Google Reveals Turla’s STOCKSTAY Backdoor Used In Ukraine Cyber Espionage Campaigns

Google Threat Intelligence Group has revealed details about STOCKSTAY, a previously undocumented .NET-based backdoor attributed to the Russian state-sponsored threat actor Turla. The malware has been observed targeting government and military organizations in Ukraine, along with entities with an interest in Italian foreign policy. Researchers said STOCKSTAY has been under active development since at least December 2022 and shares significant code similarities and functional design with Kazuar, a malware family Turla has relied on for cyber espionage since 2017. According to Google, the malware is built on the Windows Forms framework and communicates with its command-and-control (C2) infrastructure over secure WebSocket (wss://) connections using the open source websocket-sharp library. The backdoor is composed of multiple components that talk to each other over an inter-process communication channel built on WM_COPYDATA window messages. Earlier versions were designed to imitate a stock market viewing application; later variants adopted disguises such as PDF viewers and calculator utilities in an effort to avoid detection.

Google said the infection chain begins with a downloader tracked as STOCKSTAY.MARKETMAKER, which installs three additional modules: STOCKSTAY.STOCKBROKER, which establishes the secure WebSocket connection and handles all network communication; STOCKSTAY.STOCKTRADER, the primary backdoor responsible for information gathering and remote command execution; and STOCKSTAY.STOCKMARKET, the controller that manages configuration such as server addresses and execution schedules and brokers communication between the components. Researchers noted that STOCKSTAY.STOCKTRADER supports a broad command set, allowing operators to collect system information, capture screenshots, browse directories, upload and download files, create or remove directories, launch new processes, modify Windows Registry entries, extract ZIP archives, and chain several tasks in a single command. Google also identified a publicly accessible GitHub repository containing a Python implementation of the malware's victim-facing WebSocket server. This server is a relay rather than the real controller: it can accept and log inbound connections but cannot decrypt the messages it forwards, which makes it harder for hosting providers and security researchers to inspect the traffic and helps conceal the location of Turla's actual command infrastructure. Google added that this design resembles the multi-hop command-and-control architecture previously seen with Kazuar.
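To make the relay design concrete, the following is an added example and not code from Google's report, from the GitHub repository it describes, or from the STOCKSTAY samples. It implements a minimal RFC 6455 WebSocket frame parser and shows what a forwarding relay actually sees when the payload is encrypted at the application layer: peer address, opcode, frame length and a high-entropy hint, but no plaintext. The masking keys, the peer address and the stand-in "ciphertext" (SHA-256 output used in place of real encrypted data) are all constructed for the demo.

```python
"""Minimal WebSocket (RFC 6455) frame parser and a relay-style observer.

Added example for the STOCKSTAY write-up; not Google's or Turla's code.
Assumptions: the client encrypts its payload before framing (as the article
says the relay cannot decrypt), so the relay only ever handles opaque bytes.
"""
from __future__ import annotations

import hashlib
import math
import os
import struct
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for an application-layer-encrypted message (64 bytes).
SAMPLE_CIPHERTEXT = (hashlib.sha256(b"constructed-0").digest()
                     + hashlib.sha256(b"constructed-1").digest())


@dataclass
class Frame:
    fin: bool
    opcode: int      # 0x1 text, 0x2 binary, 0x8 close, 0x9 ping, 0xA pong
    masked: bool
    payload: bytes   # unmasked payload (still ciphertext if the app encrypted it)


def build_frame(payload: bytes, opcode: int = 0x2, key: bytes | None = None) -> bytes:
    """Build a client->server frame. Clients MUST mask (RFC 6455 5.3); the
    4-byte key is random unless a fixed one is supplied for deterministic tests."""
    header = bytes([0x80 | (opcode & 0x0F)])          # FIN=1, RSV=000, opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])
    elif n < 0x10000:
        header += bytes([0x80 | 126]) + struct.pack(">H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack(">Q", n)
    key = key if key is not None else os.urandom(4)
    masked = bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    return header + key + masked


def parse_frame(buf: bytes) -> tuple[Frame, int]:
    """Parse one frame from the start of buf; return (frame, bytes consumed)."""
    if len(buf) < 2:
        raise ValueError("short header")
    b0, b1 = buf[0], buf[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:
        (length,) = struct.unpack(">H", buf[pos:pos + 2]); pos += 2
    elif length == 127:
        (length,) = struct.unpack(">Q", buf[pos:pos + 8]); pos += 8
    key = b""
    if masked:
        key = buf[pos:pos + 4]; pos += 4
    payload = buf[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    pos += length
    if masked:  # masking is transport obfuscation only, trivially reversed by any hop
        payload = bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    return Frame(fin, opcode, masked, payload), pos


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8 for random/encrypted data, low for text or zero padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def relay_observe(stream: bytes, peer: str) -> tuple[list[dict], bytes]:
    """Everything a decrypt-incapable relay can log about a client's frames.
    Returns (log records, bytes to forward upstream unchanged)."""
    log, pos = [], 0
    while pos < len(stream):
        frame, used = parse_frame(stream[pos:])
        pos += used
        ent = shannon_entropy(frame.payload)
        log.append({
            "peer": peer,
            "opcode": frame.opcode,
            "len": len(frame.payload),
            "entropy": round(ent, 2),
            # Heuristic only: short frames cannot reach high entropy.
            "looks_encrypted": len(frame.payload) >= 32 and ent > 4.0,
        })
    return log, stream  # forwarded verbatim: the relay never sees plaintext


if __name__ == "__main__":
    wire = build_frame(SAMPLE_CIPHERTEXT) + build_frame(b"ping", opcode=0x9)
    records, forwarded = relay_observe(wire, "203.0.113.7")  # constructed peer
    for r in records:
        print(r)
    print("forwarded", len(forwarded), "bytes unchanged")
```

The practical takeaway for defenders is that the relay host is a poor place to look for plaintext indicators; logging at the relay yields only connection metadata and frame sizes, and the real controller sits behind another hop.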

Researchers found that Turla has consistently delivered STOCKSTAY through phishing campaigns using academic and diplomatic themed lures. Early operations targeted organizations in Italy, the Netherlands, Poland, and Germany, although the specific European entities involved remain unknown. In one campaign observed in early 2025, attackers distributed malicious Remote Desktop Protocol (.rdp) files through phishing emails. When opened, these files connected the victim to attacker-controlled infrastructure, allowing additional payloads, including STOCKSTAY, to be deployed. More recently, in November 2025, phishing campaigns targeting Ukraine delivered the malware inside RAR archives that exploited CVE-2025-8088, a WinRAR vulnerability that has also been abused by Russian-linked groups including Sandworm, Gamaredon, and RomCom. Additional delivery methods included MSI installer packages, with one sample hosted on GitHub, as well as RAR archives containing HTML Application (HTA) scripts that executed a variant of STOCKSTAY.MARKETMAKER. The downloader then retrieved a ZIP archive containing the primary malware components from compromised WordPress websites.
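An .rdp attachment is plain text, one `name:type:value` setting per line, so it can be triaged at the mail gateway before a user double-clicks it. The script below is an added example (not from Google's report and unrelated to Turla's actual lure files): it parses the file, extracts the target host for allowlist checks, and flags the settings that hand a hostile server access to the client once the session is up, which is what makes a connection to attacker-controlled infrastructure dangerous. The sample file, the hostname `rdp.example.net` and the trusted host `rds.corp.example` are constructed placeholders.

```python
"""Triage an .rdp attachment for settings that let the remote server act on the client.

Added example for the STOCKSTAY write-up; not Google's code and not Turla tooling.
Assumption: the organisation keeps an allowlist of legitimate RDP gateways.
"""
from __future__ import annotations

# Setting name -> (expected type, predicate on the raw value, why it matters).
# With these on, an attacker-controlled server can read/write mapped drives,
# harvest the clipboard, present a server-chosen program, or skip cert warnings.
RISKY = {
    "drivestoredirect":      ("s", lambda v: v.strip() != "", "local drives mapped into the session"),
    "redirectdrives":        ("i", lambda v: v.strip() == "1", "drive redirection enabled"),
    "devicestoredirect":     ("s", lambda v: v.strip() != "", "plug-and-play devices redirected"),
    "redirectclipboard":     ("i", lambda v: v.strip() == "1", "clipboard shared with remote host"),
    "redirectsmartcards":    ("i", lambda v: v.strip() == "1", "smart cards exposed to remote host"),
    "redirectwebauthn":      ("i", lambda v: v.strip() == "1", "WebAuthn requests forwarded to remote host"),
    "remoteapplicationmode": ("i", lambda v: v.strip() == "1", "RemoteApp mode: server-chosen program is shown"),
    "alternate shell":       ("s", lambda v: v.strip() != "", "server-specified shell replaces the desktop"),
    "authentication level":  ("i", lambda v: v.strip() == "0", "server certificate failures ignored"),
}

# Constructed sample lure (hostname is a placeholder, not a real indicator).
SAMPLE_RDP = """\
full address:s:rdp.example.net:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||viewer
drivestoredirect:s:*
redirectclipboard:i:1
authentication level:i:0
screen mode id:i:2
"""


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Map lower-cased setting name -> (type, value). Values may contain ':'
    (e.g. host:port), so split on at most two colons."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line; mstsc ignores these too
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value)
    return settings


def target_host(settings: dict[str, tuple[str, str]]) -> str:
    """Hostname from 'full address' with an optional :port stripped."""
    host = settings.get("full address", ("s", ""))[1].strip()
    if host.count(":") == 1:          # host:port (leave IPv6 literals alone)
        host = host.rsplit(":", 1)[0]
    return host.lower()


def triage_rdp(text: str, trusted_hosts: set[str]) -> dict:
    """Return host, whether it is off the allowlist, the risky settings found,
    and a verdict: block (untrusted host + client exposure), review, or allow."""
    settings = parse_rdp(text)
    host = target_host(settings)
    untrusted = host not in {h.lower() for h in trusted_hosts}
    findings = []
    for name, (typ, pred, why) in RISKY.items():
        if name in settings and settings[name][0] == typ and pred(settings[name][1]):
            findings.append(f"{name}={settings[name][1].strip()}: {why}")
    if untrusted and findings:
        verdict = "block"
    elif untrusted or findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"host": host, "untrusted_host": untrusted, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage_rdp(SAMPLE_RDP, trusted_hosts={"rds.corp.example"})
    print(result["verdict"], result["host"])
    for finding in result["findings"]:
        print("  -", finding)
```

Drive and device redirection deserve the most weight: once the client maps its drives into a session with a hostile server, the server can drop payloads onto the victim's disk without any further exploit, which matches the "additional payloads deployed" step described above.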

Google also observed STOCKSTAY being deployed at different stages of Turla's operations. In some cases the malware was used to gain initial access to previously unknown environments, while in other incidents it appeared only during post-exploitation, after reconnaissance had already been completed. Researchers stated that this pattern suggests the attackers already knew which systems they intended to compromise, particularly within Ukrainian networks, where STOCKSTAY appeared alongside Kazuar in the later stages of operations. The similarities between the two malware families extend beyond coding practices to their modular architecture, with clearly separated components assigned specific operational roles. Google believes these overlaps indicate that STOCKSTAY may have been developed by the same team that maintains Kazuar. While the company assessed this with low confidence, researchers suggested Turla may be introducing STOCKSTAY into active operations to test new capabilities while maintaining access to targeted environments that may soon be remediated.
