Russia-Linked Turla Uses STOCKSTAY Backdoor in Ukraine Espionage Campaign
Russia-linked Turla has added a .NET backdoor called STOCKSTAY to its espionage toolkit, with Ukrainian government and military organizations among the main targets. The malware has been under active development since at least December 2022, according to the Google Threat Intelligence Group (GTIG).
STOCKSTAY stands out because it does more than run commands on a compromised machine. It uses a multi-component design, communicates through WebSocket connections, and has been delivered through compromised infrastructure inside Ukraine to make malicious activity look less unusual on local networks.
Turla is also tracked as SUMMIT, Secret Blizzard, VENOMOUS BEAR and UAC-0194. The group has a long record of targeting government, diplomatic and defense organizations, and Microsoft’s Secret Blizzard reporting has previously described its focus on Ukrainian military devices and long-term intelligence collection.
What STOCKSTAY Is Used For
STOCKSTAY is built for espionage. Once deployed, it can support file operations, command execution, registry changes, system surveys and screen capture. It also gathers details about the infected device, including operating system information, hardware data and running processes.
The malware originally pretended to be a stock market data tool. Later versions used names and themes linked to PDF viewers, calculators and education portals, which made the files more believable for targets in government, military and diplomatic environments.
GTIG’s STOCKSTAY analysis describes three main components working together. This split design makes each part responsible for a different stage of the infection chain.
| Component | Role | Why it matters |
|---|---|---|
| STOCKSTAY.STOCKBROKER | Handles WebSocket communication | Separates network traffic from other malware activity on the host |
| STOCKSTAY.STOCKMARKET | Orchestrates the implant | Loads encrypted configuration data and coordinates tasking |
| STOCKSTAY.STOCKTRADER | Runs backdoor commands | Supports file collection, registry changes, process execution and system checks |
How Turla Delivered the Backdoor
Turla’s delivery strategy leaned on sources the targets had reason to trust. In one 2025 Ukraine operation, the STOCKSTAY.MARKETMAKER downloader component fetched the backdoor from a compromised website belonging to the State Regulatory Service of Ukraine. Other activity used compromised WordPress infrastructure and education-themed lures.

Attackers also used malicious Remote Desktop Protocol files in phishing emails. When a victim opened the RDP file, the machine connected to actor-controlled infrastructure, giving the operators a path to deploy STOCKSTAY.MARKETMAKER and then install the wider STOCKSTAY suite.
- Academic and diplomatic themes appeared repeatedly in lures and file names.
- Compromised Ukrainian infrastructure helped payload delivery blend into local traffic.
- Some STOCKSTAY configurations limited activity to weekday business hours.
- Later samples used stronger obfuscation and module names that looked like Windows libraries.
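The RDP-file lure described above is easy to triage before anyone double-clicks it: a .rdp file is plain text, one `key:type:value` setting per line. The script below is an added example written for this page, not code from the GTIG report or from Turla's tooling. It parses an .rdp file and flags the settings an attacker-controlled file tends to carry (an unknown remote host, local drive and clipboard redirection, RemoteApp mode that hides the session). The setting names are the standard Remote Desktop Connection keys; the sample file, the host names and the allowlist of trusted hosts are constructed for the example.

```python
"""Triage a Windows .rdp file for settings typical of a phishing lure (example code)."""
import re

# One setting per line, "key:type:value"; type is "s" (string) or "i" (integer).
RDP_LINE = re.compile(r"^(?P<key>[^:]+):(?P<type>[si]):(?P<value>.*)$")

# Standard mstsc setting names; the risk notes are the editor's, not the report's.
RISKY_FLAGS = {
    "redirectclipboard": "shares the clipboard with the remote host",
    "redirectprinters": "exposes local printers to the remote host",
    "redirectsmartcards": "exposes smart cards to the remote host",
    "remoteapplicationmode": "runs as a RemoteApp, so the victim never sees a full remote desktop",
}


def parse_rdp(text: str) -> dict:
    """Parse .rdp text into {key: value}; integer-typed values become int."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a BOM left by a UTF-16 decode
        m = RDP_LINE.match(line)
        if not m:
            continue  # unknown or blank line; ignore rather than fail
        key = m.group("key").strip().lower()
        value = m.group("value").strip()
        if m.group("type") == "i" and value.lstrip("-").isdigit():
            value = int(value)
        settings[key] = value
    return settings


def _host_of(address: str) -> str:
    """'host:port' -> 'host'; a bracketed IPv6 literal is kept whole."""
    address = address.strip()
    if address.startswith("["):
        return address.split("]")[0].lstrip("[").lower()
    return address.split(":")[0].lower()


def triage_rdp(text: str, trusted_hosts=()) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    s = parse_rdp(text)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    # Any host the file would connect to, including an RD Gateway, must be one we know.
    for key in ("full address", "alternate full address", "gatewayhostname"):
        host = _host_of(str(s.get(key, "")))
        if host and host not in trusted:
            findings.append(f"{key} points at untrusted host {host}")
    drives = str(s.get("drivestoredirect", "")).strip()
    if drives == "*":
        findings.append("redirects every local drive into the remote session")
    elif drives:
        findings.append(f"redirects local drives: {drives}")
    for key, why in RISKY_FLAGS.items():
        if s.get(key) == 1:
            findings.append(f"{key}=1: {why}")
    if s.get("remoteapplicationmode") == 1 and s.get("remoteapplicationprogram"):
        findings.append(f"RemoteApp program: {s['remoteapplicationprogram']}")
    return findings


# Constructed sample resembling a lure: hosts and program name are made up.
SAMPLE_RDP = """\
full address:s:desk.example.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Viewer
username:s:user
authentication level:i:0
"""

if __name__ == "__main__":
    import sys

    paths = sys.argv[1:]
    if not paths:  # no file given: run on the constructed sample
        for f in triage_rdp(SAMPLE_RDP, trusted_hosts=("rdp.corp.example",)):
            print("-", f)
    for path in paths:
        data = open(path, "rb").read()
        # mstsc commonly saves UTF-16 with a BOM; fall back to UTF-8 otherwise.
        text = data.decode("utf-16") if data.startswith((b"\xff\xfe", b"\xfe\xff")) else data.decode("utf-8", "replace")
        print(path)
        for f in triage_rdp(text, trusted_hosts=("rdp.corp.example",)):
            print("-", f)
```

Run it against a quarantined attachment with `python triage_rdp.py lure.rdp`; any finding other than a known corporate host is grounds to block the file. Drive redirection (`drivestoredirect:s:*`) is the setting to watch most closely, because it hands the remote side read and write access to the victim's local disks.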
WinRAR Flaw Was Used in a Later Phishing Wave
In November 2025, GTIG observed phishing emails sent to about 20 Ukraine-based targets from a drone-themed UKR.NET account. The links led to malicious RAR archives that exploited CVE-2025-8088, a WinRAR path traversal flaw, to install core STOCKSTAY components.
Google’s separate WinRAR vulnerability analysis says CVE-2025-8088 was patched in July 2025 but continued to be exploited by both state-backed and financially motivated actors. The flaw lets a crafted archive write files outside the chosen extraction directory, including into startup paths, which gives a dropped payload persistence without any further action from the victim.
The NVD entry rates the vulnerability as high severity and lists the affected software as WinRAR on Windows before version 7.13. The fix only helps once it is installed: WinRAR does not update itself, so a 7.13 or later build has to be rolled out to every endpoint that carries the program.
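A cheap control against archive-based persistence, whatever the extraction bug, is to inspect an archive's entry names before anyone extracts it. The following is an added example for this page, not code from GTIG or from the WinRAR fix; it does not reproduce the CVE-2025-8088 exploit itself. It takes the entry names from whatever lister you already use (for instance the `rarfile` module's `namelist()`, or `unrar lt` / `7z l` output) and flags absolute paths, `..` traversal, alternate-data-stream syntax, and anything that would land in a Windows Startup folder. The sample entry list is constructed; the ADS-style name is an assumed pattern, included because the page notes the flaw writes to arbitrary locations.

```python
"""Flag archive entry names that could escape the extraction directory (example code)."""
import re

# Both the per-user and all-users Startup folders contain this path fragment.
STARTUP_FRAGMENT = "start menu\\programs\\startup"


def audit_entry(name: str) -> list:
    """Return the reasons an entry name looks dangerous; empty list means it looks ordinary."""
    reasons = []
    norm = name.replace("/", "\\")
    body = re.sub(r"^[A-Za-z]:", "", norm)  # drop a leading drive letter, if any
    if norm != body or norm.startswith("\\"):  # "C:\..." or "\..." or UNC "\\server\..."
        reasons.append("absolute path")
    if ":" in body:  # "file:stream" is NTFS alternate data stream syntax
        reasons.append("alternate data stream syntax")
    # Split on both separators so a ".." hidden after an ADS colon is still seen.
    parts = [p for p in re.split(r"[\\:]", body) if p]
    if ".." in parts:
        reasons.append("parent-directory traversal")
    if STARTUP_FRAGMENT in norm.lower():
        reasons.append("targets a Startup folder")
    return reasons


def audit_listing(names) -> dict:
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    return {n: r for n in names if (r := audit_entry(n))}


# Constructed listing: one decoy document, one harmless image, three hostile names.
SAMPLE_ENTRIES = [
    "Report_2025.pdf",
    "img/photo.jpg",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"C:\Users\Public\helper.exe",
    r"decoy.txt:..\..\Start Menu\Programs\Startup\x.lnk",
]

if __name__ == "__main__":
    for entry, why in audit_listing(SAMPLE_ENTRIES).items():
        print(f"{entry}\n    {', '.join(why)}")
```

A mail gateway or sandbox can run this over every archive it sees; a single flagged entry is enough to quarantine the file, since a legitimate document archive never needs to write outside its own folder. The check is deliberately on names rather than content: an updated WinRAR refuses these names, but the listing tells you a lure was sent even on hosts that were already patched.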
Why STOCKSTAY Looks Connected to KAZUAR
STOCKSTAY also resembles KAZUAR, another Turla malware ecosystem. Microsoft’s Kazuar research describes KAZUAR as a modular tool built for persistent and covert access to target environments.
The overlap is not limited to broad goals. STOCKSTAY and KAZUAR both use multi-component designs, encrypted configuration handling, environmental checks and compromised infrastructure. GTIG also found the K1MORPHER string obfuscation technique in both malware families during a similar time window.

This does not mean STOCKSTAY simply replaces KAZUAR. The better reading is that Turla appears to be building parallel toolsets, giving operators more ways to keep access if one implant gets detected, blocked or removed.
| Defender focus | Why it matters |
|---|---|
| Unexpected WebSocket traffic | STOCKSTAY uses WebSocket-based command-and-control channels |
| Suspicious RDP file activity | Turla used RDP files as a delivery path in Ukraine operations |
| Unusual startup entries | Archive-based exploitation can place payloads in persistence locations |
| Fake Windows-style DLL names | Newer samples carved functionality into modules with legitimate-looking names |
What Security Teams Should Do Now
Organizations that may face Russian state-backed espionage should review the indicators and YARA rules in the GTIG report, especially if they operate in Ukraine, support defense work, or handle diplomatic information. The most urgent checks involve suspicious RDP files, unexpected WebSocket traffic and executable files posing as Microsoft, PDF or calculator utilities.
Security teams should also confirm that WinRAR has been upgraded to a fixed release. Google’s CVE-2025-8088 research shows why patched vulnerabilities remain useful to attackers when organizations update slowly.
The broader lesson matches the pattern seen in the Kazuar anatomy report and Microsoft guidance on Secret Blizzard: Turla invests in persistence, redundancy and stealth. STOCKSTAY gives the group another quiet channel for intelligence gathering against Ukraine and related European targets.
FAQ
What is STOCKSTAY?
STOCKSTAY is a .NET backdoor linked to the Russia-associated Turla threat group. It is used for cyber espionage and can run commands, collect files, modify registry settings, survey infected systems and communicate with operators through WebSocket connections.
Who has been targeted?
Google says STOCKSTAY has been used against government and military organizations in Ukraine, as well as entities connected to Italian foreign policy interests. Earlier samples and related activity were also observed in several European countries.
How does STOCKSTAY talk to its operators?
STOCKSTAY uses a component called STOCKSTAY.STOCKBROKER to create WebSocket-based communication with command-and-control infrastructure. This separates network communication from other malware activity and can make detection harder.
How was the WinRAR flaw used?
In November 2025, phishing emails led targets to malicious RAR archives that exploited CVE-2025-8088, a WinRAR path traversal flaw. The archives attempted to install STOCKSTAY components on affected Windows systems.
What should organizations do?
Organizations should review the official indicators of compromise, monitor unusual WebSocket and RDP activity, check for suspicious startup entries, update WinRAR to a fixed version and investigate executables pretending to be Microsoft, PDF or calculator utilities.