Russian state-sponsored threat actor Turla has deployed a previously undocumented .NET backdoor called STOCKSTAY against Ukrainian government and military organizations since at least late 2022, according to a June 25 analysis published by Google Threat Intelligence Group (GTIG). The implant shares significant code with Turla’s long-running KAZUAR malware and has also been observed in operations targeting entities in Italy, the Netherlands, Poland, and Germany.

A New Tool in an Old Arsenal

STOCKSTAY does not represent a departure from Turla’s tradecraft; it represents its maturation. The group, also tracked as SUMMIT, Secret Blizzard, VENOMOUS BEAR, and UAC-0194, has refined this implant over three years of active development, adding obfuscation layers, modular components, and increasingly sophisticated lure themes as the conflict in Ukraine has evolved.

GTIG attributes STOCKSTAY to Turla with high confidence, citing code and functional overlaps with KAZUAR, shared command-and-control infrastructure, and confirmed co-deployment of both implants within compromised Ukrainian networks. Turla’s Snake implant has previously been publicly attributed by CISA to Center 16 of Russia’s Federal Security Service (FSB).


Inside STOCKSTAY: A Three-Component Architecture

STOCKSTAY operates as a modular system with three primary components that divide C2 traffic, orchestration, and execution into separate processes. Each communicates via Windows inter-process messaging (WM_COPYDATA), a technique that limits the behavioral footprint of any single component and distributes detection indicators across multiple processes.

STOCKSTAY.STOCKBROKER: The C2 Handler

This component handles all command-and-control communication via secure WebSocket connections (wss://) to attacker-controlled infrastructure. The proxy-aware design isolates network traffic from the main backdoor process, a tactic that complicates detection at the network monitoring layer. Confirmed C2 endpoints have been hosted on the Render and Glitch cloud platforms.

STOCKSTAY.STOCKMARKET: The Orchestrator

The orchestrator loads and decrypts configuration files, generates a unique 4096-bit RSA key pair per infection, and manages communications between components. Configuration files define C2 endpoints, active hours (typically weekdays between 09:00 and 18:00 local time), and operational parameters. The business-hours restriction, common in state-sponsored tooling, reduces the risk of triggering anomaly alerts during off-hours monitoring windows when fewer analysts are present.

STOCKSTAY.STOCKTRADER: The Backdoor

The backdoor supports a full range of post-access operations: file transfer (upload and download), registry manipulation, process execution, system reconnaissance via WMI, screenshot capture, and archive extraction. A fourth component, STOCKSTAY.MARKETMAKER, serves as the initial downloader and masquerades as Microsoft software to establish persistence via Windows registry run keys.

Attack Vectors and Targeting Patterns

GTIG’s analysis spans STOCKSTAY’s three-year operational history and documents multiple initial access techniques adapted to the conflict environment.

Weaponized Archives and WinRAR Exploitation

Early operations distributed ZIP payloads staged from compromised Ukrainian WordPress sites. A November 2025 phishing wave used RAR archives exploiting CVE-2025-8088, a WinRAR path traversal vulnerability, delivered via drone-related lures targeting Ukrainian military personnel. Organizations that have not patched WinRAR against CVE-2025-8088 remain exposed to this delivery mechanism.

RDP File Phishing

In 2025, phishing emails carrying malicious RDP file attachments targeted Ukrainian university affiliates and diplomatic education contacts. When opened, the files connected victims to actor-controlled infrastructure for staging and payload deployment without requiring further user interaction beyond opening the attachment.

MSI Installers via Public Cloud Platforms

Turla has hosted STOCKSTAY installers on GitHub repositories under names such as “DiplomacyEduAI.msi.” GTIG also identified a publicly accessible GitHub repository containing the Python WebSocket server controller that manages inbound connections from compromised victims, including logging of victim IP addresses. Using public cloud platforms for staging and C2 is a deliberate choice: these services blend into legitimate enterprise traffic and are rarely blocked by perimeter controls.


Code Overlaps with KAZUAR: Implications for Threat Intelligence Teams

The architectural and code-level overlaps between STOCKSTAY and KAZUAR carry implications beyond attribution. Both implants use the K1MORPHER obfuscation library, based on the Squirrel3 pseudo-random number generator, to encrypt strings and data arrays at compile time and deobfuscate them at runtime. Both use environmental keying, binding decryption to the target hostname and domain data to hamper sandbox and emulation analysis. Both follow the same three-tier operational architecture: a dedicated C2 communication handler, an orchestrator, and a command executor.

For threat intelligence teams that have previously detected or investigated KAZUAR implants, this shared fingerprint means existing detection rules and hunting logic have partial applicability to STOCKSTAY activity. GTIG’s analysis includes YARA rules, network indicators of compromise, and SHA-256 file hashes to support both retrospective threat hunting and prospective detection deployment.

What This Means for Security Leaders

STOCKSTAY is not an emerging capability in its early stages; it is a mature program that has operated below broad industry awareness for three years. The operational tempo, the consistent targeting of Ukrainian government and military organizations, and the deliberate use of legitimate cloud platforms for infrastructure indicate a well-resourced actor with a stable long-term collection mandate.

For CISOs at government, military, defense industrial base, foreign affairs, and international policy organizations in Europe and North America, the exposure question is not abstract. Turla’s targeting follows European geopolitical engagement with Ukraine. Organizations in Italy, the Netherlands, Poland, and Germany appear in early sample metadata. Any organization that interfaces with Ukrainian government counterparts or supports defense-adjacent policy should treat Turla as a plausible threat actor.

The use of legitimate platforms for C2 hosting (Render, Glitch, GitHub) makes traditional blocklist controls insufficient. Detection requires behavioral monitoring of WebSocket traffic anomalies, registry persistence patterns, and inter-process communication between .NET processes.

Defender Action Items

  • Alert on outbound WebSocket connections to unexpected Render (*.onrender.com) and Glitch (*.glitch.me) subdomains. STOCKSTAY C2 endpoints confirmed by GTIG include canal1zac1a.onrender.com, driverx86-adobe.onrender.com, and google-ai-labs-it.onrender.com.
  • Hunt for .NET executables consistent with STOCKSTAY component names: StockMarketView.exe, StockMarketNet.exe, StockMarketSystem.exe, and MicrosoftUpdateOneDrive.exe. SHA-256 hashes for all confirmed samples are published in the GTIG advisory.
  • Deploy the YARA detection rules released by GTIG covering the STOCKSTAY configuration file format, backdoor component behavior, and the K1MORPHER obfuscation library.
  • Ensure WinRAR is patched against CVE-2025-8088, which Turla weaponized in delivery chains targeting military and defense personnel in November 2025.
  • Review endpoint telemetry for registry run-key persistence entries attributed to “MicrosoftUpdateOneDrive” as a binary name or display name.
  • Consult the VirusTotal Intelligence collection published by GTIG for the complete set of file, network, and behavioral indicators.
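A defender-side hunting script, added here as an illustration and not GTIG's tooling or code from the advisory, that applies the action items above to endpoint telemetry: it flags connections to the confirmed C2 hosts, WebSocket connections to other Render or Glitch subdomains, the STOCKSTAY component binary names, and the MicrosoftUpdateOneDrive run key. The key=value telemetry format, its field names and the sample lines are assumptions constructed for the example; the hostnames, binary names and run-key name are the ones quoted in the article.

```python
import re
from urllib.parse import urlsplit
# Indicators quoted in the article from GTIG's advisory (C2 hosts, component names, run key).
CONFIRMED_C2 = {"canal1zac1a.onrender.com", "driverx86-adobe.onrender.com",
                "google-ai-labs-it.onrender.com"}
CLOUD_WS_SUFFIXES = (".onrender.com", ".glitch.me")
COMPONENT_NAMES = {"stockmarketview.exe", "stockmarketnet.exe",
                   "stockmarketsystem.exe", "microsoftupdateonedrive.exe"}
RUNKEY_NAME = "microsoftupdateonedrive"
# Constructed key=value telemetry format (hypothetical; not a real EDR export).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    # One telemetry line -> dict of fields, quotes stripped from values
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(event):
    # Return the STOCKSTAY indicator categories one event matches
    hits = []
    kind = event.get("kind")
    if kind == "netconn":
        url = urlsplit(event.get("url", ""))
        host = (url.hostname or "").lower()
        if host in CONFIRMED_C2:
            hits.append("confirmed_c2")
        elif url.scheme in ("ws", "wss") and host.endswith(CLOUD_WS_SUFFIXES):
            hits.append("websocket_to_cloud_host")
    # Check the binary name in any path-bearing field (process image, run-key value)
    path = event.get("image") or event.get("proc") or event.get("value") or ""
    if path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in COMPONENT_NAMES:
        hits.append("component_name")
    if kind == "runkey" and RUNKEY_NAME in event.get("name", "").lower():
        hits.append("runkey_persistence")
    return hits

def hunt(lines):
    # Map the index of every flagged line to its indicator matches
    findings = {}
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            findings[i] = hits
    return findings

# Constructed sample telemetry: two STOCKSTAY-like events, one benign, one unexpected cloud WebSocket
SAMPLE = [
    'kind=netconn proc=StockMarketNet.exe url=wss://canal1zac1a.onrender.com/ws',
    'kind=runkey name=MicrosoftUpdateOneDrive value="C:\\Users\\a\\AppData\\MicrosoftUpdateOneDrive.exe"',
    'kind=netconn proc=chrome.exe url=https://www.example.com/',
    'kind=netconn proc=node.exe url=wss://my-demo-app.glitch.me/socket',
]
```

The "websocket_to_cloud_host" category is a lower-confidence signal than "confirmed_c2", since legitimate applications also use these platforms; treat it as a hunting lead to be reviewed against an allowlist rather than an automatic block.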

Source: Google Threat Intelligence Group