STOCKSTAY Backdoor Campaign Uses Malicious RDP Files and WinRAR Exploit to Target Ukraine
A cyber-espionage campaign linked to Turla is using malicious Remote Desktop Protocol files and an older patched WinRAR flaw to deploy a .NET backdoor called STOCKSTAY against Ukrainian targets.
The campaign was detailed by Google Threat Intelligence Group, which said STOCKSTAY has been developed and used by Turla since at least December 2022. The malware has targeted Ukrainian government and military organizations, along with entities connected to Italian foreign policy.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Attackers disguise STOCKSTAY as ordinary software, including stock market viewers, PDF tools, and calculator apps. The goal is quiet access, long-term intelligence collection, and command execution without drawing attention to a custom espionage tool.
How the STOCKSTAY campaign reaches victims
Turla has used malicious RDP configuration files and booby-trapped archives as delivery paths. In one case, a compromised university email account sent a fake distance learning lure that carried a malicious RDP file.
When opened, the RDP file connects the victimโs machine to attacker-controlled infrastructure. That connection can then support additional payload delivery without requiring the victim to run a clearly suspicious executable.
The campaign also abuses CVE-2025-8088, a WinRAR path traversal vulnerability. The flaw allows specially crafted archives to write files outside the folder selected by the user, which makes it useful for dropping malware into Windows startup locations.
| Attack element | How it works | Security impact |
|---|---|---|
| Malicious RDP file | Victim opens a fake remote desktop configuration | Creates an outbound connection to attacker infrastructure |
| WinRAR exploit | Archive extraction writes files outside the expected folder | Drops persistence files into startup paths |
| Disguised apps | Backdoor components look like stock or calculator tools | Reduces user suspicion |
| Cloud-based relay | Traffic uses legitimate hosting platforms | Blends command traffic with normal web activity |
WinRAR flaw remains useful long after the patch
CVE-2025-8088 was fixed in WinRAR 7.13. The official WinRAR 7.13 release notes describe it as a directory traversal vulnerability affecting Windows versions of WinRAR, UnRAR, and related components.
The same release notes said specially crafted archives could bypass the user-selected extraction path and write files to unintended locations on the file system. That behavior explains why attackers use the flaw to place shortcuts and malware components in startup folders.
Googleโs WinRAR exploitation report later warned that several government-backed and financially motivated threat actors continued exploiting CVE-2025-8088 after the patch shipped. The report linked exploitation to Russian and Chinese threat activity, including campaigns against Ukraine.
- Update WinRAR to 7.13 or later if older versions remain installed.
- Audit endpoints for old WinRAR, UnRAR, and related extraction components.
- Block unexpected RAR archives from untrusted senders when possible.
- Monitor for new shortcuts or executables written to Windows startup folders.
- Train users to treat unexpected RDP files as high-risk attachments.
STOCKSTAY is modular and built for long-term espionage
STOCKSTAY is written in .NET and uses several components rather than one large executable. That modular design lets the operators update parts of the malware, change communication logic, or swap functions without rebuilding the whole tool.
Google said the backdoor has similarities to Kazuar, another Turla-linked malware family. STOCKSTAY can support command execution, file movement, communication with operators, and information collection from infected systems.
Picus Security described STOCKSTAY and Kazuar as part of Turlaโs custom malware toolkit for long-term intelligence collection. It also noted that Turla routes traffic through legitimate services to make command-and-control activity harder to identify.
| Component behavior | What it gives attackers |
|---|---|
| Disguised executable names | Helps malware look like normal software |
| Multiple .NET modules | Allows separate control over communication, file handling, and commands |
| Startup shortcut persistence | Restarts the backdoor after reboot or sign-in |
| Cloud relay infrastructure | Hides malicious traffic among normal web services |
| Host-based configuration encryption | Makes captured samples harder to analyze away from the victim system |
Malicious archives place STOCKSTAY in startup folders
One delivery method uses a RAR archive disguised as a military pay calculator. When extracted with a vulnerable WinRAR version, the archive can write STOCKSTAY files and shortcut files outside the expected extraction directory.
The NVD entry for CVE-2025-8088 confirms that the flaw affects the Windows version of WinRAR and allows attackers to execute arbitrary code through crafted archives. It also notes that the vulnerability was exploited in the wild.
In the STOCKSTAY campaign, shortcuts with names such as MSViewer.lnk, MSDriver.lnk, and MSRender.lnk help launch different malware components after startup. This gives the attackers persistence without requiring the user to open the archive again.
Command traffic hides behind trusted services
STOCKSTAY avoids simple network detection by using legitimate cloud and hosting platforms as part of its communication path. Instead of contacting one obvious attacker-controlled server directly, the malware can use relay-style infrastructure.
This resembles a dead-drop method. The infected machine and the operator check the same relay location for messages, which makes the traffic look less like a traditional command-and-control session.
Picus Security said Turla has used legitimate services such as Cloudflare Workers and GitHub to conceal command-and-control traffic. That approach forces defenders to inspect behavior, destination patterns, and context rather than blocking every connection to popular cloud platforms.
- Watch for WebSocket traffic to unfamiliar hosting services.
- Review cloud-hosted endpoints contacted by sensitive government or defense systems.
- Alert on unusual use of Glitch, Render, GitHub, or similar platforms from restricted networks.
- Correlate suspicious cloud traffic with new startup files or shortcut creation.
- Preserve network logs before removing malware, since local artifacts may be limited.
Turla remains focused on intelligence collection
Turla, also tracked as Secret Blizzard, Snake, Venomous Bear, SUMMIT, and UAC-0194, has operated for many years as a Russia-linked espionage group. Public reporting has tied the group to government, military, diplomatic, and defense targets.
The MITRE ATT&CK Turla profile tracks the group as a Russia-based threat actor active since at least the early 2000s. MITRE also lists multiple malware families and techniques associated with Turlaโs long-running operations.
STOCKSTAY fits that pattern. It favors stealth, modularity, durable access, and quiet data collection instead of loud disruption. The backdoorโs disguises and cloud-based communication make it suitable for long-term collection operations against sensitive targets.
What defenders should check now
Organizations in Ukraine, government agencies, defense contractors, universities, and policy-focused institutions should review recent RDP attachments, archive files, and startup folder changes. The risk is higher where outdated WinRAR versions remain installed.
Security teams should also review the Google WinRAR exploitation research because it explains why patched n-day flaws remain useful when organizations fail to update unmanaged software. This is especially important for archive tools that users install manually and forget.
The MITRE Turla profile can help defenders map observed activity to known tactics, techniques, and procedures. That mapping can support better detection engineering and threat-hunting coverage.
- Update WinRAR, UnRAR, and related components to secure versions on all Windows endpoints.
- Search Windows startup folders for suspicious LNK files such as MSViewer.lnk, MSDriver.lnk, and MSRender.lnk.
- Block or quarantine unexpected RDP files from email attachments and shared drives.
- Review outbound WebSocket traffic to unfamiliar cloud-hosted domains.
- Hunt for STOCKSTAY-related filenames, including stock, PDF, calculator, or system-library disguises.
- Check whether sensitive hosts contacted unusual serverless or browser app platforms.
- Preserve RDP, PowerShell, process creation, DNS, and proxy logs for incident response.
Bottom line
STOCKSTAY shows how a long-running espionage group can combine simple lures with durable malware and trusted infrastructure. A malicious RDP file or a crafted archive can be enough to open the door when users trust the file and systems remain unpatched.
The strongest defenses are practical: patch WinRAR, restrict RDP attachments, monitor startup folder changes, inspect unusual cloud-hosted traffic, and test detections against known Turla behaviors. Signature checks alone may miss a campaign designed to look like normal software and normal web traffic.
FAQ
STOCKSTAY is a modular .NET backdoor linked to Turla, also known as Secret Blizzard. It is used for cyber espionage, command execution, file handling, and long-term intelligence collection on infected systems.
The campaign uses malicious RDP files and crafted RAR archives to reach victims. Google said Turla used STOCKSTAY against Ukrainian government and military organizations, with lures designed to look like legitimate tools or documents.
CVE-2025-8088 is a WinRAR path traversal vulnerability that allows crafted archives to write files outside the user-selected extraction folder. Attackers can abuse it to place malware or shortcuts in Windows startup locations.
Organizations should update WinRAR, block unexpected RDP files, inspect startup folders for suspicious shortcuts, monitor unusual WebSocket traffic to cloud-hosted services, and review endpoints for STOCKSTAY-related files or disguises.
STOCKSTAY disguises itself as common software and can route communication through legitimate cloud services. It also uses modular components and host-based configuration handling, which makes simple signature-based detection less reliable.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages