Ethical Hacking News
Microsoft has warned that Marbled Dust, a Türkiye-affiliated espionage group, has been exploiting a zero-day vulnerability in the Output Messenger chat application to collect sensitive information from targets associated with the Kurdish military in Iraq. The activity is believed to have begun more than a year ago and abuses a directory traversal flaw, tracked as CVE-2025-27920, in Output Messenger version 2.0.62, a commercial product that ships both server and client applications.
According to Microsoft's threat intelligence team, Marbled Dust first gains access to the Output Messenger Server Manager application as an authenticated user. Microsoft assesses that the group likely obtains those credentials by DNS hijacking or typo-squatted domains, which let it intercept, log, and reuse logins, techniques it has relied on in earlier activity. Only once it holds a valid account does it exploit CVE-2025-27920.
Marbled Dust used the traversal to drop two malicious scripts, OM.vbs and OMServerService.vbs, into the Output Messenger server's startup folder, and a malicious executable, OMServerService.exe, into the server's Users/public/videos directory.
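The following added example illustrates the bug class behind the file drop described above. It is not Output Messenger's code, and the handler, directory layout and file names are assumptions; it shows how a client-controlled file name joined onto a server-side upload directory lets an authenticated user write outside that directory (here into a stand-in Startup folder), and how a hardened handler rejects the same name.

```python
"""Directory traversal in a file-save handler, shown vulnerable and hardened.
Added illustration of the bug class, NOT Output Messenger's code: the handler,
directory layout and file names below are assumptions. It shows how a
client-controlled name lets an authenticated user write outside the upload
directory, here into a stand-in Startup folder, which is the file-drop
pattern described above."""
from pathlib import Path, PurePosixPath
import tempfile


def vulnerable_save(upload_dir: Path, client_name: str, data: bytes) -> Path:
    """Vulnerable: joins the client-supplied name onto upload_dir unchecked.
    Backslashes are normalised so the Windows-style name behaves the same on
    any OS; the '..' segments walk out of upload_dir."""
    dest = upload_dir / client_name.replace("\\", "/")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest.resolve()


def hardened_save(upload_dir: Path, client_name: str, data: bytes) -> Path:
    """Hardened: reject absolute names and any '..' segment, then confirm the
    resolved destination is still below upload_dir (defence in depth against
    symlinks or normalisation tricks the first check might miss)."""
    base = upload_dir.resolve()
    rel = PurePosixPath(client_name.replace("\\", "/"))
    if rel.is_absolute() or not rel.parts or ".." in rel.parts:
        raise ValueError(f"rejected file name: {client_name!r}")
    dest = (base / rel).resolve()
    if base not in dest.parents:
        raise ValueError(f"path escapes upload directory: {client_name!r}")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Stage a throwaway directory tree and try the same attacker-controlled
    name against both handlers. Returns what happened so it can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        upload_dir = root / "OutputMessenger" / "uploads"   # assumed layout
        upload_dir.mkdir(parents=True)
        startup = root / "Startup"   # stand-in for the Windows startup folder
        startup.mkdir()

        # Attacker-controlled name climbing two levels out of uploads/ and
        # using the name of one of the scripts reported dropped on the server.
        evil_name = "..\\..\\Startup\\OM.vbs"
        payload = b"' constructed placeholder, not the real dropper\r\n"

        vulnerable_save(upload_dir, evil_name, payload)
        escaped = (startup / "OM.vbs").is_file()

        try:
            hardened_save(upload_dir, evil_name, payload)
            blocked = False
        except ValueError:
            blocked = True

        # A benign name, including a subdirectory, still works when hardened.
        saved = hardened_save(upload_dir, "notes\\report.txt", b"ok")
        inside = saved.parent.parent == upload_dir.resolve()

        return {"vulnerable_escaped": escaped,
                "hardened_blocked": blocked,
                "hardened_saved_inside": inside}


if __name__ == "__main__":
    print(demo())
```

The hardened handler does two independent things on purpose: it refuses names with `..` or an absolute root before touching the filesystem, and it still checks the resolved path after the join, so a bypass of the first check (for example through a symlink already inside the upload directory) is caught by the second.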
OMServerService.exe is a backdoor written in Go that masquerades as the legitimate Output Messenger server service executable of the same name. "In some cases, OMServerService.exe is observed connecting to a hardcoded domain, api.wordinfos[.]com, for data exfiltration," the researchers wrote. The attack also reaches Windows clients: a tampered client installer extracts and executes both the legitimate OutputMessenger.exe and OMClientService.exe, a second backdoor written in Go.
OMClientService.exe connects to a Marbled Dust command-and-control (C2) domain. In at least one case, the victim device also connected to an IP address linked to the group, "likely for data exfiltration, as these connections coincide with the threat actor issuing commands to collect files with varying file extensions to a RAR file on the desktop," according to Microsoft.
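The indicators above (the two scripts in the startup folder, OMServerService.exe outside its install directory, OMClientService.exe on clients, the api.wordinfos[.]com domain, and RAR staging on the desktop) are enough to build a simple hunt. The following is an added example and not tooling from Microsoft, Srimax or the article; the DNS log format, the assumed install directory and all sample paths and log lines are constructed.

```python
"""Hunting helper for the Marbled Dust indicators named above (the dropped
file names and locations, the hardcoded C2 domain, the RAR staging on the
desktop). Added example, not tooling from Microsoft, Srimax or the article.
The DNS log format, the install directory and all sample data are
constructed; feed real input from a recursive file listing and a DNS query
log to use it for real."""
import re
from dataclasses import dataclass

C2_DOMAIN = "api.wordinfos.com"   # written api.wordinfos[.]com in the reporting
STARTUP_DROPPERS = {"om.vbs", "omserverservice.vbs"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)  # Windows startup folders
PUBLIC_VIDEOS = re.compile(r"\\users\\public\\videos\\", re.I)
USER_DESKTOP = re.compile(r"\\users\\[^\\]+\\desktop\\", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str         # what the indicator means
    confidence: str   # "high" for the named droppers and C2, "low" for generic staging signs
    evidence: str     # the path or log line that matched


def hunt_paths(paths):
    """Match the dropped files by name AND location: OMServerService.exe is
    also the name of the legitimate server binary, so only a copy outside the
    install directory (reported under Users\\Public\\Videos) is suspicious."""
    findings = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        if STARTUP_DIR.search(p) and name in STARTUP_DROPPERS:
            findings.append(Finding("startup_dropper", "high", p))
        elif PUBLIC_VIDEOS.search(p) and name == "omserverservice.exe":
            findings.append(Finding("server_backdoor_outside_install_dir", "high", p))
        elif USER_DESKTOP.search(p) and name.endswith(".rar"):
            findings.append(Finding("possible_exfil_archive", "low", p))
    return findings


def hunt_dns(lines):
    """Assumed log line format: '<timestamp> <client-ip> <qname>'. The query
    name is lower-cased and stripped of a trailing dot before comparison so
    casing or FQDN notation in the log cannot hide a match."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].lower().rstrip(".")
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            findings.append(Finding("c2_dns_lookup", "high", line))
    return findings


# Constructed sample input standing in for a server file listing and a DNS log.
SAMPLE_PATHS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OM.vbs",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs",
    r"C:\Users\Public\Videos\OMServerService.exe",
    r"C:\Program Files\Output Messenger Server\OMServerService.exe",  # assumed legitimate location
    r"C:\Users\alice\Desktop\backup.rar",
    r"C:\Users\alice\Desktop\report.docx",
]
SAMPLE_DNS = [
    "2025-04-02T10:14:03Z 10.0.0.12 api.wordinfos.com",
    "2025-04-02T10:14:05Z 10.0.0.12 login.microsoftonline.com",
    "2025-04-02T10:15:00Z 10.0.0.20 API.WORDINFOS.COM.",
]


def run_sample():
    return hunt_paths(SAMPLE_PATHS) + hunt_dns(SAMPLE_DNS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.confidence}] {f.kind}: {f.evidence}")
```

Note that the legitimate OMServerService.exe in the install directory is deliberately left unflagged: the backdoor borrows the legitimate name, so a name-only rule would page on every healthy server. A RAR on a desktop is flagged at low confidence only, since users create archives for ordinary reasons; treat it as corroboration next to a high-confidence hit, not as a detection on its own.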
Srimax, the developer of Output Messenger, acknowledged the flaw and published a security advisory stating that "Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution." The company urges users to upgrade to Output Messenger version V2.0.63, which fixes the bug.
Marbled Dust typically targets government institutions and organizations whose interests run counter to those of the Turkish government. Its activities overlap with threat groups tracked by other security researchers as Sea Turtle and UNC1326.
Microsoft's warning is a reminder that a directory traversal in an internal chat server is enough to turn a stolen login into persistent code execution: the traversal let an authenticated user write into the server's startup folder, and the scripts placed there gave the backdoor persistence. Organisations running Output Messenger should upgrade to version 2.0.63, and in the meantime check the server's startup folder for OM.vbs and OMServerService.vbs, the Users/public/videos directory for an unexpected OMServerService.exe, Windows clients for OMClientService.exe, and DNS and proxy logs for lookups of api.wordinfos[.]com.
Because Marbled Dust is assessed to obtain Server Manager credentials through DNS hijacking and typo-squatted domains, patching alone is not enough: administrators should also rotate those credentials and watch for unexpected changes to the DNS records of the domains their users sign in through. Nation-state actors routinely pair valid credentials with an unpatched flaw, so credential hygiene, DNS monitoring and regular vulnerability assessment need to sit alongside a prompt patch cycle.
Related Information:
https://www.ethicalhackingnews.com/articles/Turkish-Spies-Exploit-Zero-Day-Flaw-in-Messaging-App-to-Collect-Intel-on-Kurdish-Army-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/05/13/turkish_spies_messaging_app/
https://nvd.nist.gov/vuln/detail/CVE-2025-27920
https://www.cvedetails.com/cve/CVE-2025-27920/
https://thecyberexpress.com/marbled-dust-exploit-output-messenger-zero-day/
https://www.infosecurity-magazine.com/news/turkish-apt-sea-turtle-resurfaces/
https://cybersecuritynews.com/sea-turtle-apt-group/
Published: Tue May 13 02:50:16 2025 by llama3.2 3B Q4_K_M