A Turkish-affiliated threat actor, identified as “Marbled Dust,” has been exploiting a zero-day vulnerability in the Output Messenger application to conduct cyber espionage. The attacks, which reportedly began in April 2024, have primarily targeted entities in Europe and the Middle East, with a specific focus on Kurdish military personnel in Iraq and organizations with interests conflicting with the Turkish government. This campaign highlights a significant escalation in the group’s technical capabilities and operational urgency.
The core of the espionage activity is a directory traversal vulnerability, tracked as CVE-2025-27920, in Output Messenger, an enterprise communication platform developed by the Indian company Srimax. Marbled Dust used techniques such as DNS hijacking to gain initial access to the Output Messenger Server Manager application. It then exploited the zero-day flaw to upload malicious files, including Go-based backdoors, to the server's startup directory. This gave the attackers the ability to steal sensitive data, impersonate users, and potentially disrupt operations.
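The following is an added example, not code from the article, from Srimax, or from Output Messenger, illustrating the class of bug described above and the check that closes it. It contrasts a naive upload handler that joins a client-supplied filename onto an attachment directory with a hardened version that decodes the name, rejects path separators, and verifies the normalised result still lies inside the intended root. The upload root `/srv/messenger/uploads` and the sample filenames are constructed placeholders; the real Output Messenger layout and the actual request used in the campaign are not on the page.

```python
import posixpath
from urllib.parse import unquote

# Constructed placeholder: stands in for the server's attachment directory.
# The real Output Messenger directory layout is not described on the page.
UPLOAD_ROOT = "/srv/messenger/uploads"


def vulnerable_upload_path(upload_root: str, filename: str) -> str:
    """The 'before' pattern: trust the client-supplied name and join it.

    A name containing '..' segments walks out of upload_root, so a file can
    land in any directory the server process can write to.
    """
    return posixpath.normpath(posixpath.join(upload_root, filename))


def safe_upload_path(upload_root: str, filename: str) -> str:
    """Hardened pattern: decode, reduce to a flat name, then verify containment.

    Returns the path the file may be written to, or raises ValueError.
    """
    # Decode percent-encoding first (e.g. %2e%2e%2f) so every later check
    # sees the real characters rather than their encoded form.
    decoded = unquote(filename)

    # Attachments are flat files: any separator or NUL byte is rejected outright.
    if "/" in decoded or "\\" in decoded or "\x00" in decoded:
        raise ValueError("path separators are not allowed in attachment names")
    if decoded in ("", ".", ".."):
        raise ValueError("invalid attachment name")

    # Defence in depth: even after the checks above, confirm the normalised
    # path is at or below the root. In production use os.path.realpath on
    # an existing directory so symlinks cannot redirect the write.
    root = posixpath.normpath(upload_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("attachment name escapes the upload directory")
    return candidate


def classify_names(upload_root: str, names: list[str]) -> dict[str, str]:
    """Run each constructed name through the hardened check and record the verdict."""
    verdicts = {}
    for name in names:
        try:
            safe_upload_path(upload_root, name)
            verdicts[name] = "accepted"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest traversal attempts in
    # plain and percent-encoded form.
    samples = [
        "report.pdf",
        "../../../startup/agent.exe",
        "..%2F..%2Fstartup%2Fagent.exe",
        "%2e%2e%2f%2e%2e%2fstartup%2fagent.exe",
        "..\\..\\startup\\agent.exe",
    ]
    print("naive join of a traversal name:",
          vulnerable_upload_path(UPLOAD_ROOT, samples[1]))
    for name, verdict in classify_names(UPLOAD_ROOT, samples).items():
        print(f"{verdict:8s} {name}")
```

The naive handler resolves the second sample to `/startup/agent.exe`, i.e. outside the upload tree entirely, which is the behaviour a traversal bug of this kind gives an attacker; the hardened handler accepts only the plain `report.pdf`. The separator rejection does most of the work, and the `commonpath` containment check is kept as a second, independent line of defence so that a future relaxation of the name rules does not silently reopen the hole.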
In response to the threat, Microsoft Threat Intelligence notified Srimax, the developer of Output Messenger. Srimax has since released a software update (version 2.0.63) that addresses CVE-2025-27920 and a second, cross-site scripting (XSS) vulnerability (CVE-2025-27921), although there is no evidence the latter was exploited. Both Microsoft and Srimax urge all Output Messenger users to upgrade to the latest version immediately to protect against these attacks. Security experts also recommend broader defensive measures, including enabling cloud-delivered protection and running a comprehensive vulnerability management program so that exposed instances are found and patched promptly.