Russia-affiliated Advanced Persistent Threat (APT) group Turla has launched a new espionage campaign targeting Ukrainian government and military sectors. According to a report by Google’s Threat Intelligence Group (GTIG), this campaign involves a sophisticated backdoor named StockStay, crafted specifically for intelligence gathering.
Background on Turla’s Operations
Turla, also tracked under aliases such as Krypton and Venomous Bear, has been operational since 2004 and was publicly attributed to Russia’s Federal Security Service (FSB) in 2023. The StockStay backdoor, whose development GTIG traces back to 2022, marks a significant escalation in the group’s cyber activities against Ukraine and against entities interested in Italian foreign policy.
This .NET-based backdoor is an evolution of earlier Turla tooling and shares similarities with Kazuar, a known Turla implant dating back to 2015. It was initially disguised as a stock market tool; more recent samples pose as PDF viewers and calculator applications, reflecting how readily its operators change its cover.
Technical Breakdown of StockStay
StockStay is a multi-component malware leveraging a secure WebSocket connection for its command-and-control operations, utilizing the websocket-sharp library. Its architecture includes several components such as StockStay.MarketMaker for payload delivery, StockStay.StockBroker for network tunneling, and StockStay.StockTrader for executing various commands. These components enable extensive capabilities like file manipulation, screen capture, and system information gathering.
The malware’s configurability is managed through StockStay.StockMarket, with settings stored in an encrypted configuration file. GTIG reports that most of StockStay’s activities have been concentrated on Ukrainian entities, reflecting the strategic interests of its operators in the region.
Espionage Tactics and Global Reach
Beyond Ukraine, StockStay’s reach has extended to European nations including Italy, the Netherlands, Poland, and Germany. The group has employed phishing lures themed around academia and diplomacy, sending them from compromised email accounts at educational institutions to distribute malicious RDP configuration files.
Such methods indicate a refined approach to social engineering, aiming to exploit the trust within educational and diplomatic sectors. GTIG noted that Turla deployed StockStay at various stages of its campaigns, from initial access to deeper infiltration.
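The report describes the lure only as a malicious RDP configuration file, so the following is an added triage helper written from the defender’s side, not code from GTIG or from the campaign. An .rdp file is plain "key:type:value" text, and the settings that matter for mail-gateway triage are the well-documented ones that redirect local drives, clipboard, printers or smart cards to the remote host, or hide the session as a RemoteApp. The sample files, the allow-list of known gateways and the scoring rules are constructed for this example.

```python
"""
Triage helper for .rdp attachments (added example, not from the GTIG report).

An .rdp file that points a recipient at a host the organisation does not
operate, while also redirecting local drives, clipboard or smart cards to
that host, hands the remote side access to local resources. The key names
below are standard .rdp settings; which ones to score, the allow-list and
the sample files are assumptions made for this example.
"""
from __future__ import annotations

# Settings that expose local resources (or hide the session) when enabled.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",        # any drive redirection
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "redirectsmartcards": lambda v: v.strip() == "1",
    "redirectcomports": lambda v: v.strip() == "1",
    "remoteapplicationmode": lambda v: v.strip() == "1",  # RemoteApp hides the desktop
}

# Constructed allow-list of the organisation's own RDP gateways.
KNOWN_HOSTS = {"rdp.corp.example"}


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'key:type:value' lines into {key: (type, value)}; junk lines are ignored."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)   # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip(), value)
    return settings


def triage_rdp(text: str) -> dict:
    """Return the target host, the risky settings present and a verdict."""
    settings = parse_rdp(text)
    host = settings.get("full address", ("s", ""))[1].strip()
    # Strip a trailing ':port' but leave anything more exotic untouched.
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    flagged = sorted(
        key for key, is_risky in RISKY_SETTINGS.items()
        if key in settings and is_risky(settings[key][1])
    )
    unknown_host = hostname.lower() not in KNOWN_HOSTS
    if unknown_host and flagged:
        verdict = "block"      # unknown destination plus resource redirection
    elif unknown_host or flagged:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "host": hostname,
        "flagged": flagged,
        "unknown_host": unknown_host,
        "verdict": verdict,
    }


# Constructed sample resembling a lure: unknown host, drives and clipboard redirected.
SAMPLE_LURE = """\
screen mode id:i:2
full address:s:conference-portal.example.net:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
remoteapplicationmode:i:1
"""

# Constructed benign file: corporate gateway, no redirection.
SAMPLE_BENIGN = """\
full address:s:rdp.corp.example
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rdp(sample))
```

The verdict combines two independent signals, destination and redirection, because either alone has legitimate uses: administrators do redirect drives to their own gateways, and a file pointing at an unfamiliar host without redirection is worth a look rather than an automatic block.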
In a notable incident in November 2025, Turla targeted 20 Ukrainian entities using a phishing campaign that exploited a known vulnerability (CVE-2025-8088) to execute StockStay. This attack highlights ongoing efforts by Russian APTs to exploit software vulnerabilities for cyber espionage.
Implications and Future Outlook
The continuous evolution of Turla’s tactics underscores the persistent cyber threat posed by Russian APTs. These developments call for heightened vigilance and robust cybersecurity measures, particularly for government and military organizations. As geopolitical tensions remain high, the role of cyber warfare in international conflicts is likely to expand, necessitating coordinated defensive strategies.
