Turkish Espionage Group Exploits Messaging App Vulnerability to Target Kurdish Military

A Turkish espionage group known as Marbled Dust exploited a zero-day vulnerability in the Output Messenger messaging application to collect sensitive information from the Kurdish military operating in Iraq. According to a report from Microsoft, attacks using this exploit have been ongoing since April 2024.

The vulnerability, tracked as CVE-2025-27920, is a directory traversal flaw present in version 2.0.62 of Output Messenger. After the issue was identified, the software developer Srimax released an update in December 2024. However, the majority of users have yet to apply the fix.

Marbled Dust, which operates under the auspices of Turkish intelligence, has historically targeted government entities and other organizations viewed as adversarial to Turkey’s interests. The group’s tactics were previously reported to involve scanning for vulnerabilities in internet-facing applications and devices, alongside the use of compromised DNS registrations for traffic interception, as noted by security researchers.

This recent campaign marks a noticeable escalation in the sophistication of Marbled Dust’s operational methods. Microsoft has highlighted that the threat actor’s use of the zero-day flaw indicates an intensified focus on securing access to sensitive military information, which suggests an urgent shift in its operational objectives. Users are strongly advised to upgrade to Output Messenger version 2.0.63 to mitigate this risk.