Google’s Threat Intelligence Group (GTIG) has uncovered a new malware called STOCKSTAY, which has been linked to the Russian state-backed hacking group Turla. The backdoor has been used in cyber espionage campaigns targeting government and military organizations in Ukraine. Researchers also found that some organizations connected to Italian foreign policy were targeted during these operations. The malware has reportedly been under development since at least December 2022.

According to Google, STOCKSTAY is a multi-component Windows backdoor built using the .NET framework. It communicates with its command-and-control servers through encrypted WebSocket connections, making its traffic harder to detect. The malware is designed with several separate modules that exchange data through Windows inter-process communication. This modular structure allows attackers to update or expand its capabilities without replacing the entire malware.

Google’s analysis found that STOCKSTAY shares significant code and functionality with Kazuar, another well-known Turla backdoor that has been active for several years. Researchers believe this similarity shows that Turla continues to improve its existing cyber espionage toolkit instead of creating completely new malware families. The continued evolution of STOCKSTAY highlights the group’s focus on maintaining long-term intelligence-gathering operations.

Researchers discovered that the malware was originally disguised as a stock market application, which is how it received the name STOCKSTAY. Over time, the attackers changed their approach and made the malware appear as harmless software such as PDF viewers and calculator programs. These fake applications help reduce suspicion and increase the chances of victims unknowingly launching the malware. This tactic improves the attackers’ ability to remain hidden inside compromised systems.

The infection begins with a downloader component called STOCKSTAY.MARKETMAKER, which installs the remaining malware modules onto the victim’s computer. Once active, the malware can collect system information, capture screenshots, browse directories, upload or download files, modify Windows Registry settings, create or remove folders, extract ZIP archives, and execute additional programs. These features provide attackers with extensive control over compromised devices and support long-term espionage activities.

Google researchers also identified a publicly accessible GitHub repository containing a Python implementation of the malware’s WebSocket server controller. This controller is responsible for receiving communications from infected systems and recording connection details. Because the traffic is encrypted, outsiders cannot read the exchanged data, which makes it more difficult to identify the attackers’ infrastructure. Researchers noted that this communication design resembles Turla’s earlier multi-hop command-and-control architecture used with Kazuar.

The investigation shows that Turla consistently relied on phishing campaigns using academic or diplomatic-themed lures to distribute STOCKSTAY. In one campaign observed during early 2025, victims received phishing emails containing malicious Remote Desktop Protocol (RDP) files that established connections with attacker-controlled systems before deploying the malware. Another campaign later used malicious RAR archives exploiting the WinRAR vulnerability CVE-2025-8088 to install STOCKSTAY on targeted systems.

Google also found additional delivery methods involving MSI installer packages and HTML Application (HTA) files hidden inside compressed archives. In these attacks, the downloader retrieved a ZIP archive containing the main STOCKSTAY components from compromised WordPress websites before completing the infection. Most of the observed attacks focused on Ukrainian government and military organizations, although earlier campaigns also targeted entities in Italy, Germany, Poland, and the Netherlands. The findings demonstrate that Turla continues to refine its cyber espionage operations with increasingly advanced and stealthy malware.

Stay alert, and keep your security measures updated!