CTI Roundup: Marbled Dust, Horabot, and TA406
Marbled Dust exploits a zero-day vulnerability in Output Messenger, a sophisticated phishing campaign uses Horabot malware, and TA406 shifts its targeting behavior
In this week’s roundup, Tanium’s Cyber Threat Intelligence (CTI) team looks at a cyberthreat posed by an actor tracked as Marbled Dust. Next, our CTI team highlights a sophisticated phishing campaign that leverages the Horabot malware. Finally, the team investigates a recent shift in targeting behavior from North Korean state-sponsored threat actor TA406.
Marbled Dust exploits a zero-day vulnerability in Output Messenger
Microsoft recently shared details of a cyberthreat posed by a threat actor tracked as Marbled Dust.
According to Microsoft, the actor has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger application. So far, the exploitation has primarily targeted user accounts in Iraq for regional espionage.
What to know about Marbled Dust
Marbled Dust is a Turkey-affiliated espionage threat actor that is known to target organizations in Europe and the Middle East.
The group has employed tactics such as DNS hijacking and advanced malware, targeting governmental bodies, Kurdish political groups, telecommunications entities, ISPs, IT service providers, and media and entertainment organizations.
Recently, Marbled Dust has begun exploiting zero-day vulnerabilities to deliver malicious files and exfiltrate data from targeted accounts.
What is Output Messenger’s zero-day vulnerability?
The Output Messenger Server Manager application contains a directory traversal vulnerability that allows an unauthenticated user to upload files to the startup directory.
As Microsoft notes, once the actor gains access to the server, they can “leverage Output Messenger system architecture to gain indiscriminate access to the communications of every user, steal sensitive data, and impersonate users, which could lead to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.” The vulnerability affects versions before 2.0.63.
Microsoft identified the zero-day vulnerability and notified Srimax, the developer of Output Messenger, who subsequently issued a software update. Another vulnerability (CVE-2025-27921) was also identified and patched, though it has not been exploited.
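As an added illustration of the bug class described above (example code, not Output Messenger's own implementation), here is the naive path join that lets a client-supplied name escape the upload directory, beside a hardened handler; the upload root and the allowed file types are assumptions for the example:

```python
from pathlib import Path

# Assumed upload root for this illustration; not Output Messenger's real layout.
UPLOAD_ROOT = Path("/srv/om/uploads")
# Assumed policy: a document upload endpoint has no reason to accept script types.
ALLOWED_SUFFIXES = {".pdf", ".png", ".jpg", ".txt"}


def naive_target(filename: str) -> Path:
    """Vulnerable pattern: join the client-supplied name and trust the result."""
    return (UPLOAD_ROOT / filename).resolve()


def escapes_root(filename: str) -> bool:
    """True when the naive join lands outside UPLOAD_ROOT, i.e. traversal succeeded."""
    return UPLOAD_ROOT.resolve() not in naive_target(filename).parents


def safe_target(filename: str) -> Path:
    """Hardened handler: bare file name only, allow-listed type, post-resolve root check."""
    # Reject any path separator or NUL; both "../" and "..\\" fail here.
    if not filename or any(c in filename for c in "/\\\0"):
        raise ValueError(f"rejected: path separator in {filename!r}")
    if filename in (".", "..") or filename.startswith("."):
        raise ValueError(f"rejected: dot name {filename!r}")
    if Path(filename).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"rejected: type not allowed {filename!r}")
    candidate = (UPLOAD_ROOT / filename).resolve()
    # Defence in depth: confirm the resolved path is still under the root.
    if UPLOAD_ROOT.resolve() not in candidate.parents:
        raise ValueError(f"rejected: resolves outside upload root {filename!r}")
    return candidate


def is_accepted(filename: str) -> bool:
    """True if the hardened handler would store a file under this name."""
    try:
        safe_target(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("invoice.pdf", "../../startup/OM.vbs", "OM.vbs"):
        print(f"{name!r}: naive={naive_target(name)} escapes={escapes_root(name)} "
              f"accepted={is_accepted(name)}")
```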
How does Marbled Dust’s attack chain work?
- Accessing Output Messenger: The attack chain initiated by the Marbled Dust threat actor starts with gaining access to the Output Messenger Server Manager application as an authenticated user. Although the exact method of gaining authentication isn’t fully known, Microsoft believes that Marbled Dust likely uses DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials. These techniques have been observed in their previous malicious activities.
- Exploiting CVE-2025-27920: Once authenticated, Marbled Dust exploits the CVE-2025-27920 vulnerability. This vulnerability allows an authenticated user to drop malicious files into the server’s startup directory. The threat actor drops the malicious files “OM.vbs” and “OMServerService.vbs” into the Output Messenger server startup folder and drops OMServerService.exe into the server’s “Users/public/videos” directory.
- Calling OM.vbs: The attack proceeds with OMServerService.vbs calling “OM.vbs,” which is then passed to “OMServerService.exe” as an argument. “OM.vbs” was not available for analysis. However, “OMServerService.exe” was identified as a GoLang backdoor masquerading as a legitimate file. In some instances, Microsoft observed “OMServerService.exe” connecting to a hardcoded domain, “api.wordinfos[.]com,” for data exfiltration.
- Deploying an executable: On the client side, the installer will extract and execute the legitimate file and a malicious executable. The malicious executable is a backdoor that establishes a connection to a Command and Control (C2) server.
- Data exfiltration: In at least one observed case, a victim device with the Output Messenger client software was seen connecting to an IP address attributed to the actor, likely for the purpose of data exfiltration. Microsoft notes that these connections coincide with the threat actor issuing commands to collect files with varying file extensions into a RAR file on the desktop.
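An added hunting example, not part of Microsoft's or Tanium's material, that runs the file-name, folder and domain indicators from the chain above over constructed telemetry lines; the Output Messenger install path in the samples is assumed, and only the folder name "Startup" is relied on:

```python
# Indicators summarised from the Microsoft report above; api.wordinfos[.]com refanged.
DROPPED_SCRIPTS = {"om.vbs", "omserverservice.vbs"}
DROPPED_BINARY = "omserverservice.exe"
EXFIL_DOMAIN = "api.wordinfos.com"

# Constructed sample telemetry, not real logs: "type|host|detail" per line.
# The install path under Program Files is assumed for the example.
SAMPLE_EVENTS = r"""
file|srv-om-01|C:\Program Files\Output Messenger Server\Startup\OM.vbs
file|srv-om-01|C:\Program Files\Output Messenger Server\Startup\OMServerService.vbs
file|srv-om-01|C:\Users\Public\Videos\OMServerService.exe
file|srv-om-01|C:\Users\Public\Videos\townhall.mp4
dns|ws-042|api.wordinfos.com
dns|ws-042|update.microsoft.com
file|ws-042|C:\Users\alice\Desktop\collect.rar
"""


def classify(event_type: str, detail: str):
    """Return a rule id when one event matches a Marbled Dust indicator, else None."""
    d = detail.lower().replace("/", "\\")
    name = d.rsplit("\\", 1)[-1]
    if event_type == "file":
        if name in DROPPED_SCRIPTS and "\\startup\\" in d:
            return "startup_vbs"        # OM.vbs / OMServerService.vbs in a Startup folder
        if name == DROPPED_BINARY and "\\users\\public\\videos\\" in d:
            return "staged_exe"         # Go backdoor staged in Users\Public\Videos
        if name.endswith(".rar") and "\\desktop\\" in d:
            return "desktop_rar"        # weak signal: collection stage archives to Desktop
    elif event_type == "dns" and d == EXFIL_DOMAIN:
        return "exfil_dns"              # lookup of the reported exfiltration domain
    return None


def hunt(events: str):
    """Run every telemetry line through classify() and collect (host, rule_id) hits."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        event_type, host, detail = line.split("|", 2)
        rule = classify(event_type, detail)
        if rule:
            hits.append((host, rule))
    return hits


def hosts_with_full_chain(hits):
    """Hosts showing both the Startup scripts and the staged binary; triage these first."""
    by_host = {}
    for host, rule in hits:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if {"startup_vbs", "staged_exe"} <= rules)
```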
Analyst comments from Tanium’s Cyber Threat Intelligence team
Microsoft points out how the use of a zero-day is a notable shift for Marbled Dust, indicating that the group is becoming more sophisticated.
While this attack primarily targets Iraq, the group has previously targeted entities in other countries, which makes its improved sophistication more significant.
As always, Microsoft has included recommendations, detections, and hunting queries to help identify this threat.
Sophisticated phishing campaign uses Horabot malware
According to Fortinet, a sophisticated phishing campaign is now leveraging the Horabot malware.
The malware is known to use phishing emails that specifically impersonate invoices or financial documents. Horabot utilizes Outlook COM automation to send phishing messages, allowing it to move laterally.
What’s in the phishing email?
The attack starts with a phishing email that contains an attachment, both of which are written in Spanish.
The email pretends to come from a legitimate sender in Mexico and uses a subject line related to an attached invoice. The attachment, which claims to be a PDF invoice that needs to be opened, is actually a ZIP file containing a malicious HTML file.
The decoded data within the HTML file is also an HTML file that requires a remote URL to download the next payload, which is a ZIP file. This ZIP contains an HTA file with numerous unused strings and a tag of “moveTo(7426, 6245)” to reposition the browser window. It then loads a script to inject an external VBScript, which gets appended into the HTML element.
Understanding the role of VBScript
As Fortinet notes, the VBScript will implement a “custom string-decoded routine by processing every two characters, performing mathematical transformations, and reconstructing hidden strings, such as URLs, PowerShell commands, or other instructions.” The first main task of the script is environment detection and evasion, which includes antivirus checks, virtual machine checks, and specific machine evasion for devices named “JOHN-PC.”
The script will also ensure that the necessary folder to prevent reinfection exists, collect and exfiltrate basic victim information, prepare for AutoIt by downloading payloads, and prepare for PowerShell by creating a batch script. The script will establish persistence, deleting certain file types from the “%Startup%” and “%AppData%” folders and creating a new LNK file that points to hidden dropped files. Lastly, it will execute the created shortcuts.
What is the AutoIt script and banking trojan used for?
The AutoIt script, which is used for decryption, reveals a malicious DLL designed to collect information from the victim’s machine and send that data to the C2 server. The malware then steals browser-related data and exfiltrates it to the remote server. Horabot will also monitor victim behavior, injecting fake pop-up windows that are designed to steal credentials.
How Horabot automates its email assault
A script retrieved by the previous VBScript then executes additional scripts hosted on the remote server. As Fortinet explains, these files “can achieve a full cycle of building a victim list, email automation, and efficient Horabot payload delivery.” The malware terminates running instances of Outlook to make sure it can launch the program using a COM object. After creating an “Outlook.Application” object, it initializes an empty list to collect email addresses and defines a blocked domain list.
Another script will then build a list of email addresses, while a different script will save collected addresses and send them to an external server. Additional scripts will create and deliver an email containing fake invoices and then delete the related files. The malware also uses Outlook to send itself to more victims.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Horabot utilizes Outlook to blend in with normal behavior, which distinguishes it from other types of malware. This makes it more difficult to identify.
As always with phishing, user education is crucial, especially since this campaign employs common and traditional phishing lures.
TA406 shifts its targeting behavior
A recent blog from Proofpoint highlights a significant shift in the targeting behavior of TA406.
Proofpoint reports that TA406 is now using freemail senders that spoof legitimate individuals to trick the victim into interacting with the lure. The group has been delivering credential harvesting and various malware in its phishing campaigns since February 2025.
In February, TA406 also began targeting government entities in Ukraine to collect intelligence on Russia’s campaign.
How does TA406 malware delivery work?
TA406 has historically preferred to use HTML and CHM files to run embedded PowerShell and deploy malware. In February 2025, Proofpoint observed the actor impersonating a fake senior fellow associated with a fake think tank. The email included a link to the MEGA file hosting service, allowing users to download a password-protected file. The file is a RAR archive, which, after being decrypted and executed, initiates the infection chain using PowerShell for reconnaissance. When the intended victim did not interact with the original link, the group followed up with several more phishing emails over the following days.
The archive drops a CHM file that includes additional HTML files. The HTML files will display lure content to the intended victim. A PowerShell script within the HTML will execute if the victim clicks around within that page. This will download and run more PowerShell to gather information about the victim’s host.
The gathered information is then sent back to the attacker. To establish persistence, the threat actor installs a batch file as an autorun entry so that it launches at startup.
Is TA406 harvesting credentials?
Before the group launched its malware campaigns, Proofpoint observed the actor attempting to obtain credentials by sending fake Microsoft security alerts.
These phishing emails attempt to trick the victim into clicking on a link to verify their identity. Researchers have not yet been able to obtain the actual credential phishing page.
Analyst comments from Tanium’s Cyber Threat Intelligence team
The latest TA406 activity underscores the group’s continued focus on geopolitical intelligence. Its pivot in targeting, from Russian government entities to Ukrainian government entities, could suggest a recalibration of North Korea’s intelligence priorities.
What’s interesting is the use of fake individuals from fake think tanks, as opposed to trying to spoof legitimate individuals.