A sophisticated cyber-espionage campaign has been identified, leveraging fake remote desktop protocol (RDP) files and a recently patched WinRAR vulnerability to infiltrate Ukrainian systems with a backdoor named STOCKSTAY. This malware, disguised as ordinary software like market tracking and calculator apps, operates stealthily to gather data from affected computers.
Modular Design Increases Resilience
STOCKSTAY is crafted using .NET and is composed of various components, each tasked with specific functions such as communication with command servers, file transfer, or executing commands. This modular architecture allows attackers to modify parts of the malware without needing to rebuild it entirely, complicating efforts to neutralize it.
Researchers at Picus Security have been monitoring this malicious activity as part of their investigation into the group responsible, known as Turla or Secret Blizzard. Linked to Russia’s Federal Security Service, Turla has been conducting espionage campaigns since 2004, establishing itself as one of the most persistent state-sponsored hacking entities.
Exploiting Vulnerabilities for Infiltration
Turla’s recent strategies focus on deceiving targets into opening malicious files instead of relying solely on technical exploits. In one instance, a compromised university email was used to distribute a dangerous RDP file masquerading as a distance learning trial, which surreptitiously connected to attacker-controlled servers.
Additionally, the group exploited a WinRAR path traversal vulnerability, designated as CVE-2025-8088, to inject STOCKSTAY into victims’ startup directories during archive extraction. This method ensures the backdoor reactivates with each system reboot.
Advanced Evasion Techniques
STOCKSTAY employs innovative evasion tactics by routing its traffic through legitimate cloud platforms, mimicking normal web activities. This approach makes it difficult for network defenders to detect malicious communication. Furthermore, the malware uses a technique akin to a dead drop, where both the infected machine and attackers check the same relay for instructions, avoiding direct contact.
The malware encrypts its configuration based on the victim’s hostname, adding another layer of complexity for analysts trying to decode it on separate systems. Security teams are advised to test their defenses against Turla’s known tactics and review unusual outbound connections to unrecognized cloud services.
Preventative Measures
Organizations are encouraged to educate their staff about the dangers of unsolicited RDP files and suspicious archive attachments. Keeping software like WinRAR updated is critical to closing potential exploit routes. Understanding and simulating these attack patterns can help identify security weaknesses before they are exploited.
Indicators of Compromise (IoCs) have been documented to assist in identifying infections, emphasizing the need for robust threat intelligence and proactive defense strategies. Integrating real-time threat feeds from security operations centers can significantly enhance an organization’s ability to prevent cyber incidents and financial losses.
