OMClientService.exe
OMClientService.exe is a Golang backdoor used by the Türkiye-affiliated espionage group Marbled Dust, also tracked as Sea Turtle, UNC1326, Silicon, Cosmic Wolf, and Teal Kurma. It was deployed in a campaign targeting users associated with the Kurdish military in Iraq through exploitation of Output Messenger vulnerability CVE-2025-27920, a directory traversal flaw affecting Output Messenger v2.0.62. Microsoft reported the activity began in April 2024.
On compromised Windows client systems, an installer extracted and executed both the legitimate OutputMessenger.exe and OMClientService.exe. The malware is described as a second Go-based backdoor used on client devices, while a related server-side backdoor, OMServerService.exe, was deployed on Output Messenger servers. Microsoft assessed Marbled Dust likely first obtained authenticated access to the Output Messenger Server Manager interface, potentially via DNS hijacking or typosquatted domains used to intercept credentials, and then leveraged the vulnerability to deploy payloads.
OMClientService.exe connected to a Marbled Dust command-and-control domain and, in at least one observed case, to an IP address previously linked to the group. Reported behavior included command execution and collection of files into a RAR archive on the desktop, consistent with data exfiltration objectives. The broader campaign enabled access to communications, user impersonation, operational disruption, and theft of user data from targets in Iraq. High-confidence associated indicators and artifacts mentioned in the reporting include the malware name OMClientService.exe, its use alongside OutputMessenger.exe on client devices, and its association with Marbled Dust’s Output Messenger exploitation activity.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
Türkiye-based cyberespionage group Marbled Dust (aka Sea Turtle, UNC1326, and Silicon) is exploiting a zero-day vulnerability in Output Messenger to target users associated with the Kurdish military in Iraq. The vulnerability (CVE-2025-27920) is a directory traversal flaw in version 2.0.62 of Output Messenger that allows authenticated users to access or execute arbitrary files outside intended directories.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"the installer extracts and executes both the legitimate OutputMessenger.exe and another backdoor written in Go, OMClientService.exe. The latter connects to a Marbled Dust command-and-control (C2) domain"
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Secondary backdoor used on client devices in the same Output Messenger intrusion activity attributed to Marbled Dust.
Go-based client-side backdoor dropped alongside the legitimate Output Messenger client. Connects to Marbled Dust C2 infrastructure and was observed supporting collection/staging of files (commands to gather files with various extensions into a RAR archive) consistent with exfiltration activity.
A Golang backdoor deployed on victim client systems. It checks connectivity to api.wordinfos[.]com, sends host identification, and executes server-supplied commands via 'cmd /c'.
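The three source summaries above describe observable host behaviour: a connectivity check to api.wordinfos[.]com, commands run through 'cmd /c', and files gathered into a RAR archive on the desktop. As an added example (not code from the page, from Mallory, or from Microsoft's reporting), the following Python turns those behaviours into detection logic run over constructed Sysmon-style process-creation and DNS events. The event field names, pids, and file paths are assumptions made for the example; only the domain, the process names, and the 'cmd /c' and RAR patterns come from the page.

```python
"""Detection logic for the OMClientService.exe behaviours described on the page.

Added example, not from the original page. It scans constructed, Sysmon-style
process-creation and DNS-query events for three of the reported behaviours:
  1. OMClientService.exe spawning 'cmd /c' (server-supplied command execution),
  2. any process resolving api.wordinfos[.]com (C2 connectivity check),
  3. the backdoor, or a cmd.exe it spawned, writing a .rar archive under a
     user's Desktop (collection/staging prior to exfiltration).
Field names, pids and paths are assumptions made for this example.
"""
from dataclasses import dataclass
import re

C2_DOMAIN = "api.wordinfos.com"   # written defanged on the page as api.wordinfos[.]com
BACKDOOR_IMAGE = "omclientservice.exe"

@dataclass
class Event:
    kind: str          # "process" (process creation) or "dns" (DNS query)
    pid: int
    ppid: int
    image: str         # full path of the process that produced the event
    cmdline: str = ""  # process-creation events only
    query: str = ""    # dns events only

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

# Matches a .rar archive placed directly under a Desktop folder in a command line.
RAR_ON_DESKTOP = re.compile(r"desktop\\[^\s\"]+\.rar", re.IGNORECASE)

def detect(events):
    """Return a list of (rule_name, pid, detail) tuples, in event order."""
    hits = []
    image_by_pid = {e.pid: basename(e.image) for e in events if e.kind == "process"}
    backdoor_pids = {pid for pid, img in image_by_pid.items() if img == BACKDOOR_IMAGE}
    # cmd.exe processes whose parent is the backdoor; one level is enough for 'cmd /c'
    backdoor_cmd_pids = {
        e.pid for e in events
        if e.kind == "process" and e.ppid in backdoor_pids and basename(e.image) == "cmd.exe"
    }
    for e in events:
        if e.kind == "process":
            tokens = e.cmdline.lower().split()
            if e.pid in backdoor_cmd_pids and "/c" in tokens:
                hits.append(("backdoor_spawns_cmd_c", e.pid, e.cmdline))
            if (e.pid in backdoor_pids or e.pid in backdoor_cmd_pids) and RAR_ON_DESKTOP.search(e.cmdline):
                hits.append(("rar_staging_on_desktop", e.pid, e.cmdline))
        elif e.kind == "dns" and e.query.lower().rstrip(".") == C2_DOMAIN:
            hits.append(("c2_domain_lookup", e.pid, e.query))
    return hits

# Constructed sample telemetry (not real captured data): the legitimate client and the
# backdoor extracted side by side, a C2 lookup, a cmd /c child staging a RAR archive,
# and an unrelated cmd.exe that must not be flagged.
SAMPLE_EVENTS = [
    Event("process", 1200, 900, r"C:\Users\u\AppData\Local\Temp\OutputMessenger.exe", "OutputMessenger.exe"),
    Event("process", 1300, 900, r"C:\Users\u\AppData\Local\Temp\OMClientService.exe", "OMClientService.exe"),
    Event("dns", 1300, 900, r"C:\Users\u\AppData\Local\Temp\OMClientService.exe", query="api.wordinfos.com"),
    Event("process", 1400, 1300, r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c rar a C:\Users\u\Desktop\out.rar C:\Users\u\Documents\*.docx"),
    Event("process", 1500, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    Event("dns", 1200, 900, r"C:\Users\u\AppData\Local\Temp\OutputMessenger.exe", query="update.example.invalid"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid} {detail}")
```

The domain lookup and the parent/child relationship between the backdoor and cmd.exe are the more durable signals here; the file-name match on OMClientService.exe is the weakest, since a renamed binary would slip past it, which is why the example keys the cmd /c and RAR rules off process lineage rather than off the name alone.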