Turla Unveils STOCKSTAY: A New Generation Backdoor Powering Advanced Espionage Campaigns

  • Javier Conejo del Cerro
  • 4 hours ago
  • 4 min read

Google Threat Intelligence Group (GTIG) has revealed STOCKSTAY, a previously undocumented .NET-based backdoor developed by the Russian state-sponsored threat actor Turla. The malware has been actively deployed against Ukrainian government and military organizations, as well as entities involved in Italian foreign policy, highlighting Turla’s continued investment in long-term cyber espionage capabilities.

According to Google’s analysis, STOCKSTAY shares significant architectural and functional similarities with Kazuar, Turla’s long-standing malware framework first observed in 2017. Researchers believe the new implant has been under development since late 2022 and is better understood as an evolution of Turla’s established toolkit than as a completely separate platform.


Phase 1. Initial Access Through Multiple Delivery Techniques


Turla continues to rely on carefully crafted phishing campaigns tailored to diplomatic, military, and government personnel. Victims receive emails containing academic or foreign policy-themed lures designed to appear legitimate and encourage interaction.

The threat actor employs multiple delivery mechanisms depending on the target, including:

  • Malicious Remote Desktop Protocol (RDP) configuration files.

  • Weaponized WinRAR archives exploiting CVE-2025-8088.

  • MSI installers hosted on legitimate platforms such as GitHub.

  • HTML Application (HTA) scripts embedded inside compressed archives.

  • Payloads retrieved from compromised WordPress websites.

Google also observed STOCKSTAY being deployed after attackers had already gained access to victim environments, indicating that the malware is flexible enough to support both initial compromise and post-exploitation operations.


Phase 2. Modular Malware Deployment


Rather than operating as a single executable, STOCKSTAY consists of several independent modules that work together to provide persistence, communication, and operational capabilities.

The infection begins with STOCKSTAY.MARKETMAKER, whose sole purpose is to download and install the remaining components:

  • STOCKSTAY.STOCKBROKER, responsible for establishing secure WebSocket communications with the command-and-control infrastructure.

  • STOCKSTAY.STOCKTRADER, the primary backdoor responsible for executing commands and collecting intelligence.

  • STOCKSTAY.STOCKMARKET, which acts as the orchestrator, managing configuration, execution schedules, communication parameters, and coordination between all modules.

The components communicate internally using WM_COPYDATA-based Inter-Process Communication (IPC) while maintaining encrypted external communications through WebSockets using the open-source websocket-sharp library.

This modular architecture improves resilience and allows Turla to replace or update individual components without rebuilding the entire malware platform.


Phase 3. Persistence and Command & Control


Once installed, STOCKSTAY establishes an encrypted communication channel with its command-and-control (C2) server.

The malware supports an extensive command set that enables operators to:

  • Execute arbitrary commands and processes.

  • Collect detailed system information.

  • Browse, upload, download, and delete files.

  • Create or remove directories.

  • Read, modify, or delete Windows Registry keys.

  • Capture screenshots of the infected system.

  • Extract ZIP archives.

  • Execute multiple tasks simultaneously.

  • Deploy additional payloads when required.

Google also discovered a publicly accessible GitHub repository containing a Python implementation of the victim-facing WebSocket controller used during testing or infrastructure development.

Unlike typical malware infrastructure, the server cannot decrypt inbound communications, which makes it significantly harder for defenders to inspect attacker traffic or map the operational infrastructure.
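Because the C2 channel described above is an encrypted WebSocket session, defenders rarely get to inspect its content; what they can do is baseline who opens WebSocket upgrades and to where. The script below is an added example, not code from Google’s report or from the Turla tooling: it reviews constructed proxy log lines (the format, hosts, allowlist and process names are illustrative assumptions) and flags outbound `Upgrade: websocket` requests that deviate from the baseline, such as a non-browser process, a destination that is not on the allowlist, or a bare IP address. It does not claim any STOCKSTAY-specific fingerprint, since the post names none beyond the use of websocket-sharp.

```python
"""Baseline review of outbound WebSocket upgrades from proxy logs.

Added example for this post. The log lines, the allowlist and the process
names are constructed for illustration and are not real telemetry.
"""
import re

# Constructed proxy log format (not a real product format):
# <timestamp> <client> <process> <method> <host> <path> upgrade=<yes|no>
SAMPLE_LOG = """\
2024-01-01T09:00:01Z ws01 chrome.exe GET collab.example.com /socket upgrade=yes
2024-01-01T09:00:05Z ws02 chrome.exe GET collab.example.com /socket upgrade=yes
2024-01-01T09:01:10Z ws03 teams.exe GET collab.example.com /socket upgrade=yes
2024-01-01T09:02:00Z ws07 dotnet.exe GET 203.0.113.45 /ws upgrade=yes
2024-01-01T09:02:30Z ws07 dotnet.exe GET 203.0.113.45 /ws upgrade=yes
2024-01-01T09:03:00Z ws04 chrome.exe GET news.example.org /index.html upgrade=no
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<process>\S+) (?P<method>GET|CONNECT) "
    r"(?P<host>\S+) (?P<path>\S+) upgrade=(?P<upgrade>yes|no)$"
)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Illustrative baseline: destinations and client processes that are expected
# to open WebSocket sessions in this (hypothetical) environment.
ALLOWED_WS_HOSTS = {"collab.example.com"}
EXPECTED_WS_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe"}


def parse_line(line):
    """Parse one log line into a dict of named fields."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def reasons_for(event):
    """Return the list of baseline deviations for a WebSocket upgrade, or []."""
    if event["upgrade"] != "yes":
        return []  # plain HTTP request, out of scope for this check
    reasons = []
    if event["host"] not in ALLOWED_WS_HOSTS:
        reasons.append("destination-not-allowlisted")
    if event["process"].lower() not in EXPECTED_WS_PROCESSES:
        reasons.append("non-browser-process")
    if IPV4.match(event["host"]):
        reasons.append("raw-ip-destination")
    return reasons


def review(log_text):
    """Aggregate flagged upgrades per (client, process, host), most frequent first."""
    aggregated = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = reasons_for(event)
        if not reasons:
            continue
        key = (event["client"], event["process"], event["host"])
        entry = aggregated.setdefault(key, {
            "client": event["client"],
            "process": event["process"],
            "host": event["host"],
            "first_seen": event["ts"],
            "count": 0,
            "reasons": reasons,
        })
        entry["count"] += 1
    return sorted(aggregated.values(), key=lambda e: (-e["count"], e["host"]))


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f"{finding['client']} {finding['process']} -> {finding['host']} "
              f"x{finding['count']} since {finding['first_seen']}: "
              f"{', '.join(finding['reasons'])}")
```

On the constructed sample this reports a single entry: `ws07 dotnet.exe -> 203.0.113.45 x2`, flagged for all three reasons. In practice the allowlist would be built from a few weeks of observed upgrades rather than typed by hand, and a first-seen destination from a single host is the case worth a hunting ticket.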


Phase 4. Espionage and Long-Term Operations


One of the most significant findings is the way Turla integrates STOCKSTAY into different phases of its operations.

Early deployments focused on collecting intelligence from previously unknown environments. However, Google also observed STOCKSTAY being introduced late in intrusions where Turla had already performed extensive reconnaissance using existing implants such as Kazuar.

This suggests the group is gradually validating and operationalizing STOCKSTAY inside live operations before eventually replacing older tooling.

Researchers believe this strategy minimizes operational risk while allowing Turla to continuously improve the malware under real-world conditions.

The campaign primarily targets:

  • Government ministries.

  • Military organizations.

  • Diplomatic institutions.

  • Foreign policy organizations.

  • Strategic government agencies across Europe.


Defense Measures


Organizations should strengthen both preventive and detective controls to reduce exposure against sophisticated state-sponsored campaigns.

Recommended measures include:

  • Immediately patch WinRAR and other software vulnerable to known exploits.

  • Block or closely inspect RDP files, MSI installers, HTA files, and compressed archives received via email.

  • Monitor outbound WebSocket communications for unusual encrypted traffic.

  • Detect suspicious .NET processes and unauthorized Registry modifications.

  • Monitor PowerShell and Windows process creation for anomalous execution chains.

  • Deploy advanced email filtering and phishing-resistant multi-factor authentication (MFA).

  • Implement Endpoint Detection and Response (EDR) capable of identifying lateral movement and persistence techniques.

  • Conduct proactive threat hunting for Turla indicators of compromise and suspicious communications with compromised WordPress infrastructure.
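Several of the measures above (inspecting RDP, MSI and HTA files from email, and monitoring process creation for anomalous execution chains) reduce to a handful of parent/child rules over endpoint telemetry. The script below is an added example, not a detection rule published by Google or a vendor: it runs such rules over constructed process-creation events (a simplified tab-separated form of the fields a Sysmon-style event carries; the paths and the GitHub-hosted MSI URL are made up) and matches the delivery techniques listed in Phase 1: an `.rdp` file opened from a mail cache, WinRAR spawning a child process, `mshta.exe` running an HTA from a user-writable path, and `msiexec.exe` installing from a remote URL.

```python
"""Parent/child process heuristics for the delivery techniques in the post.

Added example. The events, paths and thresholds are constructed for
illustration; real telemetry would come from Sysmon event 1 or an EDR.
"""
import re

# Constructed events, one per line: ParentImage \t Image \t CommandLine
SAMPLE_EVENTS = [
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\t"
    "C:\\Windows\\System32\\mstsc.exe\t"
    "\"mstsc.exe\" \"C:\\Users\\u\\AppData\\Local\\Microsoft\\Windows\\INetCache"
    "\\Content.Outlook\\ABC123\\invitation.rdp\"",
    "C:\\Windows\\explorer.exe\t"
    "C:\\Program Files\\WinRAR\\WinRAR.exe\t"
    "\"WinRAR.exe\" \"C:\\Users\\u\\Downloads\\policy_brief.rar\"",
    "C:\\Program Files\\WinRAR\\WinRAR.exe\t"
    "C:\\Windows\\System32\\mshta.exe\t"
    "\"mshta.exe\" \"C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DIa0.123\\report.hta\"",
    "C:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\msiexec.exe\t"
    "msiexec.exe /i https://github.com/example-org/example/releases/download/v1/setup.msi /qn",
    "C:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\notepad.exe\t"
    "\"notepad.exe\" \"C:\\Users\\u\\Documents\\notes.txt\"",
]

# Locations where mail clients, browsers and archivers drop files.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|INetCache)\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
LURE_HANDLERS = {"mshta.exe", "msiexec.exe", "mstsc.exe", "winrar.exe"}
# Children WinRAR is expected to start in this (hypothetical) environment.
WINRAR_EXPECTED_CHILDREN = {"winrar.exe", "notepad.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one constructed event into its three fields."""
    parent, image, cmdline = line.split("\t", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def score_event(event):
    """Return the names of every rule the event matches (empty if benign)."""
    parent = basename(event["parent"])
    image = basename(event["image"])
    cmdline = event["cmdline"]
    lowered = cmdline.lower()
    findings = []
    if image == "mshta.exe" and ".hta" in lowered and USER_WRITABLE.search(cmdline):
        findings.append("hta-from-user-writable-path")
    if image == "msiexec.exe" and REMOTE_URL.search(cmdline):
        findings.append("msi-from-remote-url")
    if image == "mstsc.exe" and ".rdp" in lowered and USER_WRITABLE.search(cmdline):
        findings.append("rdp-file-from-download-or-mail")
    if parent == "winrar.exe" and image not in WINRAR_EXPECTED_CHILDREN:
        findings.append("winrar-spawned-process")
    if parent in MAIL_CLIENTS and image in LURE_HANDLERS:
        findings.append("mail-client-spawned-lure-handler")
    return findings


def triage(lines):
    """Map event index -> matched rules for every event that matched at least one."""
    results = {}
    for index, line in enumerate(lines):
        findings = score_event(parse_event(line))
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS).items():
        event = parse_event(SAMPLE_EVENTS[index])
        print(f"[{index}] {basename(event['parent'])} -> {basename(event['image'])}: "
              f"{', '.join(findings)}")
```

Three of the five constructed events match: the `.rdp` opened from Outlook's cache, the HTA launched by WinRAR from its temporary extraction folder, and the MSI pulled from a URL. The archive being opened and the text file do not match, which is the point of scoring on the chain rather than on the archiver alone. The rules are deliberately narrow; in production they would sit beside the EDR's own coverage and be tuned against the environment's legitimate use of `msiexec.exe` and `mstsc.exe`.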


Conclusions


STOCKSTAY represents a significant evolution in Turla’s cyber espionage capabilities. Its modular design, encrypted communications, flexible deployment methods, and strong architectural similarities with Kazuar demonstrate a mature malware ecosystem built for long-term intelligence collection.

Rather than introducing entirely new concepts, Turla has refined years of operational experience into a more scalable and maintainable framework capable of supporting complex espionage campaigns against high-value government and military targets.

The discovery also illustrates an important trend among advanced persistent threat (APT) groups: continuously modernizing established malware families while maintaining operational familiarity. For defenders, identifying these incremental evolutions is becoming just as important as detecting entirely new malware families.

As geopolitical tensions continue to drive state-sponsored cyber operations, organizations responsible for government, defense, diplomacy, and critical infrastructure should expect increasingly modular, stealthy, and adaptive malware designed to remain undetected for extended periods while quietly collecting strategic intelligence.
