Turkish hackers exploit zero-day vulnerability in messenger to attack Kurdish servers

13.05.2025 2 minutes Author: Newsman

Microsoft has reported a cyberespionage campaign by the Turkey-linked group Marbled Dust. The attackers exploited a zero-day vulnerability in Output Messenger, an enterprise chat application, to install backdoors on servers belonging to entities associated with the Kurdish military in Iraq.

The activity, observed since April 2024, targeted organisations running Output Messenger. The attackers first carried out reconnaissance to confirm that a target used the messenger, then exploited CVE-2025-27920, a directory-traversal flaw in the server component that lets an attacker write files outside the intended directory. Dropping a malicious file into a location such as an autostart folder turned the write primitive into code execution: a backdoor written in Go was installed on the server, and it connected to command-and-control (C2) infrastructure to exfiltrate data.
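The traversal-to-execution chain described above, as an added illustration written for this article. It is not Output Messenger's code and does not reproduce the actual CVE-2025-27920 bug; it models the generic pattern (a server joins a user-supplied filename onto an upload directory, a crafted name walks out of that directory into an autostart folder) alongside the check that closes it and the detection-side test a defender would run on the resulting file path. The upload directory, the function names and the attacker's filename are assumptions; the StartUp path is the real all-users autostart folder on Windows.

```python
"""Directory traversal turned into code execution, and the fix.

Added example, not Output Messenger's code. Directory names and function
names are assumed for the illustration.
"""
import ntpath  # Windows path semantics, so the example runs identically on any OS

UPLOAD_ROOT = r"C:\ProgramData\Messenger\Uploads"  # assumed upload directory
STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"  # real all-users autostart folder


def vulnerable_target(filename: str) -> str:
    """Naive join: '..' segments in the name walk out of UPLOAD_ROOT."""
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))


def safe_target(filename: str) -> str:
    """Resolve the name, then refuse anything that does not stay under UPLOAD_ROOT."""
    root = ntpath.normpath(UPLOAD_ROOT)
    target = ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))
    try:
        # normcase folds case and separators so 'c:/PROGRAMDATA/..' cannot slip past
        inside = ntpath.commonpath(
            [ntpath.normcase(root), ntpath.normcase(target)]
        ) == ntpath.normcase(root)
    except ValueError:  # raised when the two paths are on different drives
        inside = False
    if not inside:
        raise ValueError(f"path traversal rejected: {filename!r}")
    return target


def is_rejected(filename: str) -> bool:
    """True when the hardened resolver refuses the name."""
    try:
        safe_target(filename)
    except ValueError:
        return True
    return False


def lands_in_autostart(path: str) -> bool:
    """Detection-side check: does a written file end up in the autostart folder?
    A write like this coming from a messaging service is the event to alert on."""
    p = ntpath.normcase(ntpath.normpath(path))
    return ntpath.dirname(p) == ntpath.normcase(ntpath.normpath(STARTUP_DIR))


if __name__ == "__main__":
    # Constructed attacker input: two '..' hops from the upload root reach
    # C:\ProgramData, and the rest of the name walks into the StartUp folder.
    crafted = r"..\..\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.exe"
    dropped = vulnerable_target(crafted)
    print("vulnerable resolver writes to:", dropped)
    print("lands in autostart:", lands_in_autostart(dropped))
    print("hardened resolver rejects it:", is_rejected(crafted))
    print("benign name still works:", safe_target("report.pdf"))
```

The hardened version compares the normalised, case-folded result against the upload root with `ntpath.commonpath` rather than checking for the literal string `..`, so forward slashes, mixed case and absolute paths on another drive are all caught by the same test.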

The group also used DNS hijacking and look-alike domain names to intercept credentials. The server-side backdoor, OMServerService.exe, sent system information to attacker-controlled servers and executed the commands it received in reply via cmd /c. On client machines, a second backdoor, OMClientService.exe, was installed next to the legitimate messenger components.

Marbled Dust, active since at least 2017, is also tracked as Silicon, Sea Turtle and Cosmic Wolf, among other names. It is known for attacks on telecommunications companies, media, IT service providers and websites of the Kurdish diaspora in Europe; Cisco Talos documented its first large-scale campaigns in 2019. The vulnerability used in this campaign was fixed by the messenger's developer in December 2024, but its exploitation in the wild was not disclosed at the time.

The case shows Marbled Dust's growing technical capability, in particular its use of zero-day vulnerabilities in targeted operations, and points to increasing geopolitical cyberespionage by Turkey against Kurdish organisations abroad.

Organisations running Output Messenger should update to version 2.0.63 or later immediately and check their systems for signs of compromise, such as the backdoor executables named above, cmd.exe processes spawned by them, or unexpected outbound connections from the messenger server.