Türkiye-Backed Hackers Exploit Output Messenger Zero-Day in Spy Campaign


When a zero-day vulnerability appears in an enterprise tool that receives little public attention, it might seem easy to dismiss it as unimportant.

However, the recent campaign by Marbled Dust exploiting CVE-2025-27920 in Output Messenger proves otherwise. 

Microsoft Threat Intelligence has connected a series of targeted cyberattacks to Marbled Dust, a threat group believed to be affiliated with Türkiye. The group exploited a previously unknown flaw in Output Messenger, a self-hosted enterprise chat application. Since April 2024, their campaign has focused on Kurdish military-related users in Iraq, reflecting a shift toward regionally motivated cyber-espionage. 

Why Output Messenger Became a Target 

Output Messenger is not as widely known as tools like WhatsApp or Slack. It is a relatively obscure chat platform used by organizations that prefer on-premises communication. That combination makes it an attractive target: the code gets little outside scrutiny, yet it sits inside the network with trusted access. Marbled Dust identified this gap and exploited it.

The attackers abused CVE-2025-27920, a directory traversal vulnerability in the Output Messenger Server Manager application, to write malicious script files into the server's Windows startup folder. From there they deployed a multi-stage backdoor, with command-and-control infrastructure hidden behind innocuous-looking domains such as api.wordinfos[.]com.
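To make the bug class concrete, here is an added illustrative example written for this page. It is not Output Messenger's code (which is not shown here): a simplified upload handler that trusts a client-supplied file name, next to a hardened version. The install path, the upload directory and the attacker's file name are assumptions; the Startup folder path is the standard all-users location on Windows. ntpath is used so the Windows path arithmetic runs on any OS.

```python
import ntpath  # Windows path semantics, so this runs on any OS

# Hypothetical server layout for illustration only; not Output Messenger's real paths.
UPLOAD_ROOT = r"C:\Program Files\ExampleChat\uploads"
# All-users Startup folder: anything placed here runs at the next interactive logon.
ALL_USERS_STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
# Constructed attacker-supplied file name: three '..' segments climb from uploads\ to C:\.
TRAVERSAL_NAME = r"..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.vbs"


def vulnerable_target_path(filename: str) -> str:
    """Upload handler that trusts the client-supplied name.

    The name is joined straight onto UPLOAD_ROOT; normalisation then collapses
    the '..' segments, so the write lands wherever the client chose.
    """
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))


def is_within(root: str, candidate: str) -> bool:
    """True if the normalised candidate is root itself or lies below it (case-insensitive, like NTFS)."""
    root_n = ntpath.normpath(root).lower().rstrip("\\")
    cand_n = ntpath.normpath(candidate).lower()
    return cand_n == root_n or cand_n.startswith(root_n + "\\")


def is_safe_upload_name(filename: str) -> bool:
    """Accept only a bare file name for the upload directory.

    Rejects both separators (Windows accepts '/' as well as '\\'), drive and
    NTFS alternate-data-stream colons, '..', reserved characters, control
    characters, and trailing dots/spaces that Windows silently strips.
    """
    if not filename or ".." in filename:
        return False
    if any(ch in filename for ch in '\\/:*?"<>|'):
        return False
    if any(ord(ch) < 32 for ch in filename):
        return False
    if filename != filename.rstrip(". "):
        return False
    return True


def hardened_target_path(filename: str) -> str:
    """Validate the name, then confirm the resolved path is still under UPLOAD_ROOT."""
    if not is_safe_upload_name(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    candidate = ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))
    if not is_within(UPLOAD_ROOT, candidate):  # defence in depth, in case validation regresses
        raise ValueError(f"resolved path escapes upload root: {candidate!r}")
    return candidate


if __name__ == "__main__":
    for name in (TRAVERSAL_NAME, TRAVERSAL_NAME.replace("\\", "/"), "report.pdf"):
        target = vulnerable_target_path(name)
        print(f"vulnerable: {name!r} -> {target}  (inside upload root: {is_within(UPLOAD_ROOT, target)})")
        try:
            print(f"hardened:   {name!r} -> {hardened_target_path(name)}")
        except ValueError as exc:
            print(f"hardened:   {exc}")
```

Note that the forward-slash variant of the same name reaches the Startup folder just as well, which is why the hardened version rejects both separators rather than filtering only backslashes, and why it still re-checks the resolved path against the upload root afterwards.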

Microsoft noted that Srimax, the vendor behind Output Messenger, has released fixed versions (2.0.62 for the server and 2.0.63 for the client). Installations that have not been updated remain exposed to the same technique.

How the Attack Works 

Marbled Dust first obtains authenticated access to Output Messenger's Server Manager; the traversal is only reachable after login, so a valid account is a prerequisite. Microsoft has not confirmed how the group obtains those credentials, but suspects techniques it has used before, such as DNS hijacking and fake login portals that harvest passwords.

Once inside, the attackers upload a malicious VBS file to the Windows startup folder, so it runs at the next logon. The script launches OMServerService.exe, a Go-based backdoor that masquerades as a legitimate service binary. Go is a convenient choice for this kind of tooling: it cross-compiles easily and produces large, statically linked executables that take more effort to analyze.

The backdoor connects to the group's command-and-control server, checks connectivity, sends system information, and executes whatever further commands the operators issue. In one case, a compromised device was observed collecting sensitive documents into a RAR archive and sending it out with plink.exe, PuTTY's command-line SSH client.

On the client side, some victims ran a trojanized Output Messenger installer. It contained the legitimate OutputMessenger.exe together with a second payload, OMClientService.exe, another Go-based backdoor that communicates with the same control server.

Who Is Behind Marbled Dust 

Microsoft has linked Marbled Dust to earlier operations built on DNS hijacking and stolen credentials, and its activity overlaps with what other vendors track as Sea Turtle and UNC1326. The group primarily targets entities that oppose Turkish interests, concentrating on the Middle East and parts of Europe, especially the telecommunications and government sectors.

This campaign marks a significant escalation. While Marbled Dust previously used known vulnerabilities, the exploitation of a zero-day flaw suggests they have either developed stronger internal capabilities or are under greater pressure to act quickly. 

Why This Matters 

This case is a reminder that lesser-known enterprise tools can become high-value targets. While many security teams concentrate on commonly exploited software like office suites or VPNs, other internal applications can remain unpatched and unprotected. Marbled Dust capitalized on that blind spot. 

This attack is not about widespread damage. It was calculated, silent, and aimed at stealing credentials, monitoring internal activity, and maintaining long-term access. There was no ransom note, just quiet espionage. 

What You Should Do 

Microsoft strongly recommends updating Output Messenger to version 2.0.62 for servers and 2.0.63 for clients. Organizations using this software should also: 

  • Review the startup folders (per-user and all-users) on Output Messenger servers and clients for unexpected VBS or EXE files 
  • Monitor DNS queries and outbound connections to api.wordinfos[.]com 
  • Look for unexpected use of plink.exe or outbound SSH sessions from hosts that have no business initiating them 
  • Audit Server Manager accounts and rotate their credentials, since the exploit requires an authenticated login 
  • Isolate any system seen communicating with the command-and-control infrastructure 
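The checks in the list above, run over endpoint telemetry, as an added example (my code, not from the article or from Microsoft's report). It assumes Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) records exported as JSON lines with Sysmon's field names; the six sample events, including every file path, user name and IP address in them, are constructed. Python is used rather than PowerShell so the logic can be tested offline against exported logs.

```python
import json
import ntpath
import re

# Indicators taken from the article; the event format and the sample log are constructed.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SUSPECT_C2_DOMAINS = {"api.wordinfos.com"}
SUSPECT_IMAGE_NAMES = {"omserverservice.exe", "omclientservice.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXFIL_TOOLS = {"plink.exe"}


def domain_matches(query: str, suspects: set) -> bool:
    """Case-insensitive exact or subdomain match, tolerating a trailing dot."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in suspects)


def analyze_events(events):
    """Run the hunt rules over Sysmon-style events (EventID 1 = process create, 22 = DNS query).

    Returns a list of findings: {"event": index, "rule": name, "detail": text}.
    """
    findings = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:
            image = ev.get("Image", "")
            cmdline = ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "")
            name = ntpath.basename(image).lower()
            # Anything executed from, or handed a script in, a Startup folder.
            if STARTUP_DIR_RE.search(image) or STARTUP_DIR_RE.search(cmdline):
                findings.append({"event": idx, "rule": "startup_folder_exec", "detail": cmdline or image})
            # Binary names used by the backdoors described above; verify the path against the install.
            if name in SUSPECT_IMAGE_NAMES:
                findings.append({"event": idx, "rule": "suspect_image_name", "detail": image})
            # VBS -> EXE chain: a script host spawning an executable.
            if ntpath.basename(parent).lower() in SCRIPT_HOSTS and name.endswith(".exe"):
                findings.append({"event": idx, "rule": "script_spawned_exe", "detail": f"{parent} -> {image}"})
            # plink.exe is legitimate admin tooling; treat hits as leads, not verdicts.
            if name in EXFIL_TOOLS:
                findings.append({"event": idx, "rule": "plink_usage", "detail": cmdline})
        elif eid == 22:
            qname = ev.get("QueryName", "")
            if domain_matches(qname, SUSPECT_C2_DOMAINS):
                findings.append({"event": idx, "rule": "c2_dns_query", "detail": f"{ev.get('Image', '')} -> {qname}"})
    return findings


def analyze_jsonl(text: str):
    """Parse one JSON object per line and run the rules."""
    return analyze_events(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample log: four suspicious events followed by two benign ones.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\update.vbs\""}
{"EventID": 1, "Image": "C:\\Users\\Public\\OMServerService.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "C:\\Users\\Public\\OMServerService.exe"}
{"EventID": 22, "Image": "C:\\Users\\Public\\OMServerService.exe", "QueryName": "api.wordinfos.com"}
{"EventID": 1, "Image": "C:\\Tools\\plink.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "plink.exe -ssh ops@203.0.113.10"}
{"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.example.com"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
'''

if __name__ == "__main__":
    for f in analyze_jsonl(SAMPLE_LOG):
        print(f"event {f['event']}: {f['rule']}: {f['detail']}")
```

On the sample data the first four events produce five findings (the OMServerService.exe launch matches both the name rule and the script-host-spawned-executable rule) and the two benign events produce none. The domain rule also matches subdomains, so a new host under the same parent would still be caught; the plink rule needs triage against your own admin tooling before anything is quarantined.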

This campaign is a wake-up call. Zero-day vulnerabilities are not confined to browsers and VPN appliances; they also turn up in lesser-known tools such as internal chat servers. And attackers are watching what you aren't.
