Türkiye-affiliated threat operation Marbled Dust has exploited a newly discovered directory traversal vulnerability in the multi-platform enterprise chat app Output Messenger, tracked as CVE-2025-27920, in attacks against Kurdish military-linked users in Iraq, part of a cyberespionage campaign that has been underway since April 2024, The Cyber Express reports.
Intrusions by Marbled Dust, also known as Sea Turtle and UNC1326, likely began with typosquatted login portals and DNS hijacking to gain access to Output Messenger's Server Manager, followed by the upload of a malicious VBS file to the Windows startup folder, according to a report from Microsoft Threat Intelligence. The script then abuses the flaw to launch a Golang backdoor that masquerades as a legitimate service and handles command-and-control domain communications, host data delivery, and further command execution, enabling data compromise. These findings indicate that Marbled Dust, which has commonly exploited known security bugs in its attacks, may be expanding its capabilities or scrambling to meet its operational goals, the report said.
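The flaw described above is a directory traversal in an upload path, which lets a file land in a location the server never intended. As an added example (not code from the report, Microsoft, or Output Messenger), the following Python shows the defensive check an upload handler should apply and a simple scan over constructed upload-log lines to surface requests that would have escaped the upload root. The upload root, the log format, and the `name=` field are hypothetical.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical upload root for the example; not a path from the article.
UPLOAD_ROOT = "/srv/app/uploads"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside `root`.

    Returns None when the normalized path would escape the root, which is the
    condition a directory traversal exploit relies on. The name is URL-decoded
    twice to catch double-encoded sequences such as %252e%252e, backslashes are
    folded into forward slashes, and a leading slash is treated as relative so
    an absolute request cannot bypass the root.
    """
    decoded = unquote(unquote(requested)).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


# Constructed sample log lines in a hypothetical format; the second line
# carries an encoded traversal sequence aimed at a startup directory.
CONSTRUCTED_LOG = """\
2025-04-02T10:15:01Z POST /upload name=report.pdf status=200
2025-04-02T10:15:07Z POST /upload name=..%2F..%2F..%2Fstartup%2Fupdate.vbs status=200
2025-04-02T10:16:22Z POST /upload name=notes.txt status=200
2025-04-02T10:17:45Z POST /upload name=%252e%252e%252fconfig.ini status=200
"""

NAME_FIELD = re.compile(r"name=(\S+)")


def flag_traversal_uploads(log_text: str, root: str = UPLOAD_ROOT) -> List[str]:
    """Return the log lines whose upload name would resolve outside `root`."""
    flagged = []
    for line in log_text.splitlines():
        match = NAME_FIELD.search(line)
        if not match:
            continue
        if resolve_under_root(root, match.group(1)) is None:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for hit in flag_traversal_uploads(CONSTRUCTED_LOG):
        print("traversal attempt:", hit)
```

The containment test runs on the normalized path rather than on the presence of `..` in the input, so encoded or mixed-separator variants are judged by where they actually land. The same function serves both as the server-side guard and as a retrospective detector over historical upload logs.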