A surge in targeted cyber espionage operations—orchestrated not just by rogue actors but by state-sponsored groups—has redefined threat landscapes for military and political organizations. One striking recent example involves a Türkiye-linked threat actor, dubbed “Marbled Dust” by Microsoft, exploiting a zero-day vulnerability in a widely used commercial messaging application to spy on the Kurdish military in Iraq. Critical details of this incident illustrate both the technical sophistication involved and the broader geopolitical context, which casts a complex shadow over cyber defense efforts in the Middle East.
In April 2024, attacks began exploiting a directory traversal vulnerability, tracked as CVE-2025-27920, in version 2.0.62 of Output Messenger—a client-server messaging app popular among organizations seeking secure, private channels for internal communications. The flaw allowed attackers to access sensitive files on the Output Messenger server, including configuration files, user data, and potentially even application source code. The vendor, Srimax, acknowledged the vulnerability and released a patch in December 2024, but as is often the case, not all users updated promptly, leaving a critical window for exploitation.
Once authenticated, the attackers leveraged CVE-2025-27920 to drop malicious scripts, OM.vbs and OMServerService.vbs, into the server's startup folder, ensuring persistence. These scripts chained together the installation of a specialized backdoor, OMServerService.exe, written in Go and camouflaged as a legitimate system executable. This backdoor established communications with a hardcoded domain (api.wordinfos[.]com), setting up a covert channel for data exfiltration.
Microsoft’s technical analysis revealed that the attack did not stop at the server. On client systems, the threat actor’s installer executed both the official OutputMessenger.exe and a secondary, malicious binary—OMClientService.exe—also compiled in Go. The second executable connected to Marbled Dust’s command-and-control (C2) infrastructure and, in observed cases, coordinated the collection and transfer of files from compromised endpoints.
Notably, the precision and layering of the attack—from initial access via real credentials, to exploitation of a zero-day, and the deployment of tailored backdoors—signaled an uptick in both capability and ambition for Marbled Dust. This escalation raised alarms among cybersecurity professionals, challenging assumptions about threat actor maturity and objectives.
The specific targeting of Kurdish military entities is deeply entwined with Türkiye’s longstanding opposition to Kurdish sovereign ambitions. The Kurdish people, an ethnic group with a homeland spanning parts of Iran, Iraq, Syria, and Türkiye, have pursued self-determination for generations—a pursuit frequently met with military, diplomatic, and now, cyber resistance from Ankara. The intelligence value of infiltrating Kurdish communication channels for Turkish-aligned interests is therefore considerable.
This strategic context means that such cyber intrusions are not isolated criminal acts, but part of a larger pattern of geopolitical contestation played out across physical and digital arenas.
Microsoft’s threat intelligence team detailed the operation in public reports, allowing the broader security community to update detection signatures, refine threat actor tracking, and bolster collective defenses. Their public attribution fulfills a crucial role: it alerts at-risk organizations, deters escalation by exposing adversary tradecraft, and fosters cooperation among regional defenders. Still, the uneven global cybersecurity terrain means not all organizations are equally equipped to leverage these insights.
The expansion of offensive cyber capabilities among regional powers means that future conflicts are likely to be shaped as much by digital stealth as by physical force. Tactical intelligence gathered from communication app intrusions feeds into broader military operations, shaping operational tempo and influencing outcomes at both tactical and strategic levels. The Kurdish experience is a microcosm of a wider trend, wherein even powerful adversaries must reckon with the risks of technical, bureaucratic, or cultural patching delays.
For individual users, teams, and entire defense infrastructures, the lessons are both sobering and actionable: assume compromise, anticipate escalation, and invest in resilience.
Source: theregister.com Turkish spies caught exploiting zero-day for over a year
The Exploitation of Messaging App Vulnerabilities: Anatomy of the Attack
In April 2024, attacks began exploiting a directory traversal vulnerability, tracked as CVE-2025-27920, in version 2.0.62 of Output Messenger—a client-server messaging app popular among organizations seeking secure, private channels for internal communications. The flaw allowed attackers to access sensitive files on the Output Messenger server, including configuration files, user data, and potentially even application source code. The vendor, Srimax, acknowledged the vulnerability and released a patch in December 2024, but as is often the case, not all users updated promptly, leaving a critical window for exploitation.Technical Breakdown: Step-by-Step Intrusion
Marbled Dust’s tactics reportedly began with reconnaissance and credential harvesting—an evolution from the group’s prior campaigns, which mostly exploited known internet-facing vulnerabilities and manipulated DNS infrastructures. In this incident, investigators from Microsoft’s threat intelligence unit could not irrefutably determine how the attackers authenticated to the Output Messenger Server, but their hypothesis carries weight: DNS hijacking or the use of typo-squatted domains likely allowed interception and reuse of legitimate credentials.Once authenticated, the attackers leveraged CVE-2025-27920 to drop malicious scripts, OM.vbs and OMServerService.vbs, into the server's startup folder, ensuring persistence. These scripts chained together the installation of a specialized backdoor, OMServerService.exe, written in Go and camouflaged as a legitimate system executable. This backdoor established communications with a hardcoded domain (api.wordinfos[.]com), setting up a covert channel for data exfiltration.
Microsoft’s technical analysis revealed that the attack did not stop at the server. On client systems, the threat actor’s installer executed both the official OutputMessenger.exe and a secondary, malicious binary—OMClientService.exe—also compiled in Go. The second executable connected to Marbled Dust’s command-and-control (C2) infrastructure and, in observed cases, coordinated the collection and transfer of files from compromised endpoints.
Notably, the precision and layering of the attack—from initial access via real credentials, to exploitation of a zero-day, and the deployment of tailored backdoors—signaled an uptick in both capability and ambition for Marbled Dust. This escalation raised alarms among cybersecurity professionals, challenging assumptions about threat actor maturity and objectives.
The Players: Marbled Dust, Sea Turtle, and Regional Tensions
Marbled Dust, according to Microsoft, overlaps with groups tracked by other security analysts as “Sea Turtle” and “UNC1326”—all sharing hallmarks of Turkish state interest. These threat actors have a well-established history of targeting organizations whose agendas clash with Turkish policy, often focusing on government and military agencies in the Middle East and beyond.The specific targeting of Kurdish military entities is deeply entwined with Türkiye’s longstanding opposition to Kurdish sovereign ambitions. The Kurdish people, an ethnic group with a homeland spanning parts of Iran, Iraq, Syria, and Türkiye, have pursued self-determination for generations—a pursuit frequently met with military, diplomatic, and now, cyber resistance from Ankara. The intelligence value of infiltrating Kurdish communication channels for Turkish-aligned interests is therefore considerable.
This strategic context means that such cyber intrusions are not isolated criminal acts, but part of a larger pattern of geopolitical contestation played out across physical and digital arenas.
Strengths and Sophistication: What Sets This Campaign Apart
1. Zero-Day Exploitation
The exploitation of a previously unknown (zero-day) vulnerability signifies a marked shift in the operational toolkit of Marbled Dust. While many threat actors rely on public exploits and outdated systems, the ability to discover and weaponize a new bug demands both advanced skills and persistent reconnaissance. According to Microsoft, prior Marbled Dust campaigns maximized known vulnerabilities; the leap to a zero-day not only accelerates their penetration timeline but suggests an investment in research or potent connections in the vulnerability black market.2. Multistage Persistence
Deploying both server and client backdoors, the attackers ensured multi-layered persistence within victim environments. The use of startup scripts alongside binaries written in Go—an increasingly common language for cross-platform malware—demonstrates adaptability and awareness of detection avoidance strategies.3. Credential Interception Tactics
The possible reliance on DNS hijacking or domain impersonation to capture valid credentials reflects “living off the land” methodologies that reduce the likelihood of triggering conventional intrusion alarms. By subverting normal authentication flows, attackers sidestepped brute-force detections and exploited trust relationships within organizational networks.4. Real-World Impact
Because Output Messenger is a commercial product deployed in military contexts, this campaign’s impact is empirically significant. Successful infiltration could yield sensitive correspondence, operational planning details, personal data, and potentially map social relationships within target organizations. The risk extends not just to direct data loss but to follow-on operations, such as spear-phishing or broader supply chain attacks.Risks: Patch Latency, Attribution, and Amplified Geopolitical Fallout
1. Patch Adoption Lag
Though Srimax released a patch (v2.0.63) as soon as December 2024, organizations—especially in the public sector or conflict zones—often face challenges with prompt patch management. Constraints can range from bureaucratic inertia to the technical complexity of updating mission-critical communications platforms without downtime. Each delay in adopting security updates expands the attackers’ exploitation window, underscoring a perennial weak spot in cyber hygiene.2. Unclear Initial Access
While Microsoft’s analysts suspect DNS-based credential theft, uncertainty around the precise method used to gain authenticated access limits concrete defensive recommendations. If attackers used techniques not previously seen, defenders may need to revise playbooks and implement behavioral monitoring rather than rely on static signatures or known bad indicators. The lack of full visibility should prompt caution for other Output Messenger users—even fully updated installations may be vulnerable if attackers develop additional, as-yet-undisclosed entry points.3. Escalation and Attribution
High-confidence attribution to state-affiliated groups inevitably ratchets up regional tension. In a fraught theater like the Middle East, such operations can catalyze tit-for-tat responses, not limited to the digital domain. Public attributions by large corporations like Microsoft lend credibility but are not judicial verdicts; adversaries may use “false flag” tactics to further muddy the waters, manipulating attribution as part of broader antagonistic strategies.4. Broader Threat Vectors
Output Messenger’s architecture—a server managing multiple client applications—means that once compromise is achieved, lateral movement inside an organization is plausible. Attack chains could extend to mapped file shares, adjacent applications, or linked accounts, amplifying the initial breach far beyond the chat app itself. Furthermore, the backdoor's use of hardcoded C2 domains allows security teams to hunt for beaconing activity, but also exposes organizations to rapid follow-up attacks should the group switch infrastructure.Security Vendor and Stakeholder Responses
Srimax, the Output Messenger developer, responded responsibly after being notified, releasing a patched version and publishing a security advisory that correctly outlined both the risk (directory traversal leading to potential remote code execution) and the urgency for all users to update. However, the speed and completeness of customer notification processes—and subsequent uptake—remain open questions. Srimax did not immediately comment to further media inquiries, leaving some uncertainty about the scope of the response.Microsoft’s threat intelligence team detailed the operation in public reports, allowing the broader security community to update detection signatures, refine threat actor tracking, and bolster collective defenses. Their public attribution fulfills a crucial role: it alerts at-risk organizations, deters escalation by exposing adversary tradecraft, and fosters cooperation among regional defenders. Still, the uneven global cybersecurity terrain means not all organizations are equally equipped to leverage these insights.
Lessons for Organizations: Proactive Defense in a New Threat Environment
Implement Rigorous Patch Management
The first and most urgent step is to audit all Output Messenger deployments and ensure they are running version 2.0.63 or later. Organizations should operationalize vulnerability management—not just for public-facing software but for all internal communications tools whose compromise could yield sensitive information.Monitor for Lateral Movement and Anomalous Behavior
Given the sophistication of credential harvesting tactics, relying solely on perimeter defenses is insufficient. Security teams should implement continuous monitoring for anomalous sign-ins, unexpected service restarts, or suspicious file creations, particularly files named OM.vbs, OMServerService.vbs, OMServerService.exe, and OMClientService.exe. Enable extended logging on DNS and authentication systems to denormalize unusual traffic patterns or intercontinental login attempts.Review DNS Security and User Education
DNS hijacking as a preliminary access vector remains underappreciated in many organizations. Lock down DNS registrar accounts, enforce multifactor authentication, and regularly audit DNS records against trusted baselines. Train users to recognize spoofed login pages, educate on strong password hygiene, and limit credential reuse across systems.Engage in Threat Intelligence Sharing
No single organization can independently counter the level of sophistication seen in this operation. Active participation in trusted threat intelligence sharing platforms accelerates detection, facilitates mitigation strategies, and enhances collective situational awareness, especially in sectors or regions known to be targets of geopolitically motivated actors.Broader Implications for Cyber Geopolitics
Marbled Dust’s evolution underscores the escalation of state-linked cyber operations from “commodity” exploit kits to custom research and sustained campaigns. The incident serves as a warning that even relatively niche or closed-group commercial applications have become attractive vectors for high-impact cyber espionage. For states facing persistent geopolitical friction—especially where nationhood, territory, or sovereignty are in question—cyber intrusions increasingly dovetail with conventional and diplomatic power plays.The expansion of offensive cyber capabilities among regional powers means that future conflicts are likely to be shaped as much by digital stealth as by physical force. Tactical intelligence gathered from communication app intrusions feeds into broader military operations, shaping operational tempo and influencing outcomes at both tactical and strategic levels. The Kurdish experience is a microcosm of a wider trend, wherein even powerful adversaries must reckon with the risks of technical, bureaucratic, or cultural patching delays.
Looking Forward: Adapting to New Norms
The continuous arms race between cyber defenders and attackers shows no signs of abating. As demonstrated by the Output Messenger exploitation, attackers’ reliance on zero-days and multifaceted intrusion chains will likely increase. For defenders, layered, adaptive security frameworks—combining rapid patching, behavioral analytics, robust DNS security, and a culture of cyber discipline—will prove essential. At a national and international level, advancing regulatory standards for software security and vendor disclosure, and encouraging prompt, transparent communication around vulnerabilities, remain urgent.For individual users, teams, and entire defense infrastructures, the lessons are both sobering and actionable: assume compromise, anticipate escalation, and invest in resilience.
Conclusion
The Marbled Dust campaign targeting the Kurdish military through Output Messenger shines a spotlight on the intersection of technological vulnerability and geopolitical ambition. It highlights the increasing technical prowess of regional threat actors, the enduring challenges of timely patching, and the urgency for a proactive, holistic defense strategy. As digital infrastructure becomes ever more entwined with critical political and military functions, both attackers and defenders are innovating at a breakneck pace. Staying ahead, therefore, is not just a matter of reactive security, but of strategic foresight—and a recognition that the front lines of modern conflict now run through both silicon and code.Source: theregister.com Turkish spies caught exploiting zero-day for over a year
