
Output Messenger flaw exploited as zero-day in espionage attacks

A Türkiye-backed cyberespionage group exploited a zero-day vulnerability to attack Output Messenger users linked to the Kurdish military in Iraq.

Microsoft Threat Intelligence analysts who spotted these attacks also discovered the security flaw (CVE-2025-27920) in the LAN messaging application, a directory traversal vulnerability that can let authenticated attackers access sensitive files outside the intended directory or drop malicious payloads in the server's startup folder.

“Attackers could access files such as configuration files, sensitive user data, and even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution,” Srimax, the app's developer, explains in a security advisory issued in December, when the bug was patched with the release of Output Messenger V2.0.63.
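To make the vulnerability class concrete, the following added example (not Output Messenger's or Srimax's code) shows the prefix-check pattern that lets a directory traversal through beside a hardened resolver that rejects it. The share and startup directories and all request strings are constructed for illustration.

```python
import posixpath
from typing import Optional

# Constructed example, not Output Messenger's code: a file server that must
# only hand out files below one shared directory. Paths are assumed to be
# POSIX-style; backslashes from Windows clients are folded into "/".
BASE_DIR = "/srv/messenger/shared"    # assumed allowed directory


def naive_resolve(user_path: str) -> str:
    """Vulnerable pattern: concatenate, then check the string prefix.
    The result always starts with BASE_DIR, so '..' segments pass the check
    and the OS later resolves them to a directory outside the share."""
    candidate = BASE_DIR + "/" + user_path
    if not candidate.startswith(BASE_DIR):
        raise PermissionError(user_path)
    return candidate


def resolve_in_base(user_path: str, base: str = BASE_DIR) -> Optional[str]:
    """Hardened pattern: normalise the joined path, then require that its
    common prefix with base is base itself, compared segment by segment.
    Returns the resolved path, or None when the request escapes base."""
    if "\x00" in user_path:
        return None                                   # NUL truncation tricks
    joined = posixpath.join(base, user_path.replace("\\", "/"))
    candidate = posixpath.normpath(joined)            # collapses '.' and '..'
    # commonpath is a whole-segment comparison, so a sibling such as
    # /srv/messenger/shared_private is rejected where startswith would pass.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def audit(user_paths):
    """Return the requests the hardened check rejects, for logging or alerting."""
    return [p for p in user_paths if resolve_in_base(p) is None]


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest are escape attempts.
    requests = ["docs/readme.txt", "../startup/payload.exe",
                "..\\config\\settings.ini", "/etc/passwd", "../shared_private/x"]
    for p in requests:
        print(f"{p!r}: naive={naive_resolve(p)!r} hardened={resolve_in_base(p)!r}")
```

Feeding the rejected requests from `audit` into server logs gives defenders a cheap signal for traversal attempts against a file-serving endpoint, whether or not the underlying code is already patched.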

Microsoft revealed on Monday that the hacking group (also tracked as Sea Turtle, SILICON, and UNC1326) targeted users who hadn't updated their systems, infecting them with malware after gaining access to the Output Messenger Server Manager application.


After compromising the server, Marbled Dust hackers could steal sensitive data, access all user communications, impersonate users, gain access to internal systems, and cause operational disruptions.

“While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity,” Microsoft said.

Next, the attackers deployed a backdoor (OMServerService.exe) onto the victims' devices, which checked connectivity against an attacker-controlled command-and-control domain (api.wordinfos[.]com) and then provided the threat actors with additional information to identify each victim.

[Figure: Attack chain (Microsoft)]

In one instance, the Output Messenger client on a victim's device connected to an IP address linked to the Marbled Dust threat group, likely for data exfiltration, shortly after the attacker instructed the malware to collect files and archive them as a RAR archive.


Marbled Dust is known for targeting Europe and the Middle East, specializing in telecommunications and IT companies, as well as government institutions and organizations opposing the Turkish government.

To breach the networks of infrastructure providers, they scan for vulnerabilities in internet-facing devices. They also exploit their access to compromised DNS registries to change government organizations' DNS server configurations, which allows them to intercept traffic and steal credentials in man-in-the-middle attacks.

“This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach,” Microsoft added. “The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent.”

Last year, Marbled Dust was also linked to multiple espionage campaigns targeting organizations in the Netherlands, primarily targeting telecommunications companies, internet service providers (ISPs), and Kurdish websites between 2021 and 2023.
