Turkish spies caught exploiting zero-day for over a year
Briefly

Turkish spies, identified as the Marbled Dust group by Microsoft, exploited a zero-day vulnerability (CVE-2025-27920) in the Output Messenger app, targeting the Kurdish army in Iraq. This exploitation began in April 2024, following the discovery of a directory traversal vulnerability in the app. Despite an update released in December to patch the flaw, many users remained unprotected. The attacks signify a shift in Marbled Dust's methods, reflecting either an increase in technical capabilities or a shift in their targeting strategy, as they traditionally exploited known bugs in apps and infrastructure.
Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation.
The crew behind the intrusions, a Türkiye-affiliated espionage threat actor that Microsoft tracks as Marbled Dust, abused the flaw to steal user data belonging to the Kurdish military.
Read at The Register