The Good, the Bad and the Ugly in Cybersecurity – Week 20
Description
A zero-day vulnerability (CVE-2025-27920) in Output Messenger, a widely used internal communication platform, is actively exploited by the Marbled Dust cyberspy group targeting Kurdish military users in Iraq. The exploitation uses malicious binaries compromising both client and server components, enabling unauthorized access, espionage, data exfiltration, and persistent presence. No patch currently exists, and attacks remain targeted with no widespread exploitation reported. Additionally, a malicious obfuscated NPM package poses a significant supply chain risk to software development environments. Indicators such as the domain api.wordinfos.com are linked to attacker command and control infrastructure. European organizations using Output Messenger or similar platforms face latent risks of espionage and data breaches. The threat highlights the need for enhanced monitoring, supply chain security, and incident preparedness. Positive developments include botnet disruptions and ransomware arrests, but vigilance remains critical.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The threat centers on CVE-2025-27920, a zero-day vulnerability in Output Messenger, an internal communication platform widely adopted by organizations for secure messaging. The Marbled Dust threat group, known for cyber-espionage operations, is actively exploiting this vulnerability primarily against Kurdish military users in Iraq. The attack leverages malicious binaries, specifically omclientservice.exe and omserverservice.exe, to compromise both client and server components of the messaging platform. This compromise enables unauthorized access, persistent presence, espionage activities including data exfiltration, and command and control communications. The attackers maintain long-term access to targeted environments, demonstrating advanced capabilities. Currently, no patch or official mitigation is available, which increases risk for organizations using this software. Separately, a malicious obfuscated NPM package employing sophisticated obfuscation techniques involving Unicode and Google Calendar APIs has been discovered, posing a significant supply chain risk to software development environments. This malware can infiltrate development pipelines, leading to infections, data theft, and lateral movement within networks. Indicators such as the suspicious domain api.wordinfos.com are linked to the attackers' command and control infrastructure. Although exploitation is currently targeted and not widespread, the presence of this zero-day in a widely used platform presents a latent risk to other organizations globally, including European entities. The report also notes positive law enforcement actions disrupting botnets and ransomware groups, but emphasizes ongoing vigilance due to the evolving threat landscape.
Potential Impact
The exploitation of CVE-2025-27920 allows attackers to gain unauthorized access to sensitive internal communications, compromising confidentiality, integrity, and availability of messaging services. Persistent presence enables long-term espionage, data exfiltration, and potential manipulation of communication content. Organizations using Output Messenger, especially those in military, governmental, or critical infrastructure sectors, face risks of targeted cyber espionage and operational disruption. The malicious NPM package threat extends risk to software development environments, potentially compromising software integrity, enabling lateral movement, and leading to data theft or further malware deployment. Although current exploitation is targeted at Kurdish military users in Iraq, the vulnerability's presence in a widely used platform poses a latent global risk, particularly for European organizations with geopolitical interests in the Middle East. The lack of a patch increases exposure duration, while the attackers’ use of obfuscated binaries and command and control infrastructure complicates detection and response efforts. Positive law enforcement actions provide some relief but do not eliminate ongoing risks.
Mitigation Recommendations
1. Conduct a comprehensive inventory of all Output Messenger deployments to identify vulnerable client and server components such as omclientservice.exe and omserverservice.exe.
2. Implement strict network segmentation and access controls around communication servers to limit lateral movement in case of compromise.
3. Monitor network traffic for suspicious outbound connections, especially to domains like api.wordinfos.com, indicative of command and control activity.
4. Deploy advanced endpoint detection and response (EDR) solutions with behavioral analytics capable of detecting multi-stage malware and obfuscated payloads, particularly in development environments using NPM packages.
5. Enforce strict code signing, integrity verification, and whitelisting for all third-party software dependencies, including NPM packages, to mitigate supply chain risks.
6. Increase user awareness and training focused on phishing and social engineering tactics that could deliver malware payloads.
7. Engage actively with threat intelligence sharing communities to receive timely updates on CVE-2025-27920 and Marbled Dust activities.
8. Prepare and regularly update incident response plans specifically addressing espionage and zero-day exploitation scenarios, including forensic readiness and communication protocols.
9. Consider migrating to alternative secure communication platforms with active patch management if Output Messenger cannot be secured promptly.
10. Regularly audit and harden DNS configurations to prevent DNS hijacking attempts linked to this threat.
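Recommendations 1 and 3 above amount to two checks a defender can script: match resolver or proxy logs against the C2 domain, and find hosts where the Output Messenger binaries are running. The following is an added example, not code from the advisory or from Output Messenger. It uses the two indicators the page gives (api.wordinfos.com, omclientservice.exe and omserverservice.exe); the DNS log format, the log lines and the process listing are constructed for illustration. The domain check enforces label boundaries, so a naive substring match's false positives (a look-alike such as notapi.wordinfos.com, or the IoC embedded in a longer name) are not reported, while real subdomains of the IoC are.

```python
"""Added example: match the advisory's IoCs against constructed DNS log
lines and a constructed host process inventory (defender-side checks)."""
import re
from typing import Iterable

# IoCs taken from the advisory.
C2_DOMAINS = frozenset({"api.wordinfos.com"})
OM_BINARIES = frozenset({"omclientservice.exe", "omserverservice.exe"})

# Constructed sample DNS log in an assumed "<ts> <client> <qname> <qtype>"
# layout; not the output of any particular resolver.
SAMPLE_DNS_LOG = """\
2025-05-20T14:58:01Z 10.20.30.40 api.wordinfos.com A
2025-05-20T14:58:02Z 10.20.30.41 www.example.com A
2025-05-20T14:58:03Z 10.20.30.40 CDN.API.WORDINFOS.COM AAAA
2025-05-20T14:58:04Z 10.20.30.42 api.wordinfos.com.example.net A
2025-05-20T14:58:05Z 10.20.30.43 notapi.wordinfos.com A
"""

# Constructed sample process inventory: (hostname, image path).
SAMPLE_PROCESSES = [
    ("ws-01", r"C:\Program Files\Output Messenger\omclientservice.exe"),
    ("ws-01", r"C:\Windows\System32\svchost.exe"),
    ("srv-chat", r"C:\Program Files\Output Messenger Server\OMServerService.exe"),
    ("ws-02", r"C:\Users\alice\AppData\Local\Temp\omclientservice.exe"),
    ("ws-03", r"C:\Windows\explorer.exe"),
]

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalize_domain(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def matches_ioc_domain(qname: str, iocs: Iterable[str] = C2_DOMAINS) -> bool:
    """True if qname equals an IoC domain or is a subdomain of one.
    The '.' + ioc suffix test enforces a label boundary, so
    'notapi.wordinfos.com' and 'api.wordinfos.com.example.net' do not match."""
    q = normalize_domain(qname)
    for ioc in iocs:
        i = normalize_domain(ioc)
        if q == i or q.endswith("." + i):
            return True
    return False


def scan_dns_log(text: str, iocs: Iterable[str] = C2_DOMAINS) -> list[dict]:
    """Return one record per query whose name matches an IoC domain."""
    hits = []
    for line in text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if matches_ioc_domain(m["qname"], iocs):
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize_domain(m["qname"])})
    return hits


def inventory_hosts(processes, binaries: Iterable[str] = OM_BINARIES) -> dict[str, list[str]]:
    """Map hostname -> sorted image paths whose basename is an Output Messenger
    binary named in the advisory. A hit marks a deployment to review; a copy
    outside the product's install directory deserves a closer look."""
    wanted = {b.lower() for b in binaries}
    found: dict[str, set[str]] = {}
    for host, path in processes:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in wanted:
            found.setdefault(host, set()).add(path)
    return {h: sorted(p) for h, p in sorted(found.items())}


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("C2 domain lookup:", hit)
    for host, paths in inventory_hosts(SAMPLE_PROCESSES).items():
        print("Output Messenger binary on", host, "->", paths)
```

On the constructed input the DNS scan reports two lookups from 10.20.30.40 (the IoC itself and a subdomain of it) and ignores the two look-alikes; the inventory lists three hosts, and the copy under a user's Temp directory on ws-02 is the one an analyst would triage first.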
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-20-6
- Adversary: Marbled Dust
Indicators of Compromise
CVE
| Value | Description |
|---|---|
| CVE-2025-27920 | — |
Domain
| Value | Description |
|---|---|
| api.wordinfos.com | — |
Threat ID: 682c992c7960f6956616a37b
Added to database: 5/20/2025, 3:01:00 PM
Last enriched: 2/26/2026, 8:16:51 PM
Last updated: 3/21/2026, 8:49:24 PM