{"uuid": "c4361114-bf44-43af-9d12-bc1bbed7f0fb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-27920", "type": "published-proof-of-concept", "source": "https://t.me/SpiderCodeCommunity1/225", "content": "Zero-Day Attack Targets Sensitive Kurdish Entities in Iraq \u2013 CVE-2025-27920 Analysis\n\nDate: May 13, 2025\nAuthor: Mohamed Ahmed Abo El-Yazid\n\n\n---\n\nDear friend,\nBefore we begin\u2014thank you for the incredible support. The better the support, the better we become together.\n\n\n---\n\nOverview of the Attack\n\nOn the morning of May 13, 2025, a cyber espionage attack targeting sensitive and critical entities in Iraq was uncovered. The threat actor behind the operation is a T\u00fcrkiye-affiliated group known as:\n\nMarbled Dust\n\nAlso known as: Cosmic Wolf, Sea Turtle, Teal Kurma, UNC1326\n\n\nThis campaign has reportedly been active since April 2024.\n\n\n---\n\nVulnerability Information\n\nThe attackers exploited a zero-day vulnerability in the enterprise communication platform Output Messenger, specifically affecting versions 2.0.62 and earlier.\n\nCVE: CVE-2025-27920\n\nType: Directory Traversal Vulnerability\n\nAffected Component: Server Manager application\n\nRisk Level (estimated): 7.5+ (pending CVSS official rating)\n\n\nTechnical Description:\n\nThis vulnerability allows authenticated remote attackers to access system files or execute unauthorized scripts by exploiting weak path validation logic inside the Output Messenger Server Manager.\n\n\n---\n\nAttack Chain Breakdown\n\n1. Initial Access:\nAttacker gains access to Output Messenger Server as an authenticated user (possibly via DNS hijacking or typosquatting to steal credentials).\n\n\n2. Exploitation:\nUsing CVE-2025-27920, the attacker drops malicious payloads in critical folders like the server startup directory and the Public/Videos folder.\n\n\n3. Payloads Used:\n\nOM.vbs: Executes other malicious files.\n\nOMServerService.vbs: Triggers the Golang backdoor.\n\nOMServerService.exe: A Golang-based backdoor.\n\nOMClientService.exe: Another Golang backdoor that runs on client devices.\n\n\n\n\n\n---\n\nObserved Impact\n\nRemote Code Execution (RCE)\n\nCredential Theft\n\nPersistence via Startup Scripts\n\nBackdoor Installation\n\nCommunication with C2 server:\napi.wordinfos[.]com\n\nInformation Disclosure\n\n\n\n---\n\nRecommended Mitigations\n\n1. Update Output Messenger to version 2.0.63 or later.\n\n\n2. Monitor outbound traffic for suspicious domains like api.wordinfos[.]com.\n\n\n3. Scan startup folders for files named OM*.vbs or OM*.exe.\n\n\n4. Audit server access logs for any unusual login activity.\n\n\n5. Apply network segmentation for critical servers.\n\n\n\n\n---\n\nWhy Iraq Was Targeted\n\nYou may wonder: what does Iraq have to do with this attack?\n\nThe answer is simple. The attack specifically targeted Kurdish individuals and entities in Iraq, likely including:\n\nMembers of the Kurdish military\n\nSecurity forces\n\nAdministrative organizations\n\n\nThis campaign was not random \u2014 it was part of a targeted cyber espionage operation aimed at Kurdish users of Output Messenger operating within Iraq.\n\n\n\nSource :\n\nhttps://thehackernews.com/2025/05/turkiye-hackers-exploited-output.html", "creation_timestamp": "2025-05-13T05:57:12.000000Z"}