🎯 Espionage via Output Messenger: CVE-2025-27920 Exploited by Marbled Dust

📌 Overview

In a newly uncovered campaign, Microsoft Threat Intelligence has linked the advanced persistent threat (APT) group Marbled Dust to the exploitation of a zero-day vulnerability in Output Messenger, a private messaging platform used by businesses worldwide.

Designated CVE-2025-27920, this vulnerability allows authenticated users to upload malicious files to the server’s Windows startup directory, enabling arbitrary code execution on the next reboot.

πŸ•΅οΈβ€β™‚οΈ Attribution: The Marbled Dust Campaign

This exploit was actively used in a targeted espionage campaign aimed at Kurdish military-related entities in Iraq. Microsoft’s report suggests that the objective was long-term persistence and intelligence gathering rather than immediate disruption or financial gain.

Marbled Dust is known for regionally focused operations and has previously used custom-built malware and web shells to maintain covert access to systems.

πŸ› οΈ Vendor Security Advisory

  • Srimax Official Advisory: Srimax, the developer of Output Messenger, has published an official advisory detailing the directory traversal vulnerability (CVE-2025-27920). The issue affects versions prior to 2.0.63 and allows remote attackers to access or execute arbitrary files by manipulating file paths with ../ sequences. Srimax has released version 2.0.63 to address this vulnerability.

πŸ› οΈ Technical Details

  • Vulnerability ID: CVE-2025-27920
  • Severity: High
  • CVSS v3.1 Base Score: 8.2 (High)
    Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
    πŸ” This means it’s remotely exploitable, requires low complexity and authenticated access, and can result in high confidentiality and integrity impact.
  • Attack Vector: Authenticated user uploads malicious file to the server startup path
  • Impact: Remote Code Execution (RCE) on server restart
  • Affected Product: Output Messenger Server (versions prior to latest patched release)

Attackers exploited a flaw in the file upload logic of Output Messenger that lacked proper validation and sanitization. Files placed in the server’s C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ path were automatically executed during system boot, enabling persistent backdoors.
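The traversal described above, shown as an added Python illustration rather than Output Messenger's own code (which is not public): the vulnerable join lets a client-supplied name containing `..\` segments land in the Startup folder, while the hardened resolver rejects it. The upload root and the allowed-extension list are hypothetical; the Startup path is the one from the advisory.

```python
import ntpath  # Windows path semantics, so this runs on any OS

# Hypothetical upload root; STARTUP_DIR is the path named in the advisory.
UPLOAD_ROOT = r"C:\OutputMessenger\uploads"
STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
ALLOWED_EXT = {".pdf", ".png", ".txt", ".docx"}  # hypothetical allowlist


def resolve_unsafe(filename: str) -> str:
    """Vulnerable pattern: the client-supplied name is joined to the root
    with no check, so '..\\' (or '../') segments walk out of UPLOAD_ROOT."""
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))


def writes_to_startup(path: str) -> bool:
    """True if the normalised path lands inside the all-users Startup folder."""
    return ntpath.normpath(path).lower().startswith(STARTUP_DIR.lower() + "\\")


def is_safe_upload_name(filename: str) -> bool:
    """Hardened check: a bare file name only (no directory part, drive or
    UNC prefix), not '.' or '..', and an allow-listed extension."""
    if not filename or filename in (".", ".."):
        return False
    if ntpath.basename(filename.replace("/", "\\")) != filename:
        return False  # contained a separator or a drive prefix
    return ntpath.splitext(filename)[1].lower() in ALLOWED_EXT


def resolve_safe(filename: str) -> str:
    """Resolve an upload target and prove it is still inside UPLOAD_ROOT."""
    if not is_safe_upload_name(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    target = ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))
    root = ntpath.normpath(UPLOAD_ROOT).lower() + "\\"
    if not target.lower().startswith(root):  # defence in depth
        raise ValueError("upload path escaped the upload root")
    return target
```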

🧠 Threat Intelligence and Exploitation Details

  • Microsoft Security Blog: Microsoft Threat Intelligence has reported that the Türkiye-affiliated threat actor known as Marbled Dust exploited CVE-2025-27920 in targeted espionage campaigns against Kurdish military-linked users in Iraq. The attackers used the vulnerability to upload malicious files into the server’s startup directory, leading to arbitrary code execution.
  • The Hacker News: An article detailing how Marbled Dust leveraged the zero-day vulnerability in Output Messenger to deploy Golang-based backdoors on targeted servers, facilitating data exfiltration and persistent access.

🛡️ Official Vulnerability Databases

  • National Vulnerability Database (NVD): The NVD entry for CVE-2025-27920 provides a detailed description of the vulnerability, its impact, and references to vendor advisories.
  • CISA Known Exploited Vulnerabilities Catalog: The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-27920 to its catalog of known exploited vulnerabilities, emphasizing the need for immediate remediation.

📋 Indicators of Compromise (IOCs)

IOC Type              Value
File Path             C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\update.bat
File Hash (example)   5d41402abc4b2a76b9719d911017c592
Known Process Name    update.bat, msupdate.exe
Remote IPs            Not disclosed
First Seen            March 2025

πŸ” SIEM Queries to Detect Exploitation

Elastic (EQL):

// File-creation events written under a Startup folder by a child of the
// Output Messenger server. This is an EQL sequence-style query, so the
// event category must be "file": file.path is not populated on process events.
file where event.type == "creation" and
    file.path : "*\\Startup\\*" and
    (file.name : "update.bat" or file.name : "*.exe") and
    process.parent.name : "OutputMessengerServer.exe"

🔎 Adjust OutputMessengerServer.exe if your system logs show a different parent process name (e.g., OMServer.exe). You can confirm by inspecting actual events where legitimate or suspicious files are written.

Splunk (SPL):

index=sysmon EventCode=11 
(file_path="*\\Startup\\*" AND (file_name="update.bat" OR file_name="*.exe")) 
| join type=inner process_guid [ search index=sysmon EventCode=1 
  parent_process_name="OutputMessengerServer.exe" 
  | fields process_guid ]

πŸ” EventCode 11 = File Creation, EventCode 1 = Process Creation. We’re using the process_guid to correlate the file creation with the Output Messenger server as the parent.

Microsoft Sentinel (Kusto):

DeviceFileEvents
| where FolderPath has @"Startup"
| where FileName has "update.bat" or FileName endswith ".exe"
| join kind=inner (
    DeviceProcessEvents
    | where FileName =~ "OutputMessengerServer.exe"
    | project InitiatingProcessId=ProcessId, DeviceId, Timestamp
) on DeviceId, InitiatingProcessId

⚠️ You may need to fine-tune the join depending on your actual ProcessId/InitiatingProcessId logging behavior in Microsoft Defender for Endpoint.
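The Splunk correlation above, re-expressed as an added Python illustration over a handful of constructed Sysmon-style events (not real telemetry; field names follow the Splunk Sysmon add-on convention used in the SPL query). Process GUIDs spawned by the server are collected first, so a file-creation event that is logged before its process-creation event is still matched, and the name filter is the same one the queries use.

```python
import ntpath

# Constructed Sysmon-style events, not real telemetry. EventCode 11 = file
# creation, EventCode 1 = process creation; process_guid links the two.
EVENTS = [
    # file event logged before its process event: order must not matter
    {"EventCode": 11, "process_guid": "{A1}",
     "file_path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"EventCode": 1, "process_guid": "{A1}", "process_name": "cmd.exe",
     "parent_process_name": "OutputMessengerServer.exe"},
    # benign: a user pinning a shortcut into their own Startup folder
    {"EventCode": 1, "process_guid": "{B2}", "process_name": "explorer.exe",
     "parent_process_name": "userinit.exe"},
    {"EventCode": 11, "process_guid": "{B2}",
     "file_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    # benign: an ordinary upload written by the server's child process
    {"EventCode": 11, "process_guid": "{A1}",
     "file_path": r"C:\OutputMessenger\uploads\report.pdf"},
    # suspicious name but unrelated parent: outside the scope of this rule
    {"EventCode": 1, "process_guid": "{C3}", "process_name": "setup.exe",
     "parent_process_name": "explorer.exe"},
    {"EventCode": 11, "process_guid": "{C3}",
     "file_path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\msupdate.exe"},
]

SERVER_PROC = "outputmessengerserver.exe"  # adjust if your logs show e.g. OMServer.exe


def in_startup(path: str) -> bool:
    """Matches the all-users and per-user Startup folders, like "*\\Startup\\*"."""
    return "\\startup\\" in ntpath.normpath(path).lower()


def suspicious_name(path: str) -> bool:
    """Same name filter as the SIEM queries: update.bat or any .exe."""
    name = ntpath.basename(path).lower()
    return name == "update.bat" or name.endswith(".exe")


def detect_startup_drops(events, server_proc=SERVER_PROC):
    """Return Startup-folder file paths created by processes the server spawned."""
    spawned = {e["process_guid"] for e in events
               if e["EventCode"] == 1
               and e.get("parent_process_name", "").lower() == server_proc}
    return [e["file_path"] for e in events
            if e["EventCode"] == 11
            and e["process_guid"] in spawned
            and in_startup(e["file_path"])
            and suspicious_name(e["file_path"])]
```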

πŸ›‘οΈ Mitigation and Recommendations

  • Update Immediately: Output Messenger has issued a patch addressing this vulnerability. Admins should update to the latest version without delay.
  • Restrict Upload Paths: Harden file upload logic and avoid allowing arbitrary path writing.
  • Monitor Startup Folder: Set up alerts for new files written to Windows startup directories.
  • Least Privilege: Limit the access rights of Output Messenger users, and of the account the server runs under, so that neither can write files to critical OS paths such as the Startup folder.

🧠 Takeaway

This incident highlights the growing trend of APT groups leveraging enterprise communication tools to gain long-term access to sensitive networks. It also underscores how zero-days in smaller, niche software can still have outsized impacts, especially in regions of geopolitical tension. Organizations relying on communication platforms like Output Messenger should consider enhanced monitoring and patching strategies, especially when used in high-risk or government-adjacent environments.