Marbled Dust has been exploiting a vulnerability in user accounts associated with the Kurdish military operating in Iraq for over a year, according to Microsoft
Analysis Summary
# Threat Actor: Marbled Dust
## Attribution & Identity
* **Identification:** A cyber threat group tracked as **Marbled Dust** by Microsoft Threat Intelligence.
* **Attribution:** Believed to align with **Turkish government interests**.
* **Aliases/Associations:** None explicitly mentioned other than the tracking name "Marbled Dust."
## Activity Summary
* **Campaign Focus:** A cyber-espionage campaign detected by Microsoft Threat Intelligence, ongoing since at least **April 2024**.
* **Exploitation:** The group was observed exploiting an unpatched vulnerability in the Output Messenger application to target specific users.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of the zero-day vulnerability **CVE-2025-27920** in **Output Messenger** (versions prior to 2.0.63).
* **Vulnerability Mechanism:** Directory traversal caused by improper handling of user-supplied file paths; `../` sequences in request parameters allow access to files outside the intended directory.
* **Impact:** Potential for configuration leakage or arbitrary file access, leading to account compromise.
* **MITRE ATT&CK Information:** Exploitation of CVE-2025-27920 is consistent with **T1190 (Exploit Public-Facing Application)**.
## Targeting
* **Sectors:** Not explicitly detailed, but the nature of the target suggests government-adjacent or military entities.
* **Geography:** Targets located in **Iraq**.
* **Victims:** Users associated with the **Kurdish military operating in Iraq**.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly mentioned in the source report.
* **Infrastructure:** Not explicitly detailed (no C2 domains or IPs provided).
## Implications
* **Geopolitical Motivation:** This activity strongly suggests a state-sponsored cyber-espionage operation aimed at gathering intelligence on Kurdish military elements operating in Iraq, aligning with Turkish strategic interests.
* **Risk:** The use of a zero-day vulnerability (CVE-2025-27920) indicates a sophisticated initial access capability, posing a significant risk to organizations using the targeted unpatched software.
## Mitigations
* **Patching:** Immediately update **Output Messenger** to version 2.0.63 or later to remediate **CVE-2025-27920**.
* **Application Hardening:** Verify that applications canonicalize and validate user-supplied parameters, especially file paths, so that `../` sequences (including URL-encoded forms) cannot escape the intended directory.
* **Proactive Monitoring:** Monitor network traffic and system logs for indicators related to the exploitation vectors used by Marbled Dust, particularly file access requests containing directory traversal sequences.
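The two mitigations above, worked through as an added example that is not code from the Microsoft report or from Output Messenger: `resolve_under_base()` is path handling that `../` sequences (plain, URL-encoded or double-encoded) cannot escape, and `find_traversal_attempts()` flags access-log lines carrying such sequences. The base directory, the `/api/files?name=` parameter and the `client method path` log layout are constructed assumptions.

```python
"""Added example, not code from the Microsoft report or from Output Messenger:
the defensive side of the bug class behind CVE-2025-27920 (directory traversal
via `../` in a file path parameter). All inputs below are constructed."""
import posixpath
import re
from urllib.parse import unquote

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding (%252e -> %2e -> '.'), bounded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_under_base(base_dir, user_path):
    """Canonical path for user_path inside base_dir, or None if the request
    would land outside it. Backslashes are treated as separators; NUL rejected."""
    decoded = fully_decode(user_path).replace("\\", "/")
    if "\x00" in decoded:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # Accept only the base itself or a descendant; normpath already folded `..`.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate

# A dot-dot segment followed by either separator, checked after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def find_traversal_attempts(log_lines):
    """Return (line_number, raw_path) for each request whose decoded path holds
    a traversal sequence. Assumes the constructed 'client method path' layout."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        path = parts[2] if len(parts) > 2 else line
        if TRAVERSAL_RE.search(fully_decode(path)):
            hits.append((n, path))
    return hits

# Constructed sample access log; these are not real indicators.
SAMPLE_LOG = [
    "10.0.0.5 GET /api/files?name=report.pdf",
    "10.0.0.9 GET /api/files?name=../../conf/app.conf",
    "10.0.0.9 GET /api/files?name=..%2f..%2fconf%2fapp.conf",
    "10.0.0.7 GET /api/files?name=%252e%252e%252fconf",
    "10.0.0.5 GET /api/files?name=docs/notes.txt",
]
```

Running `find_traversal_attempts(SAMPLE_LOG)` flags lines 2, 3 and 4; the same decode-then-normalize step is what makes `resolve_under_base()` return `None` for those requests.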