“Once Marbled Dust gains access to the Output Messenger server, they can leverage the system architecture to gain indiscriminate access to the communications of every user, steal sensitive data, and impersonate users,” explained a Microsoft security researcher.

The threat actor, known as Marbled Dust, has been exploiting a zero-day vulnerability in Output Messenger since April 2024 to collect sensitive user data and deploy malicious payloads across victim networks. Output Messenger, a multiplatform chat software used by organizations for internal communications, contains a directory traversal vulnerability (CVE-2025-27920) that allows authenticated users to upload malicious files to the server’s startup directory.

“The successful use of a zero-day exploit suggests an increase in technical sophistication and could indicate that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent,” Microsoft stated in their recent security blog. Microsoft assesses that Marbled Dust conducts reconnaissance to identify whether potential targets use Output Messenger before launching their attacks.

Microsoft has identified Marbled Dust as a Türkiye-affiliated espionage group that overlaps with activity tracked by other security vendors as Sea Turtle and UNC1326. The attack chain begins once Marbled Dust gains authenticated access to the Output Messenger Server Manager. Upon discovering this vulnerability, Microsoft notified Srimax, the developer of Output Messenger, who promptly released patches to address the issue.
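The flaw described above belongs to a well-known class: an upload handler that joins a client-supplied file name onto a server directory without checking where the result lands. The following is an added illustration of that class, not code from Output Messenger or from Microsoft's write-up; the upload root `/srv/chat/uploads`, the function names and the sample file names are all constructed for the example. It places the vulnerable join beside a hardened version that refuses any name which is not a single plain file name under the root.

```python
"""Added example: rejecting directory traversal in uploaded file names.

Hypothetical upload handler, not Output Messenger's code. The vulnerable
version joins the client-supplied name onto the upload root without checks;
the hardened version canonicalises the result and refuses anything that
escapes the root.
"""
import os
import posixpath
from urllib.parse import unquote

# Constructed value: the upload root on a fictional chat server.
UPLOAD_ROOT = "/srv/chat/uploads"


def naive_upload_path(root: str, client_name: str) -> str:
    """Vulnerable pattern: trusts the client-supplied file name.

    Joining '../..' segments onto the root lets the caller pick any
    directory on the host, which is the essence of a directory-traversal
    upload flaw (CWE-22).
    """
    return os.path.normpath(os.path.join(root, client_name))


def hardened_upload_path(root: str, client_name: str) -> str:
    """Hardened pattern: accept only a bare file name under the root.

    Raises ValueError for anything that is not a plain file name.
    """
    # Decode percent-encoding twice so "%252e%252e%252f" is not smuggled past
    # a single decode; the server framework may already have decoded once.
    name = unquote(unquote(client_name))
    # Treat backslashes as separators too; Windows builds would split on them.
    name = name.replace("\\", "/")
    # Reject absolute paths and any name containing a path separator.
    if name.startswith("/") or "/" in name:
        raise ValueError(f"path separators not allowed: {client_name!r}")
    # Reject empty / dot names and embedded NULs, which truncate C paths.
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"invalid file name: {client_name!r}")
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: the canonical result must still sit inside root.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"escapes upload root: {client_name!r}")
    return candidate


def escapes_root(root: str, client_name: str) -> bool:
    """True if the naive join would write outside the upload root.

    Useful as a log-review or unit-test predicate: run it over the file
    names an upload endpoint has received to spot traversal attempts.
    """
    target = naive_upload_path(root, client_name)
    return os.path.commonpath([root, target]) != root


def rejects(root: str, client_name: str) -> bool:
    """True if the hardened handler refuses this name."""
    try:
        hardened_upload_path(root, client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names as an upload endpoint might receive them.
    for sample in ("report.pdf", "../../etc/cron.d/job", "..%2f..%2fx.txt"):
        print(f"{sample!r}: naive -> {naive_upload_path(UPLOAD_ROOT, sample)}"
              f" | escapes={escapes_root(UPLOAD_ROOT, sample)}"
              f" | hardened rejects={rejects(UPLOAD_ROOT, sample)}")
```

The hardened check deliberately refuses any separator rather than trying to "clean" the name; allow-listing a bare basename is simpler to reason about than stripping `../` sequences, which attackers routinely bypass with encoding or mixed separators. The `commonpath` test remains as a second line of defence should the name checks ever be relaxed.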
This news item was published on cybersecuritynews.com. Publication date: Tue, 13 May 2025 02:20:09 +0000