
The Good, the Bad and the Ugly in Cybersecurity – Week 20

Medium
Published: Fri May 16 2025 (05/16/2025, 16:33:03 UTC)
Source: AlienVault OTX

Description

A zero-day vulnerability (CVE-2025-27920) in Output Messenger, a widely used internal communication platform, is actively exploited by the Marbled Dust cyber-espionage group targeting Kurdish military users in Iraq. The exploitation involves malicious binaries compromising both client and server components, enabling unauthorized access, espionage, data exfiltration, and persistent presence. No patch currently exists, and exploitation remains targeted, with no widespread attacks reported. Additionally, a malicious obfuscated NPM package poses a significant supply chain risk to software development environments. European organizations using Output Messenger or similar platforms face latent risks of espionage and data breaches. Indicators such as the domain api.wordinfos.com may be linked to attacker command and control infrastructure. The threat underscores the need for enhanced monitoring, supply chain security, and incident preparedness. Positive developments include botnet disruptions and ransomware arrests, but vigilance remains critical.

AI-Powered Analysis

Last updated: 10/28/2025, 19:23:24 UTC

Technical Analysis

This threat centers on a zero-day vulnerability identified as CVE-2025-27920 in Output Messenger, an internal communication platform widely adopted by organizations for secure messaging. The Marbled Dust threat group, known for cyber-espionage operations, is actively exploiting this vulnerability primarily against Kurdish military users in Iraq. The attack leverages malicious binaries, notably omclientservice.exe and omserverservice.exe, to compromise both client and server components of the messaging platform. This compromise enables unauthorized access, persistent presence, espionage activities including data exfiltration, and command and control communications. The attackers demonstrate advanced capabilities, maintaining long-term access to targeted environments. No patch or official mitigation is currently available, increasing the risk for organizations using this software. Complementing this, a malicious NPM package employing sophisticated obfuscation techniques involving Unicode and Google Calendar APIs has been discovered, posing a significant supply chain risk to software development environments. This malware can infiltrate development pipelines, leading to infections, data theft, and lateral movement within networks. Indicators such as the suspicious domain api.wordinfos.com are linked to the attackers' command and control infrastructure. While the exploitation is currently targeted and not widespread, the presence of this zero-day in a widely used platform presents a latent risk to other organizations globally, including European entities. The report also notes positive law enforcement actions disrupting botnets and ransomware groups, but emphasizes ongoing vigilance due to the evolving threat landscape.

Potential Impact

For European organizations, the direct impact of this zero-day exploitation is currently limited as active exploitation targets Kurdish military users in Iraq. However, the presence of a zero-day vulnerability in a widely used communication platform like Output Messenger poses a latent risk to any European entity using this software or similar messaging solutions. Exploitation could lead to unauthorized access to sensitive communications, breaches of confidentiality, manipulation of message integrity, and disruption of communication availability. The espionage capabilities demonstrated by Marbled Dust suggest that similar tactics could be adapted against European military, governmental, or critical infrastructure targets, especially those with geopolitical interests in the Middle East or Kurdish regions. The malicious NPM package threat also presents a significant supply chain risk to European software development environments, potentially leading to malware infections, data theft, or lateral movement within networks, impacting software integrity and availability of development resources. Although botnet and ransomware disruptions are positive developments, ongoing threats remain, underscoring the need for vigilance in supply chain security, zero-day vulnerability monitoring, and defenses against targeted espionage campaigns.

Mitigation Recommendations

1. Conduct an immediate inventory of all Output Messenger deployments within the organization to identify vulnerable components such as omclientservice.exe and omserverservice.exe.
2. Implement strict network segmentation and access controls around communication servers to limit lateral movement if compromise occurs.
3. Monitor network traffic for suspicious outbound connections, particularly to domains like api.wordinfos.com, which may indicate command and control activity.
4. Deploy advanced endpoint detection and response (EDR) solutions with behavioral analytics to detect multi-stage malware and obfuscated payloads, especially in development environments using NPM packages.
5. Enforce strict code signing and integrity verification for all third-party software dependencies, including NPM packages, to mitigate supply chain risks.
6. Increase user awareness and training focused on phishing and social engineering tactics that could deliver malware payloads.
7. Engage actively with threat intelligence sharing communities to receive timely updates on CVE-2025-27920 and Marbled Dust activities.
8. Prepare and regularly update incident response plans specifically addressing espionage and zero-day exploitation scenarios, including forensic readiness and communication protocols.
9. Consider migrating to alternative secure communication platforms with active patch management if Output Messenger cannot be secured promptly.
10. Regularly audit and harden DNS configurations to prevent DNS hijacking attempts linked to this threat.
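Recommendations 1 and 3 can be turned into a quick sweep of existing telemetry. The script below is an added example, not part of the SentinelOne or AlienVault report: it normalises the defanged spelling of the C2 domain that appears in the feed, matches DNS log lines against it (including subdomains), and flags inventory rows for the two binaries the report names. The DNS log format, the CSV inventory format and all sample lines are assumed and constructed.

```python
import re

# Indicators taken from the report. Feeds often defang or space out domains
# ("api. wordinfos. com"), so every value is normalised before comparison.
C2_DOMAINS = ["api. wordinfos. com"]
SUSPECT_BINARIES = {"omclientservice.exe", "omserverservice.exe"}

def normalize_domain(value: str) -> str:
    """Undo common defanging: 'api. wordinfos. com' or 'api[.]wordinfos[.]com'."""
    value = value.strip().lower().rstrip(".")
    return re.sub(r"\s*(?:\[\.\]|\(\.\)|\.\s+)\s*", ".", value)

def dns_hits(lines, domains=C2_DOMAINS):
    """Return (line_no, client, name) for DNS log lines whose queried name is an
    IOC domain or a subdomain of one. Assumed format: '<ts> client=<ip> query=<name>'."""
    wanted = {normalize_domain(d) for d in domains}
    hits = []
    for no, line in enumerate(lines, 1):
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if not m:
            continue
        name = normalize_domain(m.group(2))
        if any(name == d or name.endswith("." + d) for d in wanted):
            hits.append((no, m.group(1), name))
    return hits

def binary_hits(inventory, binaries=SUSPECT_BINARIES):
    """Return (host, path) for inventory rows whose image file name is one of
    the report's binaries. Assumed format: '<host>,<full path>' (constructed CSV)."""
    hits = []
    for row in inventory:
        host, _, path = row.partition(",")
        image = path.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in binaries:
            hits.append((host.strip(), path.strip()))
    return hits

# Constructed sample data; none of these hosts, IPs or timestamps come from the report.
SAMPLE_DNS = [
    "2025-05-16T10:01:02Z client=10.0.5.21 query=updates.example.net",
    "2025-05-16T10:01:09Z client=10.0.5.21 query=api.wordinfos.com.",
    "2025-05-16T10:02:44Z client=10.0.7.3 query=cdn.api.wordinfos.com",
]
SAMPLE_INVENTORY = [
    "srv-chat-01,C:\\Program Files\\Output Messenger Server\\omserverservice.exe",
    "ws-0042,C:\\Program Files\\Output Messenger\\omclientservice.exe",
    "ws-0043,C:\\Windows\\System32\\svchost.exe",
]

if __name__ == "__main__":
    print(dns_hits(SAMPLE_DNS), binary_hits(SAMPLE_INVENTORY))
```

A match on the inventory side only identifies deployments to review under recommendation 1; it is the DNS or proxy match on the C2 domain that warrants escalation.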


Technical Details

Author
AlienVault
Tlp
white
References
https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-20-6
Adversary
Marbled Dust

Indicators of Compromise

Cve
CVE-2025-27920

Domain
api.wordinfos.com

Threat ID: 682c992c7960f6956616a37b

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 10/28/2025, 7:23:24 PM

Last updated: 11/22/2025, 7:32:06 PM

Views: 78

Community Reviews

0 reviews
