When a zero-day flaw surfaces in an enterprise tool that no one talks about publicly, it’s tempting to write it off as niche. But Marbled Dust’s recent campaign exploiting CVE-2025-27920 in Output Messenger is anything but.
Microsoft Threat Intelligence has linked a string of targeted cyberattacks to Marbled Dust, a Türkiye-affiliated threat actor, using a previously unknown vulnerability in Output Messenger—a self-hosted enterprise chat app. The campaign, ongoing since April 2024, targeted Kurdish military-linked users in Iraq and reflects a growing shift in how regionally motivated cyber-espionage unfolds.
Output Messenger: The Tool You Didn’t Expect to Matter
Output Messenger isn’t WhatsApp or Slack. It’s a low-profile, multiplatform chat tool often used by organizations looking for on-prem communication. That makes it a perfect blind spot—not widely scrutinized, but widely trusted within internal networks. Marbled Dust saw the opportunity and pounced.
The attackers used CVE-2025-27920—a directory traversal flaw in Output Messenger Server Manager—to plant malicious scripts in the startup folder. From there, they executed a stealthy multi-stage backdoor deployment, with exfiltration domains and C2 infrastructure cleverly masked under seemingly benign domains like api.wordinfos[.]com.
Microsoft credits Srimax, Output Messenger’s vendor, for releasing timely patches (v2.0.62+), but many organizations are still unpatched. That’s where Marbled Dust gets its access.
Inside the Marbled Dust Attack Chain
The campaign starts with Marbled Dust gaining authenticated access to Output Messenger’s Server Manager. Microsoft isn’t entirely sure how those credentials are initially harvested, but suspects DNS hijacking and typo-squatted login portals—tactics the group has used before.
Once in, the threat actor uploads a malicious VBS file to the Windows startup folder, exploiting the directory traversal bug. This script launches OMServerService.exe, a GoLang backdoor disguised as a legitimate service file. GoLang offers a bonus: platform agnosticism and fewer signature-based detections.
The backdoor connects to Marbled Dust’s C2 domain, checks connectivity, sends host data, and then executes further commands based on what the attacker sends back. In one case, a victim’s device was seen uploading sensitive files packaged in a RAR archive using PuTTY’s command-line client, plink.exe, as the data exfiltration vehicle.
On the client side, users who downloaded infected Output Messenger installers got more than they expected. The installer bundled the legit OutputMessenger.exe with a secondary payload—OMClientService.exe, another GoLang backdoor pinging the same C2 endpoint.
Who Is Marbled Dust?
Microsoft links Marbled Dust to past DNS hijacking and credential-harvesting campaigns. The group overlaps with activity known as Sea Turtle (APT) and UNC1326, and has been observed targeting organizations with interests adverse to Ankara’s. Their focus areas include the Middle East and Europe, with recent emphasis on telecom and government sectors.
This campaign signals a shift. While earlier Marbled Dust activity relied on known vulnerabilities, the use of a true zero-day suggests either growing internal capabilities or increased urgency in their operational objectives.
Why The Output Messenger Exploit Matters
This is a lesson in how fringe enterprise tools can become high-value targets. While most security teams are busy patching the usual suspects (Office macros, web proxies, VPNs), tools like Output Messenger quietly hum along in the background—until someone like Marbled Dust takes interest.
And let’s be clear: this isn’t a commodity threat. It’s regional espionage with carefully picked targets and minimal noise. The entire campaign operated with precision, focused on credential theft, internal surveillance, and quiet access—not ransomware or mass disruption.
What You Should Do Now
Microsoft urges immediate patching of Output Messenger to versions 2.0.62 (server) and 2.0.63 (client). Organizations using this app should:
- Audit all current installations for signs of the exploit (look for unusual VBS and EXE files in startup directories)
- Monitor outbound connections to
api.wordinfos[.]com - Check for unauthorized use of plink.exe or outbound SSH sessions
- Isolate any systems communicating with suspicious C2 infrastructure
Marbled Dust’s campaign isn’t about splashy headlines. It’s quiet, focused, and a warning shot to organizations using obscure enterprise software without hardening them.
Zero-days don’t just live in browsers and VPNs anymore. They live in your internal chat apps, your ticketing systems, your software you forgot to watch. And attackers? They’re watching all of it.
