Marbled Dust (formerly Silicon), a Türkiye-linked hacking group which is also known as Cosmic Wolf, Sea Turtle, Teal Kurma, and UNC1326, exploited a zero-day vulnerability in Output Messenger since April 2024. This Indian-made communication platform was targeted to infiltrate devices linked to the Kurdish military forces operating inside Iraq. The group used a directory traversal flaw, CVE-2025-27920, to execute malicious code and extract sensitive information from infected systems. Microsoft confirmed reconnaissance likely occurred beforehand to ensure targets were using the vulnerable version of Output Messenger.
The attackers gained access to the Output Messenger Server Manager by using stolen credentials captured through typosquatting or DNS hijacking.
Once inside, they exploited the flaw to place malicious files like “OM.vbs” into the system’s startup folders for persistence. These files launched a Golang-based backdoor named “OMServerService.exe,” which communicated with a hardcoded domain to exfiltrate user data. Meanwhile, on the client side, another backdoor named “OMClientService.exe” contacted a command-and-control server for further instructions.
The malware’s functions included connectivity checks and hostname reporting before downloading and executing new commands using Windows command-line tools.
This backdoor method allowed attackers to maintain access, impersonate users, and potentially disrupt operations or access sensitive communications. The activity represents a significant leap in technical sophistication for Marbled Dust, suggesting increasing urgency in its operations. Microsoft detected victim devices in Iraq connecting to IPs linked to previous Marbled Dust cyber espionage efforts.
A second vulnerability, CVE-2025-27921, involved reflected XSS in the same software version but has not been exploited yet. Output Messenger’s developer Srimax released patches to fix both flaws after being alerted by Microsoft in late 2024. Still, the lack of public disclosure about active exploitation raised concern about patch awareness among users of Output Messenger.
Microsoft warned that such flaws allow attackers wide-ranging control over internal communications and can disrupt secure operations if unpatched.
Reference:
