Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label MarbledDust. Show all posts
zero-day
Cyber Security DNS espionage Iraq MarbledDust OutputMessenger threatgroup Turkey Vulnerability zero-day

Türkiye-Linked Hackers Exploit Zero-Day in Messaging App to Target Kurdish Military

 


 
A Türkiye-aligned cyberespionage group, Marbled Dust, has exploited a previously unknown zero-day vulnerability to launch attacks on users of Output Messenger — specifically those associated with the Kurdish military in Iraq, according to a report from Microsoft Threat Intelligence.

The uncovered flaw, now identified as CVE-2025-27920, is a directory traversal vulnerability in the LAN-based Output Messenger application. It enables authenticated users to break out of intended directories, granting access to sensitive system files or allowing the deployment of malicious payloads to the server’s startup folder.

"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," Srimax, the app's developer, stated in a security advisory released in December.

The vulnerability was patched in Output Messenger V2.0.63, but attackers exploited it before updates were applied. Microsoft attributes the campaign to a group tracked as Sea Turtle, SILICON, and UNC1326, known collectively as Marbled Dust.

After infiltrating the Output Messenger Server Manager, attackers installed malware that allowed them to monitor communications, impersonate users, and disrupt internal systems.

"While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity," Microsoft explained.

Following initial compromise, a backdoor named OMServerService.exe was deployed to establish communication with an attacker-controlled command-and-control server (api.wordinfos[.]com). This enabled the group to gather victim-specific data.

In one example, an Output Messenger client connected to an IP tied to Marbled Dust, likely initiating data exfiltration. Shortly after, the system began collecting files and compressing them into a RAR archive for extraction.

Marbled Dust has a history of targeting Europe and the Middle East, especially telecom, IT firms, and government entities critical of the Turkish regime. The group is known to exploit internet-facing vulnerabilities and compromise DNS registries to carry out man-in-the-middle (MitM) attacks.

"This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft noted. "The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent."

In recent years, Marbled Dust has been connected to espionage campaigns in the Netherlands, with a focus on ISPs, telecommunication provi
Read more »
Subscribe to: Posts (Atom)