Ethical Hacking News
Turkey's Marbled Dust hackers have exploited a zero-day vulnerability in Output Messenger to drop Golang backdoors on Kurdish servers, resulting in the theft of sensitive user data from targets in Iraq. The attack marks a notable escalation in their capabilities and highlights the need for greater vigilance and cooperation between governments, cybersecurity experts, and tech companies.
A recent cyber attack by Turkey's Marbled Dust hackers exploited a zero-day vulnerability in an Indian enterprise communication platform, Output Messenger. The attackers dropped Golang backdoors on Kurdish servers, resulting in the theft of sensitive user data from targets in Iraq. Microsoft discovered two vulnerabilities: CVE-2025-27920 (directory traversal) and CVE-2025-27921 (reflected cross-site scripting), which were used by Marbled Dust to collect user credentials and drop payloads. The attack chain involves gaining access to the Output Messenger Server Manager application, collecting user credentials, and exploiting vulnerabilities to drop Golang backdoors on servers. Marbled Dust's use of a zero-day vulnerability indicates an increase in technical sophistication and targeting priorities, leaving security experts concerned about the vulnerability of Output Messenger users.
A recent cyber attack by Turkey's Marbled Dust hackers has left security experts stunned, as they successfully exploited a zero-day vulnerability in an Indian enterprise communication platform called Output Messenger to drop Golang backdoors on Kurdish servers. The attack, which began in April 2024, has resulted in the theft of a large amount of sensitive user data from targets in Iraq.
According to the Microsoft Threat Intelligence team, Marbled Dust collected user credentials and then exploited CVE-2025-27920, a directory traversal vulnerability affecting version 2.0.62 that allows remote attackers to access or execute arbitrary files. The developer, Srimax, addressed the issue in late December 2024 with version 2.0.63.
The attack chain starts with the Marbled Dust hackers gaining access to the Output Messenger Server Manager application as an authenticated user. It is believed that they use techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. Once inside, they abuse the access to collect the user's Output Messenger credentials and exploit CVE-2025-27920 to drop payloads like "OM.vbs" and "OMServerService.vbs" to the server startup folder and "OMServerService.exe" to the server's "Users/public/videos" directory.
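The traversal step above works because a file path supplied by the client is joined to a server directory without a containment check, so "../" segments (or their Windows "..\" form) walk out of the intended folder and into locations such as the startup folder. The following is an added illustration of that flaw class and its fix; it is not Output Messenger's or Srimax's code, and the upload root, request paths and helper names are constructed. The dropped file names and the Users/Public/Videos location are taken from the article; the Windows all-users startup folder path is the standard one.

```python
"""Defensive illustration of the directory traversal class behind CVE-2025-27920.

Added example: not Output Messenger's or Srimax's code. The upload root,
the probe paths and the helper names are constructed for the illustration.
"""
from pathlib import Path

# Constructed server-side upload root for the illustration.
UPLOAD_ROOT = "/srv/om-server/uploads"


def vulnerable_join(base_dir: str, user_path: str) -> Path:
    """Naive join with no containment check.

    A leading '..' sequence walks out of base_dir, and an absolute
    user_path replaces base_dir entirely (pathlib semantics).
    """
    return Path(base_dir) / user_path


def safe_join(base_dir: str, user_path: str) -> Path:
    """Join, then prove containment: the resolved target must be base_dir
    itself or a descendant of it. Anything else raises ValueError."""
    # Windows servers accept '\\' as a separator, so normalise it first;
    # otherwise '..\\..\\' would slip past a check that only knows '/'.
    normalised = user_path.replace("\\", "/")
    base = Path(base_dir).resolve()
    target = (base / normalised).resolve()  # collapses '..' lexically, follows symlinks
    if target != base and base not in target.parents:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return target


def accepts(base_dir: str, user_path: str) -> bool:
    """True if safe_join allows user_path, False if it rejects it."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed probes: two benign paths and three that try to leave the root,
    # aimed at the locations the article says the payloads were written to.
    probes = [
        "reports/q1.pdf",
        "reports/../q1.pdf",
        "../../Users/Public/Videos/OMServerService.exe",
        "..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OM.vbs",
        "/etc/passwd",
    ]
    for probe in probes:
        print(f"{probe!r:80} naive -> {vulnerable_join(UPLOAD_ROOT, probe)}")
        print(f"{'':80} hardened accepts: {accepts(UPLOAD_ROOT, probe)}")
```

The check compares resolved paths rather than looking for the substring "..", so encoded or separator-swapped variants are handled by the same rule: after resolution the target is either inside the root or it is not.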
In the next phase, the Marbled Dust hackers use "OMServerService.vbs" to invoke "OM.vbs" and "OMServerService.exe," the latter of which is a Golang backdoor that contacts a hard-coded domain ("api.wordinfos[.]com") for data exfiltration. On the client side, the installer extracts and executes both the legitimate file OutputMessenger.exe and OMClientService.exe, another Golang backdoor that connects to a Marbled Dust command-and-control (C2) domain.
This backdoor first performs a connectivity check via a GET request to the C2 domain api.wordinfos[.]com. If that succeeds, a second GET request is sent to the same C2 containing hostname information to uniquely identify the victim. The response from the C2 is then executed directly via 'cmd /c', which instructs the Windows command prompt to run the supplied command and then terminate.
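The two-request check-in described above gives defenders something concrete to look for in proxy or egress logs, and the dropped file names from the previous paragraphs give a host-side indicator. The following is an added example, not tooling from Microsoft, Srimax or the article: it parses proxy log lines in a constructed format, flags requests to the C2 domain named above, labels hosts that show the check-in followed by a second GET, and matches a directory listing against the dropped payload names. The log format, the sample lines and the IP addresses are constructed; only the domain and the file names come from the article.

```python
"""Hunt for the indicators described in the article: C2 contacts in proxy logs
and dropped payload names in startup or Users/Public/Videos listings.

Added example for illustration, not Microsoft's or Srimax's tooling. The log
format, sample lines and IPs are constructed; domain and file names are the
article's.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the article (the text defangs the domain as api.wordinfos[.]com).
C2_DOMAINS = {"api.wordinfos.com"}
DROPPED_FILES = {"om.vbs", "omserverservice.vbs", "omserverservice.exe", "omclientservice.exe"}

# Constructed proxy log format: "<iso-time> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample: one clean host, one host showing the check-in pattern,
# one look-alike domain that must not match, and one malformed line.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 10.0.0.5 GET http://intranet.example.local/ 200
2025-05-01T10:00:07Z 10.0.0.23 GET http://api.wordinfos.com/ 200
2025-05-01T10:00:09Z 10.0.0.23 GET http://api.wordinfos.com/?h=SRV-OM01 200
2025-05-01T10:00:15Z 10.0.0.5 GET http://api.wordinfos.com.example.net/ 200
this line is not in the expected format
2025-05-01T10:01:02Z 10.0.0.23 POST http://api.wordinfos.com/ 200
"""


def matches_c2(host: str) -> bool:
    """Exact or subdomain match against the C2 list; look-alike suffixes do not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def find_c2_contacts(log_text: str) -> dict:
    """Return {client_ip: [(ts, method, url), ...]} for requests to C2 domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        host = urlsplit(m["url"]).hostname or ""
        if matches_c2(host):
            hits[m["src"]].append((m["ts"], m["method"], m["url"]))
    return dict(hits)


def classify_host(requests: list) -> str:
    """Two or more GETs to the C2 matches the check-in-then-identify pattern
    the article describes; any contact at all is still worth an alert."""
    gets = [r for r in requests if r[1] == "GET"]
    if len(gets) >= 2:
        return "beacon-pattern"
    if requests:
        return "c2-contact"
    return "clean"


def suspicious_entries(listing: list) -> list:
    """Given file names from a startup folder or Users/Public/Videos, return
    those matching the dropped payload names (case-insensitive)."""
    return sorted({name for name in listing if name.lower() in DROPPED_FILES})


if __name__ == "__main__":
    for src, reqs in find_c2_contacts(SAMPLE_LOG).items():
        print(f"{src}: {classify_host(reqs)} ({len(reqs)} request(s) to C2)")
    # Constructed startup-folder listing.
    print(suspicious_entries(["desktop.ini", "OM.vbs", "OMServerService.vbs"]))
```

Matching on the resolved hostname rather than a substring of the URL is what keeps the look-alike api.wordinfos.com.example.net out of the results; the same rule extends to DNS logs by feeding the queried name to matches_c2.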
Microsoft also discovered a second flaw, a reflected cross-site scripting (XSS) vulnerability in the same version (CVE-2025-27921), although it said it found no evidence of it being weaponized in real-world attacks. This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach.
The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent. The incident has left security experts concerned, as it highlights the vulnerability of Output Messenger users to sophisticated cyber attacks.
In recent years, Marbled Dust hackers have been identified as targeting telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands. This attack marks a notable escalation in their capabilities and targets, with the use of a zero-day vulnerability to drop Golang backdoors on Kurdish servers.
The incident has also raised concerns about the security of Output Messenger users, who may not be aware that they are vulnerable to such attacks. The attack has also highlighted the need for greater vigilance and cooperation between governments, cybersecurity experts, and tech companies to prevent similar incidents in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/Turkeys-Marbled-Dust-Hackers-Exploit-Output-Messenger-Zero-Day-to-Steal-Kurdish-Data-ehn.shtml
https://thehackernews.com/2025/05/turkiye-hackers-exploited-output.html
Published: Tue May 13 03:07:34 2025 by llama3.2 3B Q4_K_M