoft researchers, who uncovered this threat, Marbled Dust has been actively exploiting this particular zero-day flaw since April 2024, allowing them to spy on and gather sensitive information about users of the Output Messenger app. This group is believed to be affiliated with Turkey and has a history of targeting organizations in Europe and the Middle East.

    Output Messenger is a popular messaging app among Kurdish military personnel in Iraq. It is intended to provide a secure means of communication, but the same server-based architecture also makes it an attractive entry point for malicious actors like Marbled Dust. By exploiting this zero-day vulnerability, the APT group was able to gain unauthorized access to Output Messenger servers and deploy malicious files to users' devices.

    The vulnerability itself is tracked as CVE-2025-27920, a directory traversal flaw: the server accepts a client-supplied path without confining it, so an attacker can reach files outside the directory the application intended to expose. This allows an attacker to potentially expose sensitive data, impersonate legitimate users, and compromise credentials.
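    To make the directory-traversal point concrete, the following is an added example written for this article; it is not Output Messenger's code and makes no claim about the internals of CVE-2025-27920. It contrasts the naive pattern (join a client-supplied name onto a share root and trust the result) with a server-side check that resolves the path and requires it to stay inside the real root. The function names and the temporary directory layout are constructed for the illustration.

```python
"""Added illustration: how a directory traversal flaw lets a request escape
the intended directory, and how a server-side path check closes it.

Generic example code written for this article. It is NOT Output Messenger's
code and says nothing about how CVE-2025-27920 works internally. The names
naive_join, safe_join and run_demo are hypothetical.
"""
import os
import tempfile
from pathlib import Path


def naive_join(root: str, requested: str) -> str:
    """The vulnerable pattern: trust the client-supplied name and join it.
    '..' segments survive, and an absolute name makes join() drop the root
    entirely, so the result can point anywhere on the filesystem."""
    return os.path.join(root, requested)


def safe_join(root: str, requested: str) -> str:
    """Hardened version: reject absolute paths and NUL bytes, resolve
    symlinks and '..', then require the final real path to sit inside the
    real root. commonpath (not startswith) is used so that a sibling
    directory such as 'share2' next to 'share' is also rejected."""
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        raise PermissionError(f"rejected path: {requested!r}")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    try:
        inside = os.path.commonpath([real_root, candidate]) == real_root
    except ValueError:  # different drives on Windows: certainly outside
        inside = False
    if not inside:
        raise PermissionError(f"traversal outside share root: {requested!r}")
    return candidate


def run_demo() -> dict:
    """Build a throwaway share directory with one file, plus a file outside
    it, and push a mix of benign and traversal-style names through both
    joiners. Returns request -> (naive_escapes_root, safe_accepted)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "share")
        os.makedirs(os.path.join(root, "docs"))
        Path(root, "docs", "readme.txt").write_text("inside the share\n")
        Path(tmp, "secret.txt").write_text("outside the share\n")
        # Constructed sample requests, the kind a file-serving handler sees.
        requests = [
            "docs/readme.txt",          # benign, inside root
            "docs/../docs/readme.txt",  # benign after normalisation
            "../secret.txt",            # classic traversal
            "docs/../../secret.txt",    # traversal hidden behind a valid dir
            "/etc/hostname",            # absolute name: join() discards root
        ]
        real_root = os.path.realpath(root)
        for req in requests:
            naive_target = os.path.realpath(naive_join(root, req))
            naive_escapes = (
                os.path.commonpath([real_root, naive_target]) != real_root
            )
            try:
                safe_join(root, req)
                accepted = True
            except PermissionError:
                accepted = False
            results[req] = (naive_escapes, accepted)
    return results


if __name__ == "__main__":
    for req, (escapes, accepted) in run_demo().items():
        print(f"{req!r:28} naive escapes root: {escapes!s:5} "
              f"safe_join accepts: {accepted}")
```

    The check belongs on the server side, after every decoding step the application applies to the request, since a client can always choose what it sends. Resolving with realpath before comparing is what defeats both the `..` segments and symlinks placed inside the share.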

    "This new attack signals a notable shift in Marbled Dust's capabilities while maintaining consistency in their overall approach," stated Microsoft researchers. "The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent."

    The Marbled Dust APT group has been active since at least 2017, primarily focusing on DNS hijacking as part of their campaigns. Over the years, they have enhanced their evasion capabilities to remain elusive from security detection.

    This particular zero-day exploit represents a significant escalation in the tactics, techniques, and procedures (TTPs) employed by Marbled Dust. The vulnerability itself is critical: by abusing the Output Messenger server architecture, attackers can gain indiscriminate access to every user's communications, steal sensitive data, impersonate users, and compromise credentials.

    "The threat actor can leverage Output Messenger system architecture to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, which could lead to operational disruptions, unauthorized access to internal systems, and widespread credential compromise," reads the report published by Microsoft.

    In response to this new threat, cybersecurity experts urge organizations operating in Iraq, particularly those with Output Messenger apps installed on their devices, to take immediate action. This includes updating their software to patched versions and implementing robust security measures to prevent such attacks from succeeding in the future.

    The incident serves as a reminder that zero-day exploits can be highly effective in breaching even the most secure systems, emphasizing the need for vigilance and proactive defense strategies among organizations worldwide.

    In addition to this alert, Microsoft researchers have also highlighted concerns about the potential shift in targeting priorities by Marbled Dust. The successful exploitation of Output Messenger highlights an increase in technical sophistication on their part, which could signal a more aggressive operational approach or a growing emphasis on leveraging zero-day exploits to achieve their objectives.

    This incident should serve as a wake-up call for organizations operating in Iraq and across the globe. Defenses must remain robust and adaptable, capable of detecting and responding to newly disclosed vulnerabilities such as the one exploited by Marbled Dust.

    Summary:

    An APT group known as Marbled Dust has been exploiting a zero-day vulnerability in Output Messenger to target Kurdish military personnel operating in Iraq. The vulnerability allows attackers to spy on users, steal sensitive information, and compromise credentials. Microsoft researchers have sounded the alarm over this threat, urging organizations to take immediate action to patch their software and implement robust security measures.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/APT-Group-Exploits-Output-Messenger-Zero-Day-to-Target-Kurdish-Military-in-Iraq-ehn.shtml

  • https://securityaffairs.com/177758/apt/apt-group-exploited-output-messenger-zero-day-to-target-kurdish-military-operating-in-iraq.html

  • https://www.securityweek.com/output-messenger-zero-day-exploited-by-turkish-hackers-for-iraq-spying/


  • Published: Tue May 13 07:21:55 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.