A Türkiye-backed cyberespionage group exploited a zero-day vulnerability to attack Output Messenger users linked to the Kurdish military in Iraq. Microsoft Threat Intelligence analysts who spotted these attacks also discovered the security flaw (CVE-2025-27920) in the LAN messaging application, a directory traversal vulnerability that can let authenticated attackers access sensitive files outside the intended directory or deploy malicious payloads on the server’s startup folder. “Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution,” Srimax, the app’s developer, explains in a security advisory issued in December when the bug was patched with the release of Output Messenger V2.0.63. Microsoft revealed on Monday that the hacking group (also tracked as Sea Turtle, SILICON, and UNC1326) targeted users who hadn’t updated their systems to infect them with malware after gaining access to the Output Messenger Server Manager application. After compromising the server, Marbled Dust hackers could steal sensitive data, access all user communications, impersonate users, gain access to internal systems, and cause operational disruptions. “While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity,” Microsoft said. Next, the attackers deployed a backdoor (OMServerService.exe) onto the victims’ devices, which checked connectivity against an attacker-controlled command-and-control domain (api.wordinfos[.]com) and then provided the threat actors with additional information to identify each victim.
Contact us : 0915579536
Or on the website digitalonion.ly
Visit us at our company address: Tripoli – Andalus Street – Next to the Iraqi Embassy.
Leave a Reply