Microsoft spots zero-day use in spy campaign against Kurdish military in Iraq

A cyber-espionage group aligned with the Turkish government appears to have exploited a zero-day vulnerability in a messaging app to spy on Kurdish military operations in Iraq, researchers said Monday.

The hackers, tracked as Marbled Dust, have been breaking into accounts of Output Messenger — an app commonly used for workplace and organizational chats — since April 2024, according to Microsoft Threat Intelligence.

The team said it “assesses with high confidence that the targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities.” The Kurdish militant group PKK said Monday that it was disbanding and disarming after decades of conflict with Turkey. Most of Iraq’s Kurds live in a semi-autonomous region that has a border with Turkey.

Marbled Dust’s activities overlap with operations that other companies track as Sea Turtle or UNC1326. The hackers are known for targeting entities in Europe and the Middle East, “particularly government institutions and organizations that likely represent counter interests to the Turkish government, as well as targets in the telecommunications and information technology sectors,” Microsoft said.

The previously undocumented Output Messenger bug, CVE-2025-27920, could allow an authenticated user to upload malicious files into the server’s startup directory. Microsoft said it’s not sure how Marbled Dust got access to authenticated user accounts in every instance, but it’s possible that the group uses techniques like DNS hijacking or typosquatted domains to intercept web traffic and capture individuals’ credentials.

Output Messenger’s developer, India-based Srimax, issued an update for the software after Microsoft notified it of the vulnerability. The researchers said they also discovered a second bug, CVE-2025-27921, that does not appear to have been exploited. The Srimax patches cover that flaw, too.

Exploiting the first vulnerability could allow attackers to “gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, which could lead to operational disruptions, unauthorized access to internal systems, and widespread credential compromise,” Microsoft said.

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.