Google Threat Intelligence Group (GTIG) has uncovered a previously undocumented malware framework dubbed STOCKSTAY, a modular .NET backdoor linked to the Russian state-sponsored hacking group Turla. The malware has been deployed in espionage campaigns targeting Ukrainian government and military organizations, as well as select European entities connected to diplomatic and foreign policy interests. Researchers believe STOCKSTAY represents the next evolution of Turla’s long-running malware ecosystem, sharing significant architectural similarities with the group’s well-known Kazuar backdoor.
The malware is built as a multi-component framework that separates responsibilities across specialized modules responsible for orchestration, secure communications, and command execution. Using encrypted WebSocket connections, STOCKSTAY can collect system information, execute commands, capture screenshots, manipulate files and the Windows Registry, and deploy additional payloads. Google says the framework has been under active development since at least late 2022 and continues to receive new capabilities.
Turla has delivered STOCKSTAY through multiple intrusion methods, including spear-phishing emails carrying malicious Remote Desktop Protocol (RDP) files, weaponized WinRAR archives exploiting known vulnerabilities, MSI installers hosted on public repositories, and compromised WordPress sites used to stage malware downloads. Researchers observed the backdoor being deployed both during initial compromise and later stages of intrusions, suggesting the group uses it flexibly depending on the maturity of an operation.
One notable aspect of STOCKSTAY is its emphasis on stealth. The malware hides its command-and-control infrastructure behind secure WebSocket communications and employs proxy-aware networking techniques resembling those used across Turla’s existing infrastructure. Google also discovered publicly accessible tooling that assists operators in managing infected systems while helping to obscure the location of the dedicated command servers.
Researchers believe STOCKSTAY may eventually complement—or even replace—Kazuar in future espionage campaigns. The discovery highlights Turla’s continued investment in modernizing its cyber espionage toolkit while maintaining a strong focus on intelligence gathering against Ukraine and other strategically important European targets.
