Output Messenger Flaw Exploited in Espionage Attacks

Nikita Shekhawat

Marketing Analyst

May 13, 2025 4 min read

A Türkiye-backed cyberespionage group, tracked by Microsoft as Marbled Dust (also known as Sea Turtle and UNC1326), exploited a zero-day vulnerability in Output Messenger, a LAN messaging application, in attacks targeting users linked to the Kurdish military in Iraq. The flaw, CVE-2025-27920, is a directory traversal vulnerability in the Output Messenger Server Manager. According to Microsoft Threat Intelligence, it allows an authenticated attacker to read files outside the intended directory or to write malicious payloads into the server's startup folder.

"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," Srimax, the application's developer, stated in the security advisory that accompanied the fix in Output Messenger V2.0.63. The attacks targeted users who had not updated to the patched version.

By compromising the Output Messenger Server Manager, Marbled Dust could steal sensitive data, read user communications, impersonate users, and disrupt operations. Because the flaw requires authentication, Microsoft assessed that the group likely obtained credentials through DNS hijacking or typo-squatted domains, which let it intercept and reuse them. Once authenticated, the attackers deployed a backdoor (OMServerService.exe) via the server's startup folder; the backdoor checked connectivity to an attacker-controlled command-and-control domain, api.wordinfos[.]com, and sent back information used to identify each victim.

Figure: Attack chain

In one instance, the Output Messenger client on a victim's device connected to an IP address attributed to Marbled Dust shortly after the malware had been instructed to collect files and archive them, consistent with data exfiltration. Marbled Dust is known for targeting Europe and the Middle East, focusing on telecommunications and IT companies as well as government organizations that oppose the Turkish government.
To breach networks, the group scans internet-facing devices for vulnerabilities and uses access to compromised DNS registries to alter the DNS configuration of government organizations, letting it intercept traffic and harvest credentials in man-in-the-middle attacks.

"This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft added. The use of a zero-day exploit indicates greater technical sophistication and an escalation in targeting priorities. Last year, Marbled Dust was also linked to multiple espionage campaigns against organizations in the Netherlands, primarily in the telecommunications sector. For organizations running Output Messenger, the immediate actions are to update to a patched version (V2.0.63 or later) and to monitor for the indicators listed under Response and Remediation Strategies below.
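The bug class behind CVE-2025-27920, directory traversal, comes down to a server joining a client-supplied file name onto a base directory without checking where the result actually lands. The Python below is an added illustration of that pattern beside its fix; it is not Output Messenger code and says nothing about how the real application is written. The directory layout (an "uploads" folder next to a "startup" folder) and the file name used in the traversal attempt are constructed for the example.

```python
"""
Illustrative directory-traversal check (added example; not Output Messenger code).

A server that takes a client-supplied file name and joins it onto a base
directory without canonicalising the result lets an authenticated user reach
files outside that directory, or write into a sibling directory such as a
startup folder.  The hardened version resolves the path and refuses anything
that does not stay under the base.
"""
import os
import tempfile
from pathlib import Path


def vulnerable_resolve(base: Path, user_name: str) -> Path:
    """Naive join: '..' segments and absolute paths are honoured as given."""
    return Path(os.path.join(str(base), user_name))


def safe_resolve(base: Path, user_name: str) -> Path:
    """Canonicalise, then require the result to stay under base."""
    base_real = base.resolve()
    # resolve() follows symlinks and collapses '..', so the containment test is
    # on the real location, not on the string the client sent.  An absolute
    # user_name replaces base_real entirely and is caught by the same test.
    target = (base_real / user_name).resolve()
    try:
        target.relative_to(base_real)
    except ValueError:
        raise ValueError(f"path escapes {base_real}: {user_name!r}") from None
    return target


def demo() -> dict:
    """Constructed layout: <tmp>/uploads (intended) next to <tmp>/startup."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    startup = root / "startup"
    uploads.mkdir()
    startup.mkdir()

    traversal = "../startup/OMServerService.vbs"   # attacker-chosen name (constructed)

    escaped = vulnerable_resolve(uploads, traversal).resolve()
    results = {
        # the naive join lands in the sibling startup folder
        "vulnerable_lands_in_startup": escaped.parent == startup.resolve(),
        # an ordinary name is still accepted by the hardened version
        "safe_allows_plain_name": safe_resolve(uploads, "notes.txt").parent == uploads.resolve(),
    }
    try:
        safe_resolve(uploads, traversal)
        results["safe_blocks_traversal"] = False
    except ValueError:
        results["safe_blocks_traversal"] = True
    try:
        safe_resolve(uploads, str(startup / "x.vbs"))   # absolute path is rejected too
        results["safe_blocks_absolute"] = False
    except ValueError:
        results["safe_blocks_absolute"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The containment test is done on the resolved path rather than by rejecting the substring "..": encoded separators, mixed slashes and symlinks all defeat string filters, while a path that resolves under the base is under the base.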

Trends in Zero-Day Exploitation

Figure: Zero-days by year

The Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023 but up from 63 in 2022. The report describes a shift toward enterprise technologies, particularly security and networking products, alongside continued interest in end-user platforms: 44% of the zero-days targeted enterprise products, up from 37% in 2023, and security software and appliances accounted for over 60% of all enterprise technology exploitation. Government-backed groups were responsible for over 50% of attributed zero-day exploitation, with actors from the People's Republic of China and North Korea notably represented. The focus on enterprise technologies suggests that threat actors prefer high-value targets that provide broad access with fewer detection opportunities, which argues for prioritizing monitoring and patching of enterprise-facing products accordingly.

Response and Remediation Strategies

Srimax released fixes for CVE-2025-27920 and a related vulnerability (CVE-2025-27921). Microsoft recommends that organizations using Output Messenger upgrade to the latest version immediately. Key recommendations include:

  • Network Monitoring: Flag and review traffic to domains and IP addresses associated with Marbled Dust infrastructure, in particular the command-and-control domain api.wordinfos[.]com.
  • Malicious File Search: Hunt for the known malicious file hashes and the file names OMServerService.vbs, OMServerService.exe, and OMClientService.exe in endpoint and network logs. Treat a hash match as stronger evidence than a name match, since an attacker can rename a dropper.
  • Credential Reset: Assume that credentials handled by a compromised Output Messenger instance are exposed, and arrange an organization-wide password reset.
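As an added example of the first two recommendations, and not a tool from Microsoft, Srimax or GrackerAI, the Python below scans constructed DNS-query and process-creation records for the indicators named in this article. The record format, hostnames, timestamps and file paths are assumptions made for the example; only the domain and the three file names come from the article. Domains are matched exactly or as a subdomain of the indicator, and files are matched on their base name regardless of directory or path separator.

```python
"""
Added example: triage of constructed log records against the indicators named
in this article.  Not a Microsoft, Srimax or GrackerAI tool.

Two record types are handled; the format, hosts, timestamps and paths are all
constructed for the example:
    dns  <timestamp> <host> query=<name>
    proc <timestamp> <host> image=<path> [parent=<path>]
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators from the article.  The domain is kept defanged here and refanged
# once at scan time, so the source never carries it as a live link.
IOC_DOMAINS = {"api.wordinfos[.]com"}
IOC_FILENAMES = {"OMServerService.vbs", "OMServerService.exe", "OMClientService.exe"}

DNS_RE = re.compile(r"^dns\s+(\S+)\s+(\S+)\s+query=(\S+)$")
PROC_RE = re.compile(r"^proc\s+(\S+)\s+(\S+)\s+image=(\S+)(?:\s+parent=(\S+))?$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    indicator: str   # which IOC matched
    evidence: str    # what was seen in the record


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def basename(path: str) -> str:
    # Windows hosts log backslashes; accept either separator.
    return re.split(r"[\\/]", path)[-1]


def scan_events(lines: Iterable[str]) -> List[Hit]:
    domains = {refang(d) for d in IOC_DOMAINS}
    names = {n.lower() for n in IOC_FILENAMES}
    hits: List[Hit] = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        m = DNS_RE.match(line)
        if m:
            _ts, host, qname = m.groups()
            q = qname.rstrip(".").lower()            # tolerate a trailing root dot
            for d in domains:
                # exact match or any subdomain; the bare parent domain is not the IOC
                if q == d or q.endswith("." + d):
                    hits.append(Hit(no, host, d, f"dns query {qname}"))
            continue
        m = PROC_RE.match(line)
        if m:
            _ts, host, image, parent = m.groups()
            name = basename(image)
            if name.lower() in names:
                hits.append(Hit(no, host, name, f"process {image} parent={parent}"))
    return hits


# Constructed sample: one server and one workstation, with benign noise.
SAMPLE_LOG = [
    "dns 2025-05-13T08:01:02Z srv01 query=update.microsoft.com",
    "dns 2025-05-13T08:01:05Z srv01 query=api.wordinfos.com",
    "proc 2025-05-13T08:01:07Z srv01 image=C:\\OMServer\\startup\\OMServerService.vbs parent=C:\\Windows\\System32\\wscript.exe",
    "proc 2025-05-13T08:01:09Z srv01 image=C:\\ProgramData\\OMServerService.exe parent=C:\\Windows\\System32\\wscript.exe",
    "proc 2025-05-13T08:02:00Z ws17 image=C:\\Users\\a\\AppData\\Local\\Temp\\OMClientService.exe parent=C:\\Users\\a\\Downloads\\setup.exe",
    "dns 2025-05-13T08:02:03Z ws17 query=wordinfos.com",
]

if __name__ == "__main__":
    for h in scan_events(SAMPLE_LOG):
        print(f"line {h.line_no} {h.host}: {h.indicator} <- {h.evidence}")
```

Each hit carries the host and the parent process, which is what an analyst pivots on next: a name match is a lead to confirm against the published hashes and against the startup-folder drop and command-and-control connectivity described above, not a conviction on its own.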

Additionally, organizations can use detection and response tooling to monitor network flows and maintain visibility across endpoints, so that a match on any of the indicators above can be tied to the host, process and account involved.
