Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers


A Türkiye-affiliated threat group known as Marbled Dust (a.k.a. Sea Turtle, Teal Kurma, UNC1326) has exploited a zero-day vulnerability (CVE-2025-27920) in Output Messenger, an Indian enterprise communication tool, as part of a cyber-espionage campaign targeting Kurdish military personnel in Iraq since April 2024.

The attackers exploited a directory traversal flaw in version 2.0.62 of the software, enabling remote file access and arbitrary code execution. The vulnerability was patched in version 2.0.63 released in December 2024, though the vendor did not acknowledge active exploitation.

The attack chain involved:

Credential interception via DNS hijacking or typosquatting.

Dropping malicious files (e.g., OM.vbs, OMServerService.exe) on the server.

Deploying custom Golang backdoors to exfiltrate data via a C2 server (api.wordinfos[.]com).

Executing commands via the Windows Command Prompt (cmd /c).

Microsoft also reported a second vulnerability, CVE-2025-27921 (reflected XSS), though it has not been exploited in the wild. The campaign shows increased sophistication and a shift in targeting strategy by Marbled Dust, indicating evolving operational priorities.
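The indicators named in this summary (a traversal path against the Output Messenger server, the dropped file names, the C2 domain, and cmd /c execution) can be turned into a simple triage check over collected logs. The script below is an added example, not code from Microsoft or the vendor; the log lines and their format are constructed for illustration and the indicator list is only what the text above names.

```python
import re
from urllib.parse import unquote

# Indicators as given in the summary above (the C2 domain is defanged in the
# text as api.wordinfos[.]com). Everything else here is constructed.
DROPPED_FILES = {"om.vbs", "omserverservice.exe"}
C2_DOMAIN = "api.wordinfos.com"

def has_traversal(path: str) -> bool:
    """True if a request path still holds a '..' segment after decoding.
    Decoding twice also catches double-encoded forms such as %252e%252e."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))

def scan_line(line: str) -> list:
    """Return the indicator tags that fire on a single log line."""
    hits = []
    # Assumed layout: web/proxy lines carry '"METHOD /path', other sources
    # (process and DNS telemetry) are free text; both are matched below.
    m = re.search(r'"(?:GET|POST|PUT)\s+(\S+)', line)
    if m and has_traversal(m.group(1)):
        hits.append("directory-traversal")
    lowered = line.lower()
    if any(name in lowered for name in DROPPED_FILES):
        hits.append("dropped-file-name")
    if C2_DOMAIN in lowered:
        hits.append("c2-domain")
    if re.search(r"\bcmd(?:\.exe)?\s+/c\b", lowered):
        hits.append("cmd-execution")
    return hits

def scan_log(lines) -> dict:
    """Map each flagged line number (1-based) to the indicators it fired."""
    return {i: h for i, ln in enumerate(lines, 1) if (h := scan_line(ln))}

# Constructed sample telemetry; not taken from any real incident.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - "GET /api/files/..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200',
    'proc: parent=OMServerService.exe cmdline="cmd /c whoami"',
    'dns: query=api.wordinfos.com type=A client=10.0.0.9',
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(lineno, hits)
```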
