
New Output Messenger Zero-Day Hits Iraq’s Military


A Turkish-backed hacker group is using a zero-day vulnerability in Output Messenger to spy on Kurdish military targets in Iraq. Microsoft has linked this campaign to a group known as Marbled Dust, also tracked as Sea Turtle and UNC1326.

The espionage group has a long history of targeting organizations across Europe and the Middle East. Their focus includes government agencies, IT companies, telecom firms, and others tied to Turkish national interests.

In this latest campaign, Marbled Dust exploited a critical flaw, now identified as CVE-2025-27920, in Output Messenger. This enterprise messaging app, made by Indian software firm Srimax, had a serious directory traversal issue. The flaw allowed attackers to access or run unauthorized files on company servers.

Zero-Day Exploit Marks a New Phase

According to Microsoft, the group began using this vulnerability in April 2024. At the time, the issue had not yet been publicly disclosed or assigned a CVE number. Although a patch was released in December 2024, the CVE tag came much later, in May 2025.

This move marks a shift in the group’s tactics. Previously, Marbled Dust relied on known, already-patched bugs or DNS hijacking to gain access. The use of a zero-day shows growing technical capability and possibly a more urgent mission.

Once inside a target system, the hackers used stolen credentials—likely obtained through typo-squatting or DNS attacks—to log into Output Messenger. From there, they uploaded malicious files to the server’s startup folder. This gave them long-term access and control.

The attackers then installed backdoors, which let them run commands and steal sensitive data. Microsoft believes the targets were members of the Kurdish military in Iraq, consistent with Marbled Dust’s usual focus.

Technical Details and Patch Guidance

CVE-2025-27920 affects Output Messenger version 2.0.62. It is a directory traversal flaw, which means attackers can escape a restricted folder by supplying path sequences such as ../ in a file name. This lets them view or change files that should be off-limits.

Srimax, the developer of the app, has confirmed the vulnerability. They urge users to update to version 2.0.63, which fixes this issue. Another vulnerability, CVE-2025-27921, was also patched in that version but has not been used in attacks so far.

Microsoft advises organizations to patch immediately. Any system still running older versions could be exposed. IT teams should also check access logs, monitor for odd file changes, and tighten server permissions.
