Full Report
A Türkiye-affiliated threat actor has, since April 2024, exploited a zero-day security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage campaign. "These exploits have resulted in a collection of related user data from targets in Iraq," the Microsoft Threat Intelligence team said. "The targets of the attack are associated with the Kurdish
Analysis Summary
# Threat Actor: Marbled Dust (formerly Silicon; also tracked as Cosmic Wolf, Sea Turtle and UNC1326)
## Attribution & Identity
* **Attribution:** A Türkiye-affiliated threat actor.
* **Aliases/Associated Groups:** Marbled Dust, Silicon, Cosmic Wolf, Sea Turtle, UNC1326.
* **Activity Span:** Believed to have been active since at least 2017.
## Activity Summary
The actor has run a cyber espionage campaign since April 2024 that exploits a zero-day vulnerability (CVE-2025-27920) in the Indian enterprise communication platform Output Messenger; the flaw affects version 2.0.62 of the server and was fixed in 2.0.63. The activity resulted in the collection of user data from targets located in Iraq. Microsoft assesses that the actor first performs reconnaissance to confirm that a target uses Output Messenger before deploying the exploit.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploited the Output Messenger zero-day (CVE-2025-27920, a directory traversal in the Output Messenger Server Manager) to place files in arbitrary locations on the server, including its startup folder.
* **Credential Theft:** Exploitation requires authenticated access to the Output Messenger Server Manager application. The actor is believed to obtain those credentials through DNS hijacking or typo-squatted domains that intercept logins in transit.
* **Persistence & Execution:** Dropped `OM.vbs` and `OMServerService.vbs` into the server's startup folder, and `OMServerService.exe` into the server's `Users\Public\Videos` directory.
* **Execution Chain:** At startup, `OMServerService.vbs` invokes `OM.vbs` and launches the main payload, `OMServerService.exe`.
* **Client Execution:** On the client side, the installer extracts and executes the legitimate `OutputMessenger.exe` alongside a second backdoor, `OMClientService.exe`.
* **Command and Control:** Both `OMServerService.exe` and `OMClientService.exe` are Golang backdoors used for follow-on operations, including data collection and exfiltration.
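The directory-traversal class behind the initial-access step, as an added illustration: this is not Output Messenger's code (the page gives no detail of the vulnerable upload routine), so the handler below is a generic stand-in. A vulnerable save routine joins a client-supplied file name onto the upload root; a hardened one rejects separators and confirms the resolved path stays inside the root. Directory names, the `startup` stand-in for the server's Startup folder and the file name `OM.vbs` are constructed for the demo.

```python
"""Path traversal in a file-upload handler: vulnerable and hardened forms.

Added illustration of the bug class named in the summary (CVE-2025-27920 is a
directory traversal in Output Messenger Server Manager). Not Output Messenger's
code; all paths and names below are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


def save_upload_vulnerable(upload_root: str, filename: str, data: bytes) -> str:
    """Joins the client-supplied name onto the upload root without validation.

    A name containing '../' segments walks out of upload_root, which is how a
    file upload ends up in an unrelated directory such as the Startup folder.
    """
    dest = os.path.join(upload_root, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def save_upload_hardened(upload_root: str, filename: str, data: bytes) -> str:
    """Refuses names with separators, then re-checks containment after resolving.

    An upload handler has no reason to accept directory components, so both
    '/' and '\\' are rejected (backslash is not a separator on POSIX but is on
    Windows, where the affected product runs); ':' blocks drive-letter names.
    """
    root = Path(upload_root).resolve()
    if filename in ("", ".", "..") or any(c in filename for c in "/\\:"):
        raise ValueError(f"rejected upload name: {filename!r}")
    dest = (root / filename).resolve()
    # Defence in depth: even after the name check, confirm the final path
    # sits directly under the upload root.
    if dest.parent != root:
        raise ValueError(f"path escapes upload root: {dest}")
    dest.write_bytes(data)
    return str(dest)


def demo() -> dict:
    """Runs both handlers against a traversal name in a throwaway tree.

    Layout (constructed): <base>/app/uploads is the legitimate upload root and
    <base>/startup stands in for the server's Startup folder.
    """
    base = Path(tempfile.mkdtemp())
    uploads = base / "app" / "uploads"
    startup = base / "startup"
    uploads.mkdir(parents=True)
    startup.mkdir()

    # Attacker-controlled file name: climbs out of app/uploads into startup/.
    evil_name = "../../startup/OM.vbs"
    landed = save_upload_vulnerable(str(uploads), evil_name, b"WScript.Echo 1")
    wrote_to_startup = Path(landed).parent == startup.resolve()

    try:
        save_upload_hardened(str(uploads), evil_name, b"WScript.Echo 1")
        blocked = False
    except ValueError:
        blocked = True

    benign = save_upload_hardened(str(uploads), "report.txt", b"ok")
    return {
        "vulnerable_wrote_to_startup": wrote_to_startup,
        "hardened_blocked_traversal": blocked,
        "hardened_benign_inside_root": Path(benign).parent == uploads.resolve(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check on the resolved path matters even when the name check looks sufficient: symlinks or platform-specific separators can defeat string filtering alone, so the hardened routine keeps both.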
## Targeting
* **Sectors:** Previously targeted telecommunication, media, Internet Service Providers (ISPs), information technology (IT)-service providers, and Kurdish websites.
* **Geography:** Targets observed in Iraq (current campaign) and the Netherlands (historical).
* **Victims:** Kurdish military operating in Iraq.
## Tools & Infrastructure
* **Malware Families:** Custom Golang backdoors (`OMServerService.exe` on the server, `OMClientService.exe` on the client).
* **Infrastructure (C2):**
* `api.wordinfos[.]com` (Used for connectivity checks and data exfiltration by the server backdoor).
* A hard-coded Command-and-Control (C2) domain (Used by the client backdoor).
## Implications
This campaign shows Marbled Dust's continued focus on cyber espionage against Kurdish interests in the region. Because exploiting CVE-2025-27920 requires valid Server Manager credentials, the intrusion pairs credential interception (DNS hijacking or typo-squatting) with a zero-day in an enterprise communications tool, giving the actor initial access, persistence through the server's startup folder, and a channel for data exfiltration.
## Mitigations
* Patch Output Messenger to version 2.0.63 or later, which fixes CVE-2025-27920. Since the campaign has run since April 2024, review any server that was exposed on 2.0.62 for the artifacts below rather than relying on the patch alone.
* Monitor DNS integrity (registrar and nameserver changes, unexpected resolution of your own domains, look-alike registrations) to detect the hijacking or typosquatting used for credential interception, and restrict Server Manager logins to trusted networks.
* Scrutinize the server's startup folders and the `Users\Public\Videos` directory for unexpected VBScript or executable files (`OM.vbs`, `OMServerService.vbs`, `OMServerService.exe`). File names can change between intrusions, so alert on any script or executable in those locations, not only these three.
* Monitor outbound traffic and DNS queries for connections to the identified C2 infrastructure (`api.wordinfos[.]com`), and block the domain at the resolver or proxy.
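A hunt for the persistence chain and the C2 domain described above, as an added example that is not Microsoft's or Output Messenger's tooling. It flags scripts and executables in the Windows Startup folders, executable content under `Users\Public\Videos`, the three file names named in the report, and DNS queries for `api.wordinfos[.]com` or its subdomains. The file listing, the DNS log format (timestamp, client, query name, type) and every line of sample data are constructed for the demo; the page publishes no hashes, so the hunt keys on location, extension and name.

```python
"""Host and DNS hunt for the Marbled Dust / Output Messenger tradecraft.

Added example, not from Microsoft or Output Messenger. The file listing and the
DNS log lines are constructed; the locations, file names and C2 domain come from
the summary above.
"""
import re
from typing import Dict, List

# File names named in the report. Hashes are not given, so the hunt keys on
# location + extension + name, which is what is documented.
KNOWN_DROPPED_NAMES = {"om.vbs", "omserverservice.vbs", "omserverservice.exe"}
C2_DOMAINS = {"api.wordinfos.com"}

# All-users and per-user Startup folders, matched on a '/'-normalised path so
# "C:\ProgramData\..." and "c:/programdata/..." agree.
STARTUP_RE = re.compile(
    r"(?:/programdata/microsoft/windows/start menu/programs/startup/"
    r"|/users/[^/]+/appdata/roaming/microsoft/windows/start menu/programs/startup/)",
    re.IGNORECASE,
)
PUBLIC_VIDEOS_RE = re.compile(r"/users/public/videos/", re.IGNORECASE)
# Extensions that should not sit in a Startup folder. .lnk shortcuts are the
# normal content there and are left for a separate review of their targets.
SCRIPT_OR_EXE = (".vbs", ".exe", ".bat", ".cmd", ".ps1", ".js", ".wsf", ".hta")

# Constructed DNS log format: "<timestamp> <client-ip> <qname> <qtype>".
DNS_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def _normalise(path: str) -> str:
    return path.replace("\\", "/")


def hunt_files(paths: List[str]) -> List[Dict[str, str]]:
    """Returns one finding per suspicious path with the reasons it matched."""
    findings = []
    for raw in paths:
        path = _normalise(raw)
        name = path.rsplit("/", 1)[-1].lower()
        reasons = []
        if name in KNOWN_DROPPED_NAMES:
            reasons.append("file name reported for Marbled Dust")
        if STARTUP_RE.search(path) and name.endswith(SCRIPT_OR_EXE):
            reasons.append("script or executable in Startup folder")
        if PUBLIC_VIDEOS_RE.search(path) and name.endswith((".exe", ".dll", ".vbs")):
            reasons.append("executable content in Users/Public/Videos")
        if reasons:
            findings.append({"path": raw, "reason": "; ".join(reasons)})
    return findings


def hunt_dns(lines: List[str]) -> List[Dict[str, str]]:
    """Flags queries for a known C2 domain or any of its subdomains."""
    hits = []
    for line in lines:
        match = DNS_LINE_RE.match(line.strip())
        if not match:
            continue  # unparseable line: skip rather than guess
        qname = match["qname"].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS):
            hits.append({"ts": match["ts"], "client": match["client"], "qname": qname})
    return hits


# Constructed sample data for the demo (not real telemetry).
SAMPLE_FILES = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OM.vbs",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini",
    r"C:\Users\Public\Videos\OMServerService.exe",
    r"C:\Users\Public\Videos\training.mp4",
    r"C:\Program Files\SomeVendor\app.exe",
]
SAMPLE_DNS = [
    "2024-04-12T09:14:02Z 10.20.4.15 api.wordinfos.com. A",
    "2024-04-12T09:14:05Z 10.20.4.15 updates.example.com. A",
    "2024-04-12T09:15:11Z 10.20.4.22 cdn.api.wordinfos.com. AAAA",
    "malformed line that the parser must skip",
]


if __name__ == "__main__":
    for finding in hunt_files(SAMPLE_FILES):
        print("FILE", finding["path"], "->", finding["reason"])
    for hit in hunt_dns(SAMPLE_DNS):
        print("DNS ", hit["ts"], hit["client"], hit["qname"])
```

On a live host, feed `hunt_files` the output of a recursive directory listing of the Startup folders and `Users\Public\Videos`, and feed `hunt_dns` resolver or DNS-server query logs reshaped into the four-field form the parser expects; the domain match includes subdomains so that a change of hostname under the same C2 domain is still caught.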