OMServerService.exe
OMServerService.exe is a Go-based backdoor that masquerades as a legitimate Output Messenger file of the same name. It was deployed by the Türkiye-linked cyberespionage actor Marbled Dust (also tracked as Sea Turtle, SILICON, UNC1326, Teal Kurma, and Cosmic Wolf) while exploiting CVE-2025-27920, a directory traversal vulnerability affecting Output Messenger versions prior to 2.0.63, including the exploited version 2.0.62. In the reported campaign against users associated with the Kurdish military in Iraq, the actor likely obtained credentials through DNS hijacking or typosquatted domains, logged in to the Output Messenger Server Manager as an authenticated user, and uploaded malicious files including OM.vbs, OMServerService.vbs, and OMServerService.exe. The executable was placed in the server's Users/public/videos directory, and the VBS files were dropped into the startup folder to launch it. OMServerService.exe performed connectivity checks to the hardcoded attacker-controlled domain api.wordinfos[.]com, sent victim or host identification information to it, and in some cases was observed using the same domain for data exfiltration. Compromise of the server in this way enabled theft of sensitive data, access to user communications, impersonation of users, and operational disruption. A related client-side backdoor, OMClientService.exe, was used in the same campaign.
Vulnerabilities exploited
Türkiye-based cyberespionage group Marbled Dust (aka Sea Turtle, UNC1326, and Silicon) is exploiting a zero-day vulnerability in Output Messenger to target users associated with the Kurdish military in Iraq. The vulnerability (CVE-2025-27920) is a directory traversal flaw in version 2.0.62 of Output Messenger that allows authenticated users to access or execute arbitrary files outside intended directories.
Groups observed using it
"OMServerService.exe is a backdoor written in Go and cleverly disguised as the legitimate file with the same name. In some cases, OMServerService.exe is observed connecting to a hardcoded domain, api.wordinfos[.]com, for data exfiltration"
Recent activity
Golang-based backdoor deployed post-exploitation of Output Messenger, used for C2 communications, data exfiltration, and executing further commands.
Go-based backdoor masquerading as a legitimate Output Messenger component (same filename). Deployed to the Output Messenger server startup folder via exploitation of CVE-2025-27920 and used for command execution and data exfiltration (observed beaconing to api.wordinfos[.]com).
A Go-based backdoor deployed on Output Messenger servers after exploitation/authentication, used to maintain access and support data theft/exfiltration.
A Golang backdoor deployed on the Output Messenger server. It contacts a hard-coded domain (api.wordinfos[.]com) and is used for command-and-control and data exfiltration.