A Türkiye-backed cyberespionage group exploited a zero-day vulnerability to attack Output Messenger users linked to the Kurdish military in Iraq.

Microsoft Threat Intelligence analysts who spotted these attacks also discovered the security flaw (CVE-2025-27920) in the LAN messaging application, a directory traversal vulnerability that can let authenticated attackers access sensitive files outside the intended directory or deploy malicious payloads on the server’s startup folder.

“Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution,” Srimax, the app’s developer, explains in a security advisory issued in December when the bug was patched with the release of Output Messenger V2.0.63.

Microsoft revealed on Monday that the hacking group (also tracked as Sea Turtle, SILICON, and UNC1326) targeted users who hadn’t updated their systems to infect them with malware after gaining access to the Output Messenger Server Manager application.

After compromising the server, Marbled Dust hackers could steal sensitive data, access all user communications, impersonate users, gain access to internal systems, and cause operational disruptions.

“While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity,” Microsoft said.

Next, the attackers deployed a backdoor (OMServerService.exe) onto the victims’ devices, which checked connectivity against an attacker-controlled command-and-control domain (api.wordinfos[.]com) and then provided the threat actors with additional information to identify each victim.

​In one instance, the Output Messenger client on a victim’s device connected to an IP address linked to the Marbled Dust threat group, likely for data exfiltration, shortly after the attacker instructed the malware to collect files and archive them as a RAR archive.

Marbled Dust is known for targeting Europe and the Middle East, focusing on telecommunications and IT companies, as well as government institutions and organizations opposing the Turkish government.

To breach the networks of infrastructure providers, they’re scanning for vulnerabilities in internet-facing devices. They’re also exploiting their access to compromised DNS registries to change government organizations’ DNS server configurations, which allows them to intercept traffic and steal credentials in man-in-the-middle attacks.

“This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach,” Microsoft added. “The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent.”

Last year, Marbled Dust was also linked to multiple espionage campaigns targeting organizations in the Netherlands, mainly targeting telecommunications companies, internet service providers (ISPs), and Kurdish websites between 2021 and 2023.