In the rapidly evolving landscape of cyber-espionage, the convergence of zero-day vulnerabilities, niche third-party communications software, and geopolitically motivated actors presents formidable risks for organizations in sensitive regions. The recent disclosure by Microsoft Threat Intelligence regarding Marbled Dust’s exploitation of a zero-day vulnerability in Output Messenger—a popular internal messaging solution in select regions—brings into sharp focus the stakes of software hygiene and the relentless innovation among state-affiliated adversaries.

Anatomy of a Modern Espionage Campaign

Microsoft’s investigation into the Marbled Dust campaign began in April 2024 when telemetry flagged unusual activity emanating from unpatched installations of Output Messenger in Iraq. Output Messenger, developed by Srimax, is widely used for its cross-platform chat and collaboration capabilities, often favored by organizations looking for local control over their messaging infrastructure rather than cloud-based alternatives. This architectural choice, while offering more direct control and privacy, can become a double-edged sword when patch deployment lags behind active exploitation.
The campaign centers around CVE-2025-27920, a critical directory traversal vulnerability in the Output Messenger Server Manager component. Directory traversal bugs are among the most damaging flaws, enabling authenticated users to break out of intended directories and manipulate files anywhere on the underlying system—often with catastrophic consequences. In Marbled Dust’s implementation, this allowed them to deliver malicious files directly to the server’s Windows startup directory, ensuring persistence and broad impact.

Marbled Dust: A Profile in Persistence and Adaptation

Microsoft identifies Marbled Dust as a Türkiye-affiliated espionage group that primarily targets government, telecommunications, and IT sector institutions across Europe and the Middle East. Other security firms track this threat as Sea Turtle or UNC1326, and a review of Marbled Dust’s operational history underscores a group methodically focused on reconnaissance, credential theft, and the exploitation of IT supply-chain weaknesses.
In past operations, Marbled Dust demonstrated proficiency in DNS hijacking and the subversion of registrar infrastructure—tactics that grant attackers far-reaching access to targeted network flows and authentication events. In this latest campaign, the group adapts its techniques, combining credential interception with zero-day exploitation, suggesting either an escalation in capability or a pivot in operational urgency.

Technical Deep-Dive: Output Messenger Under Siege

At the heart of this espionage campaign lies a directory traversal vulnerability (CVE-2025-27920) enabling authenticated users to upload arbitrary files to Windows’ startup folders on the host server. By manipulating request parameters, specifically the “name” field, attackers can direct their uploads outside the designated temp directories and into sensitive OS locations. For context, the malicious payloads (notably OMServerService.vbs and associated executables) are placed into the Startup directory, guaranteeing execution the next time the system or the relevant service starts up.
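To make the bug class concrete, here is an added Python illustration of the pattern behind a directory traversal in an upload handler. It is not Output Messenger's code (the article does not show the vendor's implementation): it contrasts a naive join of a client-supplied "name" field with a hardened version that keeps only the final path component and verifies that the normalized destination still lies under the upload root. The upload root and the file names are constructed for the example.

```python
import posixpath

# Constructed upload directory for the example; not Output Messenger's real layout.
UPLOAD_ROOT = "/srv/om-server/temp"


def vulnerable_save_path(name: str) -> str:
    """Naive join that trusts the client-supplied 'name' field verbatim.

    '..' segments walk out of UPLOAD_ROOT, and an absolute 'name' replaces
    the root entirely, so the caller chooses the destination directory.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))


def is_within_root(path: str, root: str = UPLOAD_ROOT) -> bool:
    """True only if 'path' is the root itself or a descendant of it."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def safe_save_path(name: str) -> str:
    """Hardened variant: strip every directory component, reject empty or
    dot-only names, then re-check the final destination against the root.

    Both checks are kept on purpose: the basename() call removes the
    traversal, and the containment check catches any future regression.
    """
    # Treat Windows separators as separators too, so 'a\\..\\b' is not one name.
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError("invalid upload file name")
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if not is_within_root(dest):
        raise ValueError("destination escapes the upload root")
    return dest


if __name__ == "__main__":
    for candidate in ("report.txt", "../../Users/Public/evil.vbs", "/etc/passwd"):
        naive = vulnerable_save_path(candidate)
        print(f"{candidate!r:32} naive -> {naive}  inside root: {is_within_root(naive)}")
        print(f"{'':32} safe  -> {safe_save_path(candidate)}")
```

The point a reviewer should take from the vulnerable function is that normalizing the path is not the fix: the normalized result is perfectly valid, it just points somewhere the application never intended. Containment has to be checked after normalization, and the server process should additionally run with no write access to OS startup locations so that a bypass of the check still cannot reach them.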
The attack chain unfolds as follows:
  • Initial Access: Marbled Dust acquires legitimate user credentials. While the precise method remains unclear in every instance, Microsoft assesses with moderate confidence this is achieved through phishing, DNS hijacking, or leveraging typo-squatted domains—tactics previously attributed to the group.
  • Exploitation: Using the authenticated session, the attacker triggers the directory traversal flaw to plant their payloads in the startup directory.
  • Payload Execution: The planted script (OMServerService.vbs) executes a GoLang backdoor (OMServerService.exe), which masquerades as a legitimate Output Messenger component. GoLang, with its portable binaries, eases deployment across different Windows versions—a deliberate choice that signals technical sophistication.
  • Command and Control: The backdoor reaches out to a hardcoded C2 (command-and-control) domain (api.wordinfos[.]com), fetching and executing attacker-supplied commands, siphoning host information, and exfiltrating key data.
  • Client-Side Intrusion: Parallel activity involves the deployment of another GoLang-based backdoor (OMClientService.exe) on victim endpoints. This facilitates further reconnaissance, credential theft, and cementing of long-term access.
  • Data Exfiltration: In at least one observed case, the attackers employed plink—the command-line variant of PuTTY’s SSH client—to establish connections for rapidly exfiltrating RAR-archived collections of files.

Exploit Execution: Why Directory Traversal Matters

This type of attack is particularly insidious within environments that rely on internal messaging systems for operational continuity or sensitive coordination, such as military or government entities. By hijacking the very infrastructure trusted for secure communications, attackers can surveil, impersonate, and disrupt, turning defensive IT assets against their owners.
Critically, the Output Messenger architecture relies on a server-centric model for message brokering. The compromise of a single server can thus expose the entire communication flow—potentially granting Marbled Dust carte blanche access to all conversations, shared files, and even system authentication events within an affected organization.

Attribution and Geopolitical Implications

Microsoft’s assessment that Marbled Dust is Türkiye-affiliated aligns with broader trends in regionally targeted espionage campaigns. Their targeting has notably centered on the Kurdish military and allied organizations within Iraq, parallel to Türkiye’s longstanding strategic interests in Kurdish-controlled territories. The operational overlap with Sea Turtle underscores continuity in targets, TTPs (tactics, techniques, and procedures), and infrastructure.
It is essential to approach attribution with appropriate caution. While technical evidence—such as malware signatures, C2 domains, and observed TTPs—strongly suggests Marbled Dust’s provenance, the possibility of false flags and recycled infrastructure is a perennial caveat in cyber intelligence. Nonetheless, cross-corroboration with other security reports lends credibility to Microsoft’s high-confidence determination.

Response and Remediation: Lessons for the Enterprise

The fallout from Marbled Dust’s exploitation of Output Messenger is instructive for security teams, not only regarding specific technical mitigations but also in the organizational risk calculus around third-party software.

Patches and Workarounds

Upon disclosure, Srimax—Output Messenger’s vendor—moved with commendable speed, releasing patches for both the zero-day exploited in the wild (CVE-2025-27920) and a secondary related vulnerability (CVE-2025-27921) which, while not yet observed in active exploitation, presented a hypothetical risk. This prompt response, explicitly acknowledged by Microsoft, underscores the importance of rapid vendor cooperation in incident response.
Microsoft’s security guidance for Output Messenger users is clear:
  • Immediate software update: Any organization running Output Messenger must upgrade to the latest version, which addresses both vulnerabilities.
  • Network monitoring: Flag and review traffic to domains and IP addresses associated with Marbled Dust infrastructure, particularly api.wordinfos[.]com.
  • Malicious file search: Actively hunt for known malicious file hashes and script names—such as OMServerService.vbs, OMServerService.exe, and OMClientService.exe—within endpoint and network logs.
  • Credential reset: Assume that credentials handled by compromised Output Messenger instances are compromised; schedule organization-wide password resets and audit for unauthorized account activity.

Detection and Hunting

For organizations leveraging Microsoft Defender XDR and Microsoft Defender for Endpoint, Microsoft has published specific detection queries that surface presence of Marbled Dust components, suspicious network communication, and execution of key payloads. For example:
Code:
DeviceFileEvents
| where FileName == "OMServerService.vbs"
| where FolderPath has @"\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, AdditionalFields
Similarly, hunting for DNS queries to Marbled Dust domains, as well as searching for specific file hashes correlated with the VBS scripts, can provide early warning of compromise.
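As an added example, not taken from Microsoft’s or Srimax’s materials, the following Python applies the same hunting logic outside Defender to exported telemetry (file-creation events and DNS queries). It refangs the defanged C2 domain, matches the file names named in this thread, and flags any write into the Windows Startup folder regardless of file name, so a renamed payload still surfaces. The event records are constructed sample data; file hashes from the Microsoft report are not reproduced here and would be added to the indicator set by the analyst.

```python
import re

# Indicators named in the thread. Hashes from the vendor report would be
# added here as a further set; they are not reproduced in this example.
IOC_FILENAMES = {"omserverservice.vbs", "omserverservice.exe", "omclientservice.exe"}
IOC_DOMAINS_DEFANGED = {"api.wordinfos[.]com"}

# Any write into the per-machine Startup folder is worth a look, even if the
# file name differs from the known payloads.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Constructed sample telemetry (not real log data). "WS-042" mixes a benign
# installer write with a suspicious drop of a known payload name.
SAMPLE_EVENTS = [
    {"type": "file", "device": "SRV-OM01",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs",
     "process": "OutputMessenger.exe"},
    {"type": "file", "device": "WS-042",
     "path": r"C:\Program Files\Output Messenger\OMClient.exe",
     "process": "msiexec.exe"},
    {"type": "file", "device": "WS-042",
     "path": r"C:\Users\alice\AppData\Local\Temp\OMClientService.exe",
     "process": "OMClient.exe"},
    {"type": "dns", "device": "SRV-OM01", "query": "API.WORDINFOS.COM"},
    {"type": "dns", "device": "WS-042", "query": "update.microsoft.com"},
]


def classify(event: dict) -> list:
    """Return the list of indicator tags that apply to one event (empty if none)."""
    hits = []
    if event["type"] == "file":
        name = event["path"].rsplit("\\", 1)[-1]
        if name.lower() in IOC_FILENAMES:
            hits.append("ioc-filename:" + name)
        if STARTUP_DIR_RE.search(event["path"]):
            hits.append("startup-folder-write")
    elif event["type"] == "dns":
        # Case-insensitive, tolerate a trailing dot, and catch subdomains of the C2.
        q = event["query"].lower().rstrip(".")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            hits.append("ioc-domain:" + q)
    return hits


def hunt(events: list) -> list:
    """Reduce a stream of events to (device, tags) alerts, preserving order."""
    alerts = []
    for event in events:
        tags = classify(event)
        if tags:
            alerts.append((event["device"], tags))
    return alerts


if __name__ == "__main__":
    for device, tags in hunt(SAMPLE_EVENTS):
        print(f"{device}: {', '.join(tags)}")
```

Triage should start with the device that trips both the file-name and the Startup-folder rule: that combination matches the persistence step described above, and the DNS hit from the same host corroborates it. Matching on the Startup path independently of the file name is what keeps the rule useful after the actor renames the script.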

Beyond Patch: Broader Strategic Defenses

Simply applying the vendor patch is not a panacea. The breadth of Marbled Dust’s campaign illustrates the need for systematic defense-in-depth:
  • Asset management and inventory: Know where Output Messenger (or similar niche software) is deployed in your environment and verify patch levels regularly.
  • Credential isolation: Resist the temptation to reuse credentials across systems accessible from less-secure interfaces or software.
  • Centralized monitoring: Leverage advanced EDR/XDR solutions to maintain visibility across endpoints, network flows, and cloud assets.
  • Behavioral analytics: Augment signature-based detection with anomaly monitoring—particularly effective against novel payloads or zero-days not yet cataloged.

Critical Analysis: Notable Strengths and Lurking Risks

Strengths in Defense

  • Rapid Vendor Collaboration: Srimax’s swift coordination with Microsoft exemplifies responsible vendor behavior and should serve as a blueprint for similar incidents.
  • Granular Threat Intelligence: Microsoft’s publication of detailed TTPs, detection queries, and mitigation steps empowers defenders to move beyond reactive patching into proactive threat hunting.
  • Modern EDR/XDR Integration: The campaign highlights the value of security tools capable of orchestrating detection and response across infrastructure—essential for matching the operational tempo of skilled adversaries.

Persistent and Emerging Risks

  • Long Dwell Time Potential: The methods used by Marbled Dust, particularly reliance on legitimate credentials and internal messaging software, may enable persistent access that remains undiscovered for weeks or months—especially in organizations without mature monitoring.
  • Supply Chain and Niche-ware Blind Spots: Output Messenger is not a household name but has deep penetration in certain verticals and geographical regions. Organizations must scrutinize the “long tail” of internal tools just as they would with widely used enterprise software.
  • Directory Traversal’s Devastation: This flaw type recurs regularly in software ecosystems, often due to insufficient input validation. The widespread persistence of this bug class speaks to an enduring gap in secure development lifecycles.
  • Cascading Credential Compromise: The ability to intercept, log, and reuse credentials—and potentially re-use them in entirely separate, more critical systems—is a core risk amplified by the modularity of modern threat actor toolkits.

Verifiability and Remaining Questions

While Microsoft and partner industry reports provide extensive technical detail, there remain points of uncertainty:
  • Initial Access Vectors: While Marbled Dust’s modus operandi involves credential interception via DNS hijacking and phishing, unequivocal attribution for every case remains elusive—a caution for defenders not to focus solely on a single vector.
  • Malware Payload Evolution: The absence of some payloads for analysis (e.g., the OM.vbs script) leaves gaps in understanding the full spectrum of attacker capabilities and post-exploitation behavior.
  • Cross-Platform Implications: Given Output Messenger’s multiplatform support, it remains to be seen whether similar exploits or payloads exist for non-Windows deployments.

The Larger Inference: Vigilance and Agility Required

The Marbled Dust campaign offers a case study in the intersection of espionage, zero-day exploitation, and organizational neglect of routine patching. It drives home several inescapable truths for security leaders:
  • Threat actors tailor their tooling to regional technologies, bypassing mainstream defense paradigms.
  • Even “internal-only” tools—like corporate messaging suites—can become high-value targets, especially when trusted by organs of state, security, or infrastructure.
  • Rapid, integrated threat intelligence sharing—between vendors, defenders, and software maintainers—is as essential as the eventual technology updates shipped to end users.

Proactive Measures: What Every Defender Should Do

  • Audit installations of Output Messenger or any third-party messaging software; determine patch levels and prioritize upgrades.
  • Monitor outbound traffic for connections to domains and IP addresses identified in threat intelligence reports for Marbled Dust or related activity.
  • Hunt for artifacts using advanced detection rules—especially those matching file names or hashes of known malicious payloads.
  • Educate users about credential phishing, DNS hijacking scenarios, and the importance of unique credentials per application.
  • Prepare incident response checklists for software-specific zero-day scenarios, including rapid credential reset and root-cause review of privileged access.

Conclusion: The Enduring Imperative of Zero Trust

As demonstrated in the Output Messenger incident, modern cyber-espionage efforts relentlessly pursue any gap—whether it be an unpatched server, a weak perimeter device, or a latent software flaw. Attackers like Marbled Dust thrive in environments where internal communications are assumed to be sacrosanct or where patch cycles lag vendor advisories.
Security cannot be a matter of hope or habit; it must be a discipline—anchored in timely patching, constant vigilance, layered detection, and sector-specific threat intelligence. Only through this zero trust, zero complacency mindset can organizations outpace adversaries whose operational tempo is unceasing and whose patience stretches beyond conventional risk horizons.
For ongoing updates, Microsoft recommends following the Microsoft Threat Intelligence Blog and prioritizing the latest guidance within your security operations—because today’s seemingly obscure messaging vulnerability could be tomorrow’s critical breach vector.

Source: Microsoft Marbled Dust leverages zero-day in Output Messenger for regional espionage | Microsoft Security Blog