12 May 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor that Microsoft Threat Intelligence tracks as Marbled Dust has been observed exploiting a zero-day vulnerability (CVE-2025-27920) in Output Messenger, a multiplatform chat application, against users of installations that have not applied the fix. These exploits have resulted in collection of user data from targets in Iraq. Microsoft Threat Intelligence assesses with high confidence that the targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities.

Microsoft Threat Intelligence assesses with moderate confidence that Marbled Dust conducts reconnaissance to determine whether their targets are Output Messenger users and chooses this attack vector based on that knowledge. Successful exploitation allows the threat actor to deliver multiple malicious files and exfiltrate data from targets.

Upon discovering the Output Messenger zero-day vulnerability (CVE-2025-27920), Microsoft notified Srimax, the developer of the messaging app, who issued a software update. Microsoft also identified a second vulnerability in Output Messenger (CVE-2025-27921) for which Srimax has also released a patch; however, Microsoft has not observed exploitation of this second vulnerability. We acknowledge Srimax for their collaboration and for addressing both vulnerabilities.

In this blog, we present details on how Marbled Dust uses the Output Messenger zero-day exploit in the attack chain of this campaign. We also share mitigation and protection guidance, and detection details and hunting queries. Microsoft Threat Intelligence recommends users upgrade Output Messenger to its latest version to address the vulnerability leveraged by Marbled Dust.

Who is Marbled Dust?

Microsoft Threat Intelligence assesses that Marbled Dust operates as a Türkiye-affiliated espionage threat actor. Marbled Dust targets entities in Europe and the Middle East, particularly government institutions and organizations that likely represent counter interests to the Turkish government, as well as targets in the telecommunications and information technology sectors. Marbled Dust overlaps with activity tracked by other security vendors as Sea Turtle and UNC1326.

In previous campaigns, Marbled Dust was observed scanning targeted infrastructure for known vulnerabilities in internet-facing appliances or applications and exploiting these vulnerabilities as a means of gaining initial access to target infrastructure providers. They were also observed using access to compromised DNS registries and/or registrars to reset the DNS server configuration of government organizations in various countries to intercept traffic, enabling them to log and reuse stolen credentials.

This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach. The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent.

Output Messenger zero-day

Microsoft security researchers identified the zero-day vulnerability exploited by Marbled Dust. This directory traversal vulnerability (CVE-2025-27920) in the Output Messenger Server Manager application could allow an authenticated user to upload malicious files into the server’s startup directory. Marbled Dust exploited this vulnerability to save the malicious file OMServerService.vbs to the startup folder.

The Output Messenger Server Manager application provides the server owner with the option to enable an output drive, allowing users to upload and download files from the server. Once this is enabled, any user can upload files to the server. By default, these files are stored at C:\Program Files\Output Messenger Server\OfflineMessages\TempFile on the server. Once a user is authenticated, they can upload a file and replace the "name" value in the request with their directory traversal string, for example, name="../../../../../../../../../../ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/OMServerService.vbs".
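The server-side check that closes this class of bug is a containment test on the resolved upload path, not a filter on the raw string. The following is an added example written for this post, not Output Messenger's own code: it treats the advisory's default upload directory as a constant and uses Python's ntpath module so Windows path semantics are applied on any OS. UPLOAD_BASE, resolves_inside and safe_upload_path are names chosen here.

```python
import ntpath

# Default upload directory named in the advisory (a constant for this example;
# the server's real code is not shown on the page).
UPLOAD_BASE = r"C:\Program Files\Output Messenger Server\OfflineMessages\TempFile"


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied file name would escape the upload directory."""


def resolves_inside(base: str, name: str) -> bool:
    """Canonical containment check using Windows path rules (ntpath works on any OS).

    Join base and name, normalise away '.', '..' and mixed separators, and require
    the result to be strictly below base. This is the check that still holds when a
    front-line string filter is bypassed, because it reasons about the resolved path.
    """
    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_norm, name))
    try:
        return candidate != base_norm and ntpath.commonpath([base_norm, candidate]) == base_norm
    except ValueError:  # different drive letters, or absolute mixed with relative
        return False


def safe_upload_path(name: str, base: str = UPLOAD_BASE) -> str:
    """Return the path an upload may be written to, or raise UnsafeUploadName.

    The client controls `name` (the request field abused in CVE-2025-27920), so it
    must never be allowed to choose a directory: reject separators, drive letters and
    parent references outright, then confirm containment on the resolved path.
    """
    if not name or "\x00" in name:
        raise UnsafeUploadName("empty name or embedded NUL byte")
    if any(ch in name for ch in "/\\:") or name.strip(". ") == "":
        raise UnsafeUploadName(f"directory components are not allowed: {name!r}")
    if not resolves_inside(base, name):
        raise UnsafeUploadName(f"name escapes the upload directory: {name!r}")
    return ntpath.join(ntpath.normpath(base), name)
```

The bare-name filter is the cheap first line; resolves_inside is the one to keep even if the filter is later relaxed, since it evaluates the path the file system would actually see.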

In the Output Messenger architecture, the client and server communicate to provide messaging, file sharing, and other collaborative features. When the client is launched, it connects to the server and sends user credentials to the server for validation before the server authenticates the user. Messages sent from the client are forwarded to the server, which acts as a relay. When a file is shared via the client, it can either be directly transferred to another user or stored on the server for later retrieval.

Once Marbled Dust gains access to the Output Messenger server, the threat actor can leverage Output Messenger system architecture to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, which could lead to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.

Attack chain

The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager application as an authenticated user. While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity.

Marbled Dust uses this foothold in a single victim to collect the user’s Output Messenger credentials and exploit the CVE-2025-27920 vulnerability, a directory traversal attack in the Output Messenger Server Manager application that allows an authenticated user to drop malicious files to the server’s startup directory. Marbled Dust drops the malicious files OM.vbs and OMServerService.vbs to the Output Messenger server startup folder and drops the malicious file OMServerService.exe to the server’s Users/public/videos directory.

Marbled Dust then uses OMServerService.vbs to call OM.vbs, which is passed to OMServerService.exe as an argument. At the time of reporting, file OM.vbs was not available for analysis. OMServerService.exe, on the other hand, is a GoLang backdoor masquerading as the legitimate file of the same name. GoLang is particularly effective in this case because it is not sensitive to OS versions. In some cases, OMServerService.exe is observed connecting to a hardcoded domain, api.wordinfos[.]com, for data exfiltration.

Figure 1. The Marbled Dust attack chain

On the client side, the installer extracts and executes both the legitimate file OutputMessenger.exe and OMClientService.exe, another GoLang backdoor that connects to a Marbled Dust command-and-control (C2) domain. This backdoor first performs a connectivity check via GET request to the C2 domain api.wordinfos[.]com. If successful, a second GET request is sent to the same C2 containing hostname information to uniquely identify the victim. The response from the C2 is then directly executed using the command “cmd /c” which instructs the Windows command prompt to run a specific command and then terminate.

In at least one case, a victim device with the Output Messenger client software was observed connecting to an IP address attributed to Marbled Dust likely for data exfiltration, as these connections coincide with the threat actor issuing commands to collect files with varying file extensions to a RAR file on the desktop. This connection to the Marbled Dust-attributed IP address is frequently accomplished using plink—the command-line version of the PuTTY SSH client for Windows.
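The process lineage described in this section (client backdoor running a C2 response through cmd /c, a script host launching OMServerService.vbs from the Startup folder, plink for the outbound connection) can be turned into host-level hunt rules. This is an added example written for this post, not Microsoft's detection logic; the process events are constructed, and the plink rule assumes the backdoor is the parent, which the page does not state.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, normalised the way a SIEM would present it."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Names of the two Go backdoors described in the advisory. The server-side one
# masquerades as a legitimate file of the same name, so a match is a lead, not proof.
BACKDOOR_IMAGES = {"omclientservice.exe", "omserverservice.exe"}
# Location of the VBS launcher dropped through the traversal bug.
STARTUP_VBS = re.compile(r"\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\omserverservice\.vbs\b", re.I)
CMD_C = re.compile(r"(?:^|\s)/c(?:\s|$)", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    parent, image = image_name(ev.parent_image), image_name(ev.image)
    # C2 response executed as 'cmd /c <command>' by a backdoor process.
    if image == "cmd.exe" and parent in BACKDOOR_IMAGES and CMD_C.search(ev.command_line):
        return "cmd-exec-from-backdoor"
    # Script host launching the dropped VBS from the Windows startup folder.
    if image in {"wscript.exe", "cscript.exe"} and STARTUP_VBS.search(ev.command_line):
        return "startup-vbs-launch"
    # plink spawned by a backdoor process (assumption: parent is not stated on the page).
    if image == "plink.exe" and parent in BACKDOOR_IMAGES:
        return "plink-from-backdoor"
    return None


def hunt(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (host, rule) pairs for every event that matches a rule."""
    return [(ev.host, rule) for ev in events if (rule := classify(ev))]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ProcEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Users\jo\AppData\Local\Output Messenger\OMClientService.exe", "OMClientService.exe"),
    ProcEvent("ws01", r"C:\Users\jo\AppData\Local\Output Messenger\OMClientService.exe", r"C:\Windows\System32\cmd.exe", 'cmd /c "whoami"'),
    ProcEvent("srv01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs"'),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]
```

Pair a hit from these rules with the hash and C2 queries later in this post before treating it as confirmed activity.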

Mitigations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Strengthen operating environment configuration

Strengthen Microsoft Defender for Endpoint configuration

• Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
• Enable network protection in Microsoft Defender for Endpoint.
• Turn on web protection.
• Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Endpoint

Alerts with the following title in the security center can indicate threat activity on your network:

• Marbled Dust activity group

Microsoft Defender for Cloud

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Traffic detected from IP addresses recommended for blocking
• Communication with suspicious domain identified by threat intelligence

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.

Microsoft Defender XDR customers can search for Output Messenger components in their environment through the XDR portal Intel explorer components search function.

Navigate to Intel Explorer. Search for "output messenger". On the summary tab, scroll down to "Components on IP" and click the View all selection at the bottom to display the full results. Note: the results of the search may not include the version of the Output Messenger component.

Microsoft Defender XDR advanced hunting queries

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

OMServerService.vbs script

Surface devices that possess the OMServerService.vbs file that attempts to launch the Marbled Dust GoLang backdoor.

DeviceFileEvents
| where FileName == "OMServerService.vbs"
| where FolderPath has @"\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, AdditionalFields


Marbled Dust C2

Surface devices that might have communicated with Marbled Dust C2. DnsEvents, VMConnection and W3CIISLog are Microsoft Sentinel (Log Analytics) tables; their TimeGenerated column is aliased to Timestamp so that the union sorts on a single column, and the DnsEvents leg matches on Name (the queried domain) rather than QueryType (the record type).

let domainList = dynamic(["api.wordinfos.com"]);
union
(
    DnsEvents
    | where Name has_any(domainList)
    | project Timestamp = TimeGenerated, Domain = Name, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project Timestamp = TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project Timestamp = TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by Timestamp desc


Executable file or launch script (requires Microsoft Defender XDR)

Identify devices that might have the executable file or launch script present as part of this activity.

DeviceFileEvents
| where FileName == "OM.vbs" or FileName == "OMServerService.exe"
| where FolderPath has @"c:\users\public\videos"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, AdditionalFields


Marbled Dust VBS script file hashes (requires Microsoft Defender XDR)

Search for the file hashes associated with the Marbled Dust VBS script files used in this activity.

let fileHashes = dynamic(["1df959e4d2f48c4066fddcb5b3fd00b0b25ae44f350f5f35a86571abb2852e39", "2b7b65d6f8815dbe18cabaa20c01be655d8475fc429388a4541eff193596ae63"]);
union
(
    DeviceFileEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
    DeviceEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
    DeviceImageLoadEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
    DeviceProcessEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc


Indicators of compromise

Indicator                    Type    Description  First seen  Last seen
hxxps://api.wordinfos[.]com  Domain  C2           4/5/2024    5/12/2025

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Marbled Dust leverages zero-day in Output Messenger for regional espionage appeared first on Microsoft Security Blog.

