Türkiye-Based Hackers Exploit Zero-Day in Output Messenger to Deploy Golang Backdoors on Kurdish Servers

May 13, 2025
Category: Zero-Day / Vulnerability

A Türkiye-linked threat actor has exploited a zero-day vulnerability in the Indian enterprise communication tool Output Messenger as part of a cyber espionage campaign that began in April 2024. According to the Microsoft Threat Intelligence team, these exploits have led to the collection of sensitive user data from targets in Iraq. The focus of the attacks appears to align with the Kurdish military in Iraq, consistent with the previously documented objectives of the group known as Marbled Dust. This threat group, which has also been referred to as Silicon, Cosmic Wolf, Sea Turtle, Teal Kurma, and UNC1326, has been active since at least 2017. However, it wasn’t until 2019 that Cisco Talos documented their activities against both public and private entities in the Middle East and North Africa. Early last year, the group was also noted for targeting telecommunications and media sectors.

In a notable instance of cyber espionage, a Türkiye-affiliated threat actor has successfully leveraged a zero-day vulnerability in Output Messenger, an enterprise communication platform from India. This breach, which has been part of a sustained attack campaign since April 2024, has raised alarms about the potential implications for national security and data integrity. According to a report from the Microsoft Threat Intelligence team, the exploitation has enabled the collection of sensitive user data from targets located in Iraq.

The primary targets of this sophisticated attack are linked to the Kurdish military, reflecting patterns observed in the activities of the hacking group known as Marbled Dust, also referred to as Cosmic Wolf and Sea Turtle, among other aliases. This group has been active since at least 2017, with documented instances of cyberattacks against both public and private entities across the Middle East and North Africa beginning in 2019. Earlier this year, the group was similarly noted for targeting sectors related to telecommunications and media, signaling a strategic focus on information-rich environments.

The zero-day vulnerability in Output Messenger provided an avenue for the deployment of Golang-based backdoors on compromised systems. Such backdoors enable persistent access and control, allowing the actors to navigate the network undetected while exfiltrating valuable intelligence. This tactic aligns with several MITRE ATT&CK adversary techniques, including initial access through exploitation of vulnerabilities, persistence via backdoor implants, and potentially privilege escalation to gather extensive data from affected systems.

As cyber threats continue to evolve, the tactics employed by groups like Marbled Dust underscore the necessity for organizations, especially those in sensitive sectors, to remain vigilant. The use of sophisticated malware and exploitation of known vulnerabilities highlight the critical importance of patch management and threat assessment. Organizations are advised to thoroughly review their cybersecurity protocols to ensure they are equipped to defend against such targeted operations.

In light of this incident, it is essential for business owners and security professionals to engage in proactive security measures, including regular updates to software, comprehensive incident response planning, and employee training on recognizing potential threats. This breach serves as a reminder that maintaining cybersecurity is not just a technical obligation but also a strategic necessity in today’s increasingly interconnected world.

The situation continues to develop, and stakeholders will need to monitor the implications of this attack closely. Understanding the motivations and methodologies of threat actors can provide valuable insights into preventive measures and response strategies, reinforcing the overarching goal of safeguarding vital information and infrastructure.