Inside the Output Messenger Zero-Day Campaign: How a Turkey-linked Group Spied on Kurdish Forces in Iraq

From April 2024 through late 2024/early 2025, Microsoft Threat Intelligence observed a Turkey-aligned espionage group — tracked as Marbled Dust (also linked by some vendors to cluster names such as Sea Turtle / UNC1326 variants) — exploiting a zero-day vulnerability in the enterprise messaging product Output Messenger to collect user data and deploy malicious payloads against Kurdish military-linked targets operating in Iraq. The campaign leveraged a previously unpatched flaw (recorded publicly as CVE-2025-27920) and demonstrates how niche enterprise collaboration tools can become high-value targets for regional intelligence operations.

Executive summary

  • Who: Marbled Dust — a Turkey-aligned cyber espionage cluster described in Microsoft reporting.
  • What: Exploitation of a zero-day in Output Messenger to access accounts, deliver malicious files, and exfiltrate data from Kurdish military-linked users in Iraq.
  • When: Microsoft observed activity since April 2024; public disclosure and coordinated reporting appeared in May 2025 after patching and CVE registration.
  • How: Reconnaissance to confirm that targets had adopted Output Messenger, exploitation of a directory traversal / arbitrary file access flaw in the Server Manager that could lead to remote code execution (CVE-2025-27920), delivery of additional malicious artifacts (including Golang backdoors reported by some outlets), and data collection.
  • Impact: Sensitive communications associated with Kurdish security forces were exposed, enabling operational intelligence collection about movements, personnel, and plans.

Primary source & corroboration (what Microsoft and others reported)

Microsoft Threat Intelligence published a technical writeup that documents the campaign and their assessment that the actor exploited an Output Messenger zero-day to collect user data and deliver malicious files to targets in Iraq; Microsoft assessed the targets are associated with Kurdish military forces and that the actor chose the vector after recon confirming Output Messenger usage. Several cybersecurity outlets summarized and expanded on Microsoft’s findings (The Hacker News, SecurityWeek, DarkReading, etc.).

Timeline — from reconnaissance to public disclosure

  1. April 2024 — Microsoft observed initial exploitation activity against Output Messenger users in Iraq consistent with Marbled Dust targeting.
  2. Late 2024 — Vendor released fixes for the issue (reporting indicates the vulnerability was patched in December 2024, though a CVE entry appeared publicly in 2025).
  3. May 2025 — Microsoft publicly disclosed their findings, and the security community published analyses highlighting the actor, the CVE identifier (CVE-2025-27920), and the operational impact.

Technical analysis — vulnerability and exploitation

Microsoft and other reporting describe the exploited flaw in Output Messenger as an issue in the Server Manager application that let attackers read sensitive files and deliver malicious files, effectively functioning as a directory traversal / arbitrary file access vector with potential for remote code execution when certain conditions were met. Successful exploitation enabled the threat actor to:

  • access user data stored by the application;
  • place or deliver further malicious artifacts (dropper/backdoor binaries);
  • exfiltrate information that could reveal organizational structure, operational plans, or identities of personnel.

Note: Microsoft assessed with high confidence that the targets were Kurdish military-linked, and with moderate confidence that the group chose Output Messenger only after confirming its use by the targets (i.e., the choice of vector was intelligence-driven rather than opportunistic).

Payloads & post-exploitation (what was deployed)

Public reporting indicates that after exploitation the actor delivered additional malicious files to targeted hosts. Some outlets reported that Golang-based backdoors and remote access tools were used in follow-on activity; Microsoft’s blog post describes multiple malicious files observed during the attacks without necessarily naming every artifact or hash. Treat the payload details as active, evolving intel that defenders should monitor closely.

Attribution & actor profile

Microsoft tracks the actor as Marbled Dust. This cluster has been associated by different vendors with other labels in the past; the important fact is the persistent regional targeting and the alignment of observed objectives with Turkish state interests. Historically, the group has targeted government, telecom, and IT sectors across Europe and the Middle East — and in this campaign specifically pursued intelligence about Kurdish military operations. Microsoft’s assessment is accompanied by contextual evidence (TTPs, target selection, infrastructure) that supports a Turkey-aligned designation.

Why Output Messenger was attractive to the actor

  • Enterprise collaboration tools centralize sensitive communications — a single compromise can yield high-value intelligence.
  • Smaller or specialized vendors are sometimes slower to have CVE entries and widespread patch adoption; that gap gives operators a long window for exploitation.
  • Marbled Dust appears to have performed reconnaissance to confirm the app’s presence in the target environment before weaponizing the bug — a precise, intelligence-led approach.

Operational impact — what this meant for Kurdish forces

For military or paramilitary organizations, compromise of internal messaging can expose:

  • personnel rosters and roles;
  • operational plans, meeting notes, and coordination messages;
  • communications with external partners and intelligence sources;
  • geolocation or movement plans derived from shared media or metadata.

In short, the actor could obtain time-sensitive human intelligence (HUMINT) that degrades operational security and force protection. Reported targeting of the Peshmerga and related Kurdish elements underscores the geopolitical stakes and how cyber operations can directly inform kinetic and political decision making.

Detection & hunting guidance (practical steps for defenders)

Use these as starting points — adjust to your environment, log availability, and threat model.

1. Patch & inventory

  • Confirm Output Messenger presence across the environment (servers and client installs). Maintain an up-to-date software inventory.
  • Ensure Output Messenger Server Manager and all associated components are patched to the vendor-released fixed versions. The vulnerability was publicly patched in late 2024; confirm version baselines.

2. Log collection & telemetry

  • Centralize server logs for Output Messenger, especially Server Manager access logs, file access events, and admin activity.
  • Instrument network logging for unusual external connections from Output Messenger servers and clients (be mindful of outbound C2 patterns and unusual egress to new infrastructure).

3. Hunt for suspicious artifacts and behavior

  • Search endpoint telemetry for newly introduced Golang binaries, unusual child processes spawned by Output Messenger processes, or files created in odd locations near the time of Server Manager access.
  • Hunt for unusual file exfil patterns linked to messaging application directories (compressed archives, Base64 blobs in HTTP POSTs, or SMB uploads to unexpected hosts).

4. Containment & remediation playbook

  1. If compromise is suspected, isolate the affected Output Messenger server (network segmentation) and collect volatile evidence (memory, process lists) before shutdown, for forensic preservation.
  2. Perform forensic imaging of servers and representative clients; collect application logs and configuration snapshots.
  3. Reset credentials for accounts exposed in the environment and rotate any shared keys or service credentials used by messaging infrastructure.

5. Indicators of compromise (IoCs)

Microsoft’s public post included contextual TTPs and high-level indicators; specific file hashes and internal artifacts may have been shared with partners and in private intel feeds. Public press pieces mention Golang backdoors in post-exploit activity but do not publish exhaustive hash lists in their public articles. Use vendor advisories, intelligence feeds, and Microsoft Threat Intelligence for enumerated IoCs.

Detection rule examples (conceptual)

# Example conceptual detection rules (pseudocode — adapt to your SIEM's query language)

# 1) Suspicious binary creation under Output Messenger directories
search file_create where path contains "OutputMessenger" and file_extension in (".exe", ".bin", ".dll", ".so", ".go")

# 2) Unusual outbound connections from the Server Manager process
#    (trusted_countries is a placeholder allowlist; tune the port list to your deployment, and
#    remember that C2 over 443 would slip past this rule, so pair it with destination reputation)
search network where source_process == "OutputMessenger.ServerManager" and dest_country not in (trusted_countries) and dest_port not in (443, 80, 5222)

# 3) Service-account password changes in the last 24h, to correlate with any suspicious
#    Server Manager admin access (this query on its own does not detect the access)
search auth where account_type == "service" and event == "password_change" and timestamp within last 24h
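As an added example (not code from the original post, from Microsoft's reporting, or from the Output Messenger vendor), the following Python script implements rules 1 and 2 above over constructed JSON-lines telemetry and then correlates them, flagging a host where a binary write under an Output Messenger directory is followed within ten minutes by unusual Server Manager egress. The field names, the sample events, the file paths, and the internal-network allowlist standing in for "trusted_countries" are all assumptions.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (JSON lines); hosts, paths and IPs are invented for this example.
SAMPLE_EVENTS = r"""
{"type":"file_create","ts":"2024-04-12T09:14:02Z","host":"om-srv01","path":"C:\\Program Files\\OutputMessenger\\Server\\updates\\svc.exe"}
{"type":"file_create","ts":"2024-04-12T09:14:05Z","host":"om-srv01","path":"C:\\Program Files\\OutputMessenger\\Server\\logs\\app.log"}
{"type":"network","ts":"2024-04-12T09:15:10Z","host":"om-srv01","process":"OutputMessenger.ServerManager","dest_ip":"203.0.113.7","dest_port":8443}
{"type":"network","ts":"2024-04-12T09:16:00Z","host":"om-srv01","process":"OutputMessenger.ServerManager","dest_ip":"10.0.0.5","dest_port":8443}
{"type":"network","ts":"2024-04-13T11:00:00Z","host":"om-srv02","process":"OutputMessenger.ServerManager","dest_ip":"203.0.113.7","dest_port":9001}
"""

SUSPICIOUS_EXT = (".exe", ".bin", ".dll", ".so", ".go")  # same extension set as rule 1
ALLOWED_PORTS = {80, 443, 5222}                           # same port set as rule 2
# Assumption: internal RFC 1918 ranges stand in for rule 2's "trusted" destinations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CORRELATION_WINDOW = timedelta(minutes=10)

def parse_events(text):
    """Parse JSON lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def suspicious_file_create(ev):
    """Rule 1: a binary written under an Output Messenger directory."""
    path = ev.get("path", "").lower()
    return (ev["type"] == "file_create" and "outputmessenger" in path
            and path.endswith(SUSPICIOUS_EXT))

def suspicious_egress(ev):
    """Rule 2: Server Manager reaching a non-internal host on an unusual port."""
    if ev["type"] != "network" or ev.get("process") != "OutputMessenger.ServerManager":
        return False
    ip = ipaddress.ip_address(ev["dest_ip"])
    return ev["dest_port"] not in ALLOWED_PORTS and not any(ip in n for n in INTERNAL_NETS)

def hunt(events):
    """Return rule hits plus (write, egress) pairs on the same host inside the correlation window."""
    files = [e for e in events if suspicious_file_create(e)]
    egress = [e for e in events if suspicious_egress(e)]
    correlated = [(f, n) for f in files for n in egress
                  if f["host"] == n["host"]
                  and timedelta(0) <= n["ts"] - f["ts"] <= CORRELATION_WINDOW]
    return {"file_hits": files, "egress_hits": egress, "correlated": correlated}
```

Running hunt(parse_events(SAMPLE_EVENTS)) flags the svc.exe write and two external connections, and the correlated pair on om-srv01 is the one worth escalating; the internal 10.0.0.5 connection on port 8443 is ignored, which is the same blind spot the pseudocode rule 2 has for anything on an allowlisted port.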

Mitigation checklist (short)

  • Apply vendor patches for Output Messenger (server & client) immediately.
  • Harden Server Manager: minimize exposure, restrict admin interfaces to management network, apply least privilege.
  • Enforce multi-factor authentication on all administrative accounts and service accounts where supported.
  • Endpoint detection: ensure EDR agents are present on messaging servers and critical clients and tuned to monitor unexpected binary writes and process spawns.
  • Threat intel: subscribe to vendor and national CERT advisories for IoCs and YARA rules.

Strategic & policy implications

This campaign is an illustrative case of several larger trends:

  • Small vendor, big consequences: Niche enterprise tools can be low-visibility but high value — adversaries will invest in finding and exploiting them when the return (sensitive communications) is significant.
  • Intelligence-led selection of vectors: Marbled Dust’s recon prior to exploitation shows mature targeting: confirm the target uses the app, then exploit. That reduces noise and maximizes impact.
  • Regional geopolitics drive cyber operations: Cyber espionage is being used as a direct extension of intelligence collection on regional military actors, rather than only for broad intellectual property theft or economic espionage.

What defenders, policymakers, and operators should watch next

  1. Monitor for follow-on targeting of other collaboration platforms — adversaries will pivot to other apps if Output Messenger is hardened or adoption declines.
  2. Expect a push for vendor supply-chain scrutiny and for national CERTs to emphasize hardening of messaging infrastructure for military and high-value organizations.
  3. Governments and NGOs operating in contested regions should treat messaging app choice as an operational security decision; evaluate vendor maturity, patch cadence, and exposure profile before adoption.

Responsible disclosure & vendor response

According to reporting, the Output Messenger vendor released fixes in late 2024, and the community received a public CVE (CVE-2025-27920) when coordinated disclosure and inventories were completed. This sequence (exploit observed in the wild → vendor patch → CVE assignment → public disclosure) underscores the need for faster vendor response and for customers to maintain good patching hygiene and inventories.

Appendix — Further reading & references

  • Microsoft Threat Intelligence: Marbled Dust leverages zero-day in Output Messenger for regional espionage. (May 12, 2025).
  • The Hacker News: coverage on exploitation and payloads.
  • SecurityWeek: analysis and timeline.
  • DarkReading: contextual reporting on the threat actor and regional implications.

Final thoughts. The Output Messenger zero-day campaign against Kurdish forces demonstrates how targeted, intelligence-driven cyber operations exploit relatively obscure enterprise software to extract high-value intelligence. The attack lifecycle here — reconnaissance to confirm app use, targeted exploitation, and follow-on payload delivery — is a textbook example of modern regional espionage that blends software vulnerabilities with traditional HUMINT goals. Defenders must treat collaboration platforms as crown jewels: inventory them, harden them, and instrument them for detection.

Sources: Microsoft Threat Intelligence (May 2025), The Hacker News, SecurityWeek, DarkReading and related reporting.

For more insights and updates on cybersecurity, AI advancements, and cyberespionage, visit NorthernTribe Insider. Stay secure, NorthernTribe.
