
Turkey-backed hackers used software flaw to spy on Kurdish security forces in Iraq: Microsoft


A Turkish state-aligned hacking group exploited a previously unknown software flaw to infiltrate communications linked to Kurdish security forces in Iraq, Microsoft said on Monday, in what it calls a sophisticated and alarming cyber-espionage campaign.

The group, labeled by Microsoft as “Marbled Dust,” targeted the messaging app Output Messenger, commonly used by organizations for internal communication, file sharing and collaboration. Microsoft said the group used a “zero-day” vulnerability — an undisclosed security hole that the software’s developer was unaware of — making it especially dangerous.

The tech company said the attacks began in April 2024 and continued until recent months, affecting targets tied to the “Kurdish military” in Iraq. The Peshmerga, the security forces of Iraq’s autonomous Kurdistan region, are not formally a military but have military capabilities and are conventionally referred to as one.

Microsoft said it assesses with “high confidence” the operation was focused on surveillance of Kurdish entities, in line with the group’s past priorities.

Marbled Dust is part of a naming system Microsoft uses to classify threat actors. Groups linked to Turkish state interests are given the codename “Dust.” “Marbled Dust” refers to a specific actor in that category. Similar systems exist for other states: China-linked actors, for example, are called “Typhoon.”

Zero-day exploits are considered particularly serious because they allow attackers to break into systems before the software maker knows the flaw exists, so no patch is available and targets can rely only on detection and compensating controls. Microsoft only became aware of the Output Messenger vulnerability after Marbled Dust had already begun using it.

Upon discovery, Microsoft alerted Srimax, the Indian developer of Output Messenger, which quickly released a fix. Microsoft emphasized the urgency of installing the latest version of the software to avoid continued exposure.

The warning comes at a delicate political moment. On Monday the Kurdistan Workers’ Party (PKK), designated a terrorist organization by Turkey and its Western allies, announced it would disband and called for peaceful resolution to decades of conflict. While the PKK and the Kurdish forces in Iraq are distinct, they are often perceived in Turkish security circles as part of a broader Kurdish nationalist network.

This perception is further complicated by a recent Kurdish unity conference held in northeastern Syria, which included actors affiliated with the PKK, the Syrian Democratic Forces (SDF) and the Kurdistan Regional Government in Iraq. The convergence of these groups — despite political and operational differences — has likely heightened Ankara’s desire to monitor Kurdish military activity across borders.

While the Iraqi Kurdish military has largely cooperated with Turkey in recent years, particularly in operations against PKK militants, Microsoft’s report suggests that even allied Kurdish entities are viewed as potential intelligence targets by Turkish cyber units.

Marbled Dust has previously been linked to attacks against governments, telecom providers and IT systems in Europe and the Middle East. Its known tactics include redirecting internet traffic by hijacking domain name (DNS) records and stealing login credentials through tampered domain records or look-alike websites that mimic legitimate ones.

In this case Marbled Dust used its access to install spying tools that allowed it to monitor communications, impersonate users and extract files — essentially gaining control over the messaging platform’s internal environment.

Microsoft said the campaign shows a “notable shift” in Marbled Dust’s capabilities, suggesting the group has grown more technically advanced and potentially more urgent in its objectives.

The tech giant called the campaign a wake-up call about the growing reach of state-backed cyber-espionage and the risks posed to organizations using less well-known or unpatched communication software.

Microsoft published detection tools and mitigation advice for organizations that may have been affected. It also urged all Output Messenger users to upgrade immediately to prevent further exploitation.
