A Turkey-affiliated threat actor has been observed exploiting a zero-day vulnerability in Output Messenger against entities associated with the Kurdish military in Iraq, Microsoft reports.
The hacking group, tracked as Marbled Dust, Sea Turtle, and UNC1326, and known to focus on espionage, typically targets entities in Europe and the Middle East, including government, information technology, and telecommunications organizations, as well as other entities of interest to the Turkish government.
Marbled Dust was previously seen scanning internet-facing assets for known vulnerabilities it could exploit for initial access, as well as compromising DNS registries and/or registrars to snoop on government organizations and steal their credentials.
“This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach. The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent,” Microsoft notes.
Since April 2024, the threat actor has been targeting CVE-2025-27920, a vulnerability in the enterprise communication app Output Messenger. The flaw was patched in December 2024, but a CVE identifier was issued only this month.
The issue is described as a directory traversal flaw that could allow attackers to access sensitive files and expose private information, as well as to execute arbitrary code remotely.
“A directory traversal vulnerability was identified in Output Messenger version V2.0.62. This vulnerability allows remote attackers to access or execute arbitrary files by manipulating file paths with `../` sequences. By exploiting this flaw, attackers can navigate outside the intended directory, potentially exposing or modifying sensitive files on the server,” Srimax, the Indian company that develops the messaging application, notes in an advisory.
According to Microsoft, the security defect allows authenticated attackers to upload arbitrary files into the server’s startup directory.
Using compromised credentials, likely obtained via DNS hijacking or typo-squatting, Marbled Dust has been exploiting CVE-2025-27920 to deploy backdoors to the victims’ devices. The backdoors have allowed the attackers to execute arbitrary commands on the compromised systems, with the ultimate goal being the collection of valuable information.
“Microsoft Threat Intelligence assesses with high confidence that the targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities,” Microsoft explains.
CVE-2025-27920, along with a second vulnerability, which is tracked as CVE-2025-27921 and has not been exploited, was patched in Output Messenger version 2.0.63. Users are advised to update their applications as soon as possible.
Related: SAP Zero-Day Targeted Since January, Many Sectors Impacted
Related: Possible Zero-Day Patched in SonicWall SMA Appliances
Related: Second Ransomware Group Caught Exploiting Windows Flaw as Zero-Day
Related: Android Update Patches FreeType Vulnerability Exploited as Zero-Day
