A Türkiye-affiliated cyberespionage group exploited a zero-day vulnerability to attack Output Messenger users in Iraq.
Microsoft Threat Intelligence analysts who spotted these attacks also discovered the security flaw (CVE-2025-27920) in the LAN messaging application: a directory traversal vulnerability that can allow authenticated attackers to reach sensitive files outside the intended directory or to drop malicious payloads into the server's startup folder.
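The flaw class described above is worth seeing in code. The following is an added illustration, not code from Output Messenger or from Srimax: a file-serving helper that trusts a client-supplied path (the vulnerable pattern) next to a hardened version that canonicalises the path and refuses anything that resolves outside the base directory. The base directory, file names and the `startup` folder name are hypothetical.

```python
import os
from pathlib import Path

# Hypothetical upload root for the example; any directory works.
BASE_DIR = Path("/srv/messenger/files")


def vulnerable_join(base: Path, user_path: str) -> Path:
    """The 'before' pattern: the client-supplied name is joined as-is.

    '../../startup/payload.exe' walks out of base, and because pathlib
    discards the left operand when the right one is absolute,
    '/etc/passwd' ignores base entirely.
    """
    return base / user_path


def safe_join(base: Path, user_path: str) -> Path:
    """Hardened version: canonicalise, then prove the result is inside base.

    Rejects absolute paths, embedded NUL bytes (which truncate names at the
    OS level) and any path whose resolved form is not base or a descendant
    of base. Raises ValueError on rejection so callers cannot ignore it.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    base_real = base.resolve()
    # strict=False: '..' is collapsed lexically even for paths that do not exist yet.
    candidate = (base_real / user_path).resolve(strict=False)
    if candidate != base_real and base_real not in candidate.parents:
        raise ValueError(f"path traversal rejected: {user_path!r}")
    return candidate


def is_safe_path(base: Path, user_path: str) -> bool:
    """Boolean wrapper around safe_join for filters and tests."""
    try:
        safe_join(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["reports/q1.txt", "reports/../q1.txt",
                 "../../startup/payload.exe", "/etc/passwd"]:
        print(f"{name!r:32} vulnerable -> {vulnerable_join(BASE_DIR, name)}"
              f" | safe? {is_safe_path(BASE_DIR, name)}")
```

Note that the check compares canonical paths rather than scanning for the substring `..`; a string denylist misses encodings and platform-specific separators, while `resolve()` plus a parent check answers the only question that matters, whether the final path is inside the allowed tree.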
The app's developer, Srimax, said in a security advisory released in December, when the bug was patched with the release of Output Messenger v2.0.63.
On Monday, Microsoft revealed that the hacking group, Marbled Dust (also tracked as Sea Turtle, SILICON and UNC1326), targeted users who had not updated their systems, infecting them with malware after gaining access to the Output Messenger Server Manager.
After compromising the server, Marbled Dust hackers can steal sensitive data, access all user communications, impersonate users, gain access to internal systems and cause operational disruption.
"While we currently do not have visibility into how Marbled Dust authenticated in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log and reuse credentials, as these are techniques previously leveraged by Marbled Dust in observed malicious activity," Microsoft said.
Next, the attackers deployed a backdoor (OMServerService.exe) on the victims' devices, which checked connectivity to an attacker-controlled command-and-control domain (api.wordinfos[.]com) and then provided the threat actors with additional information to identify each victim.

In one instance, the Output Messenger client on a victim's device connected to an IP address linked to the Marbled Dust threat group, likely for data exfiltration, shortly after the attacker directed the malware to collect files and store them as a RAR archive.
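The backdoor's connectivity check against the command-and-control domain, and the later exfiltration traffic, both leave traces in DNS and proxy logs. As an added example that is not part of the report, here is a small IoC sweep: it refangs the defanged domain exactly as published above, matches DNS queries for that domain and its subdomains (but not lookalike suffixes), and runs over a handful of constructed log lines. The log format, hostnames and timestamps are made up for the demonstration; only the domain comes from the report.

```python
import re
from dataclasses import dataclass

# Indicator from the report, kept defanged as published.
C2_DOMAINS_DEFANGED = ["api.wordinfos[.]com"]

# Constructed DNS log lines for the demo (hosts and times are invented).
SAMPLE_DNS_LOG = [
    "2025-03-12T09:14:02Z host=WS-IQ-07 query=update.microsoft.com type=A",
    "2025-03-12T09:14:05Z host=WS-IQ-07 query=api.wordinfos.com type=A",
    "2025-03-12T09:14:06Z host=WS-IQ-07 query=notapi.wordinfos.com type=A",
    "2025-03-12T09:15:11Z host=WS-IQ-12 query=API.WORDINFOS.COM. type=AAAA",
    "this line is malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+query=(?P<query>\S+)\s+type=(?P<type>\S+)"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable form.

    Handles the common bracket styles ('[.]', '(.)', '{.}'), the 'hxxp'
    scheme, case and a trailing dot, so the published string can be used
    directly as the matching key.
    """
    s = ioc.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s.rstrip(".")


def domain_matches(query: str, ioc_domain: str) -> bool:
    """True when query is the IoC domain or one of its subdomains.

    'cdn.api.wordinfos.com' matches; 'notapi.wordinfos.com' does not, because
    the comparison is on whole labels, not a raw suffix check.
    """
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


@dataclass
class Hit:
    timestamp: str
    host: str
    query: str
    ioc: str


def scan_dns_log(lines, defanged_iocs=C2_DOMAINS_DEFANGED):
    """Return a Hit for every well-formed log line whose query matches an IoC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate junk lines rather than abort the sweep
        for ioc in iocs:
            if domain_matches(m["query"], ioc):
                hits.append(Hit(m["ts"], m["host"], m["query"], ioc))
                break
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit.timestamp} {hit.host} queried {hit.query} (IoC {hit.ioc})")
```

The sweep deliberately matches only the subdomain the report names; whether to widen it to the registered domain is a tuning decision that depends on what else is known about the infrastructure.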
Marbled Dust is known to target Europe and the Middle East, focusing on telecommunications and IT companies, as well as government institutions and organizations opposing the Turkish government.
To breach the networks of infrastructure providers, they scan for weaknesses in internet-facing devices. They also exploit their access to the DNS registries of government organizations to change DNS server configurations, which allows them to intercept traffic and steal credentials in man-in-the-middle attacks.
"This new attack indicates a remarkable change in Marbled Dust's capability while maintaining consistency in its overall approach," Microsoft said. "The successful use of a zero-day exploit suggests an increase in technical sophistication and may also suggest that Marbled Dust's targeting priorities have escalated or their operational goals have become more urgent."
Last year, Marbled Dust was also linked to several espionage operations targeting organizations in the Netherlands between 2021 and 2023, mainly telecom companies, Internet service providers (ISPs) and Kurdish websites.