The Russian-backed espionage group Turla has deployed a new tool known as STOCKSTAY, a previously undocumented .NET backdoor aimed at government and military targets in Ukraine. The backdoor is also believed to have been used against entities with an interest in Italian foreign policy.
Development and Characteristics of STOCKSTAY
According to Google’s Threat Intelligence Group (GTIG), STOCKSTAY shares substantial code similarities with Kazuar, a well-known implant used by Turla since 2017. The malware appears to have been in development since December 2022. It is a multi-component backdoor written in .NET, using Windows Forms, and communicates with its command-and-control (C2) server over a secure WebSocket (WSS) connection built on the open-source websocket-sharp library.
STOCKSTAY is structured into several components that interact through inter-process communication (IPC) based on WM_COPYDATA messages, the Windows mechanism by which one window passes a block of data to a window owned by another process. Initially designed to mimic a stock market data tool, it has since evolved to disguise itself as innocuous applications such as PDF readers and calculators.
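The WSS channel matters to defenders because a persistent WebSocket session through a corporate proxy looks, on the wire, like any other long-lived HTTPS tunnel. The following Python is an added example written for this page, not code from GTIG’s report or from STOCKSTAY itself. It shows two triage steps a practitioner would want: confirming from a decrypted or plaintext capture that an HTTP exchange really is an RFC 6455 WebSocket opening handshake (the server’s Sec-WebSocket-Accept must be the base64 SHA-1 of the client key plus a fixed GUID), and flagging CONNECT tunnels in a proxy log that stay open far longer than ordinary browsing. The log layout, the hostnames and IP, and the one-hour threshold are constructed assumptions, and the handshake uses the sample key/accept pair from RFC 6455; nothing here is a STOCKSTAY indicator.

```python
"""Triage helpers for WebSocket-based C2 channels such as the one described above.

Added example, not code from GTIG's report or from STOCKSTAY itself. The log
format, hostnames and the one-hour threshold below are constructed assumptions.
"""
import base64
import hashlib

# Fixed GUID from RFC 6455 section 4.2.2; the server appends it to the
# client's Sec-WebSocket-Key before hashing.
WS_MAGIC_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumed threshold: a CONNECT tunnel held open for an hour or more is unusual
# for ordinary browsing but normal for a persistent WebSocket C2 session.
MIN_TUNNEL_SECONDS = 3600


def expected_accept(sec_websocket_key: str) -> str:
    """Return the Sec-WebSocket-Accept value a compliant server must send."""
    digest = hashlib.sha1((sec_websocket_key + WS_MAGIC_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _parse_http_message(raw: str) -> tuple[str, dict[str, str]]:
    """Split a plaintext HTTP message into its start line and lower-cased headers."""
    lines = raw.strip().splitlines()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_websocket_handshake(request: str, response: str) -> bool:
    """True when request/response form a valid RFC 6455 opening handshake.

    Only usable on plaintext or TLS-intercepted traffic: over wss:// a forward
    proxy sees just the CONNECT, never these headers.
    """
    _, req = _parse_http_message(request)
    status_line, resp = _parse_http_message(response)
    if "websocket" not in req.get("upgrade", "").lower():
        return False
    if "upgrade" not in req.get("connection", "").lower():
        return False
    key = req.get("sec-websocket-key")
    if not key or not status_line.startswith("HTTP/1.1 101"):
        return False
    return resp.get("sec-websocket-accept") == expected_accept(key)


def flag_long_tunnels(proxy_log: str) -> list[str]:
    """Return CONNECT targets whose tunnel lasted at least MIN_TUNNEL_SECONDS.

    Assumed (constructed) record layout: ts client method target status bytes duration_s
    """
    flagged = []
    for line in proxy_log.strip().splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed records rather than abort the triage
        _, _, method, target, _, _, duration = fields
        if method == "CONNECT" and int(duration) >= MIN_TUNNEL_SECONDS:
            flagged.append(target)
    return flagged


# Constructed sample handshake using the key/accept pair given in RFC 6455.
SAMPLE_REQUEST = """\
GET /feed HTTP/1.1
Host: ws.example-stocks.test
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
"""

SAMPLE_RESPONSE = """\
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
"""

# Constructed proxy records: two short tunnels, one plain GET, two very long tunnels.
SAMPLE_PROXY_LOG = """\
2025-11-03T09:00:12Z 10.20.30.41 CONNECT mail.example.org:443 200 18240 3
2025-11-03T09:00:40Z 10.20.30.41 CONNECT cdn.example.net:443 200 1048576 12
2025-11-03T09:01:05Z 10.20.30.41 CONNECT 203.0.113.77:443 200 96320 14400
2025-11-03T09:02:00Z 10.20.30.42 GET http://intranet.example.org/news 200 5120 0
2025-11-03T09:03:10Z 10.20.30.41 CONNECT ws.example-stocks.test:443 200 40960 28800
"""

if __name__ == "__main__":
    print("handshake valid:", is_websocket_handshake(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print("long-lived tunnels:", flag_long_tunnels(SAMPLE_PROXY_LOG))
```

The tunnel-duration check is deliberately coarse: it will also surface legitimate long sessions (mail, chat, remote desktop over HTTPS), so treat it as a hunting lead to join against endpoint telemetry, not as an alert on its own. The handshake validator adds value only where TLS inspection or host-side capture makes the upgrade headers visible.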
Functionality and Modules of STOCKSTAY
The STOCKSTAY malware suite begins with the STOCKSTAY.MARKETMAKER downloader, which installs additional modules: STOCKSTAY.STOCKBROKER, STOCKSTAY.STOCKTRADER, and STOCKSTAY.STOCKMARKET. STOCKSTAY.STOCKBROKER acts as a proxy-aware tunneler, establishing secure WebSocket connections for the suite, while STOCKSTAY.STOCKTRADER gathers information and executes commands on compromised devices.
The STOCKSTAY.STOCKMARKET orchestrator holds configuration settings such as the WebSocket server details and the hours during which the implant is allowed to operate, and drives both STOCKSTAY.STOCKBROKER and STOCKSTAY.STOCKTRADER to coordinate the suite’s execution.
Distribution and Impact of STOCKSTAY
STOCKSTAY has been distributed in several ways, including phishing emails with malicious attachments that exploit vulnerabilities such as CVE-2025-8088, a WinRAR path-traversal flaw. The malware has been delivered through RAR archives, MSI installers, and GitHub-hosted scripts, with lures built around academic or diplomatic themes and aimed mostly at government and military organizations.
GTIG also noted a GitHub repository containing a Python implementation of the STOCKSTAY WebSocket controller, which complicates efforts to attribute the controller infrastructure to a single actor. GTIG further observed significant overlap between STOCKSTAY’s and Kazuar’s infrastructure, suggesting shared developers or a shared development philosophy.
In late 2025, Turla campaigns in Ukraine were observed using compromised WordPress sites to host STOCKSTAY components. The malware has been used at different operational stages, from initial access to post-exploitation, indicating a targeted approach.
Conclusion and Future Outlook
These operations underscore Turla’s sophistication and adaptability in cyber espionage. The parallels between STOCKSTAY and Kazuar suggest an evolution of Turla’s toolkit, possibly intended to have new capabilities in place before existing access routes are discovered and shut down. Continued vigilance is essential to mitigate the risks posed by such advanced threats.
