The zero-day vulnerability in Output Messenger was exploited by the Marbled Dust group to conduct espionage activities

Vũ Nhật Lâm

Overview

Microsoft reports that, since April 2024, an espionage group it tracks as Marbled Dust has been exploiting a critical vulnerability (tracked as CVE-2025-27920) in Output Messenger, a cross-platform enterprise chat application. The flaw was a zero-day when exploitation began; deployments that have not applied the vendor patch remain exposed, and the group has successfully collected user data from targets in Iraq.

Exploitation lets the attacker upload malicious files to the server and subsequently steal data from victims' systems.

After discovering the vulnerability, Microsoft notified Srimax, the developer of Output Messenger, which promptly released a patch. Microsoft also reported a second vulnerability (CVE-2025-27921), which Srimax has likewise fixed; there is currently no evidence that it has been exploited.

Microsoft's detailed report also covers Marbled Dust's attack techniques, mitigation guidance, detection methods, and investigation tools.

Marbled Dust group

Microsoft assesses that Marbled Dust is an espionage group affiliated with Turkey. It targets government, telecommunications, and IT organizations in Europe and the Middle East, particularly entities that may oppose the interests of the Turkish government.

In previous campaigns, Marbled Dust attacked infrastructure with known vulnerabilities or hijacked DNS to intercept traffic and harvest login credentials.

According to Microsoft, the victims are associated with Kurdish military forces operating in Iraq, consistent with Marbled Dust's earlier targeting. The group likely performed reconnaissance beforehand to confirm that the victims were using Output Messenger. The successful use of a zero-day in this campaign shows that the group's technical capability is increasing and suggests that its targeting priorities have become more urgent.

Zero-day Vulnerability in Output Messenger

Microsoft researchers identified the zero-day CVE-2025-27920 exploited by Marbled Dust. It is a directory traversal vulnerability in the Output Messenger Server Manager application that allows an authenticated attacker to write files outside the intended upload directory, including into the server's Windows startup folder.

How the exploit works:

  • Output Messenger Server allows users to upload and download files when the administrator enables the "Output Drive" feature.

  • By default, uploaded files are stored on the server at: C:\Program Files\Output Messenger Server\OfflineMessages\Temp\1\File

  • After authenticating, the attacker supplies a path traversal sequence in the "name" parameter of the upload request, so the file is written into the Windows startup folder instead of the upload directory.
    Example: name="../../../../../../../../../../ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/OMServerService.vbs"
    The upload directory sits six levels below the drive root, so six "../" segments are enough to reach C:\; the extra segments are harmless because Windows ignores ".." at the root.

In this way, Marbled Dust dropped OMServerService.vbs into the all-users startup folder, which Windows executes whenever a user logs on to the server, including after every restart.
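The following is an added example, not Srimax's code: a minimal upload-path handler showing the flawed behaviour (client-supplied name joined to the upload directory and used as-is) next to the containment check that defeats it. It uses Python's ntpath so Windows path rules apply wherever it runs; the function names and the sample file names are assumptions made for the demonstration.

```python
"""Path traversal as in CVE-2025-27920: vulnerable join vs. hardened containment check.

Added example, not the vendor's code. ntpath is used explicitly so that backslashes,
drive letters and case-insensitivity behave as on the Windows server regardless of
the host running this script.
"""
import ntpath

# Default storage location quoted in the report
UPLOAD_DIR = r"C:\Program Files\Output Messenger Server\OfflineMessages\Temp\1\File"

# The traversal string quoted in the report (the "name" parameter)
MARBLED_DUST_NAME = ("../../../../../../../../../../ProgramData/Microsoft/Windows/"
                     "Start Menu/Programs/StartUp/OMServerService.vbs")


def vulnerable_target(name, base=UPLOAD_DIR):
    """Mirrors the flawed behaviour: the client-supplied name is appended to the
    upload directory and the result is used as-is, so '..' segments escape it."""
    return ntpath.normpath(ntpath.join(base, name))


def safe_target(name, base=UPLOAD_DIR):
    """Hardened version: resolve the candidate path, then require that it still
    lies inside `base`. Raises ValueError on any attempt to escape.

    The prefix check also rejects absolute names ("C:\\Windows\\x"), rooted names
    ("\\Windows\\x"), drive-relative names ("D:x") and an empty name, because none
    of those normalise to something under the upload directory.
    """
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    base = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base, name))
    prefix = ntpath.normcase(base) + ntpath.sep  # normcase: lower-case, '\\' separators
    if not ntpath.normcase(candidate).startswith(prefix):
        raise ValueError(f"path escapes upload directory: {candidate}")
    return candidate


def is_traversal(name, base=UPLOAD_DIR):
    """True if `name` would be rejected by the hardened handler."""
    try:
        safe_target(name, base)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler writes to:", vulnerable_target(MARBLED_DUST_NAME))
    print("hardened handler rejects it:", is_traversal(MARBLED_DUST_NAME))
    print("hardened handler accepts a plain name:", safe_target("report.pdf"))
```

Resolving first and comparing afterwards matters: a naive substring check for ".." is bypassed by names such as "sub/../x" that are legitimate, and by encodings the server decodes after the check. The comparison must be made on the fully normalised path, with the trailing separator appended so that a sibling directory whose name merely starts with the upload directory's name does not pass.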

Serious Consequences After Server Takeover

Once Marbled Dust gains control of the Output Messenger server, they can:

  • Eavesdrop on all messages and shared data of every user in the system.

  • Impersonate users and steal sensitive data.

  • Disrupt operations, infiltrate the internal system, and expose numerous login credentials.

Output Messenger uses a client-server model in which every message and file transits the server, so a compromised server exposes the entire deployment.

Marbled Dust's Attack Chain on the Output Messenger System

The attack began with Marbled Dust authenticating to the Output Messenger Server Manager as a legitimate user. How the group obtained credentials in each case is unclear; Microsoft assesses that it likely intercepted and reused them through DNS hijacking or typo-squatted domains, as in its previous campaigns.

With that access, Marbled Dust exploited CVE-2025-27920 to write files outside the upload directory, including the server's startup folder. Three files were dropped:

  • OM.vbs

  • OMServerService.vbs (placed in the startup directory)

  • OMServerService.exe (placed in the Users/Public/Videos directory)

OMServerService.vbs invokes OM.vbs, passing it as an argument to OMServerService.exe. OM.vbs was not available for analysis, but Microsoft identified OMServerService.exe as a backdoor written in Go and disguised as a legitimate component. Go suits this purpose because its self-contained binaries run across operating system versions without extra runtime dependencies. In some cases the backdoor connected to a hard-coded domain, api.wordinfos[.]com, to exfiltrate stolen data.

Client-Side Attack

On the user's machine, a malicious Output Messenger client installer extracts and runs two files:

  • OutputMessenger.exe (a legitimate file)

  • OMClientService.exe (another backdoor written in GoLang)

This backdoor:

  1. Sends a GET request to api.wordinfos[.]com to confirm connectivity to the C2 server.

  2. Sends the victim's hostname so the operators can identify the machine.

  3. Executes any command returned by the C2 server through cmd /c, giving the attacker arbitrary command execution on the compromised host.

Data Extraction Behavior

In at least one instance, a host with the Output Messenger client installed connected to an IP address attributed to Marbled Dust at the same time that the group collected files of various types and archived them into a RAR file for exfiltration. The outbound connection was made with Plink, the command-line SSH client from the PuTTY suite.
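The server-side and client-side chains above, together with the Plink exfiltration, map to a handful of host indicators. The following is an added example (not Microsoft's or FPT's tooling) of simple detection rules run over constructed endpoint telemetry. The event schema (dicts with type, path, image, parent, cmdline and dest fields), the client-side path of OMClientService.exe and the attacker IP 203.0.113.10 are assumptions for the demo; map the rules onto your EDR's own telemetry and field names.

```python
"""Detection rules for the Output Messenger / Marbled Dust indicators described in the report.

Added example, not the report's own hunting queries. The event records are constructed
for the demonstration; their field names are an assumed, generic EDR-style schema.
"""
import ntpath
import re

STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
PUBLIC_VIDEOS = r"C:\Users\Public\Videos"
C2_DOMAIN = "api.wordinfos.com"          # written api.wordinfos[.]com (de-fanged) in the report
DROPPERS = {"omclientservice.exe", "omserverservice.exe"}


def _in_dir(path, directory):
    """True if `path` sits directly inside `directory` (Windows rules, case-insensitive)."""
    parent = ntpath.dirname(ntpath.normpath(path))
    return ntpath.normcase(parent) == ntpath.normcase(directory)


def rule_vbs_in_startup(ev):
    """Outcome of CVE-2025-27920: a .vbs written to the all-users StartUp folder."""
    return (ev["type"] == "file_create" and _in_dir(ev["path"], STARTUP_DIR)
            and ev["path"].lower().endswith(".vbs"))


def rule_exe_in_public_videos(ev):
    """Staging location of the OMServerService.exe backdoor."""
    return (ev["type"] == "file_create" and _in_dir(ev["path"], PUBLIC_VIDEOS)
            and ev["path"].lower().endswith(".exe"))


def rule_c2_contact(ev):
    """Any process reaching the hard-coded C2 domain."""
    return ev["type"] == "net_connect" and ev.get("dest", "").lower() == C2_DOMAIN


def rule_backdoor_spawns_cmd(ev):
    """OMClientService.exe / OMServerService.exe running an operator command via cmd /c."""
    if ev["type"] != "process_create":
        return False
    parent = ntpath.basename(ev.get("parent", "")).lower()
    image = ntpath.basename(ev.get("image", "")).lower()
    has_c = re.search(r"(^|\s)/c(\s|$)", ev.get("cmdline", ""), re.I) is not None
    return parent in DROPPERS and image == "cmd.exe" and has_c


def rule_plink_outbound(ev):
    """Plink building the SSH channel used for exfiltration."""
    return (ev["type"] == "net_connect"
            and ntpath.basename(ev.get("image", "")).lower() == "plink.exe")


RULES = {
    "vbs_in_startup": rule_vbs_in_startup,
    "exe_in_public_videos": rule_exe_in_public_videos,
    "c2_contact": rule_c2_contact,
    "backdoor_spawns_cmd": rule_backdoor_spawns_cmd,
    "plink_outbound": rule_plink_outbound,
}


def scan(events):
    """Return a list of (rule_name, event) for every rule that fires, in event order."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed telemetry modelled on the chain in the report (paths of the client-side
# backdoor and the attacker IP are placeholders, not values from the report).
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Program Files\Output Messenger Server\OfflineMessages\Temp\1\File\report.pdf"},
    {"type": "file_create", "path": STARTUP_DIR + r"\OMServerService.vbs"},
    {"type": "file_create", "path": PUBLIC_VIDEOS + r"\OMServerService.exe"},
    {"type": "net_connect", "image": PUBLIC_VIDEOS + r"\OMServerService.exe", "dest": "api.wordinfos.com"},
    {"type": "process_create", "parent": r"C:\Users\alice\AppData\Local\OMClientService.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},
    {"type": "net_connect", "image": r"C:\Users\alice\plink.exe", "dest": "203.0.113.10"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd"},    # benign, should not fire
]

if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
```

The first and last sample events are benign (a normal upload into the Temp\1\File directory and an interactive cmd.exe launched from Explorer) and produce no hits; the rules key on the locations and process relationships the report describes rather than on file hashes, so renamed or recompiled payloads dropped in the same way still fire.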

A diagram of the Marbled Dust attack chain

Recommendations

FPT Threat Intelligence recommends the following measures against this attack:

  • Update the Output Messenger software to a version not affected by the vulnerability:

    • Version 2.0.63 for Windows

    • Version 2.0.62 for Server

  • Deploy endpoint protection and monitoring to detect and block the behaviour described above, in particular scripts written to the StartUp folder, executables staged under Users\Public\Videos, and unexpected outbound SSH connections from Plink

  • Enforce multi-factor authentication on Output Messenger and related accounts, since the attack chain begins with valid user credentials
