Google Exposes Turla’s STOCKSTAY Backdoor Targeting Ukrainian Government

Russian state-sponsored group Turla has been running a previously unknown .NET backdoor called STOCKSTAY against Ukrainian government and military targets, Google Threat Intelligence Group revealed this week.

The backdoor has been in development since at least December 2022 and shows significant code overlap with Kazuar, a Turla implant that’s been active since 2017. STOCKSTAY is multi-component, written in .NET using the Windows Forms framework, and talks to its command-and-control server via secure WebSocket connections using the open-source websocket-sharp library.

It originally disguised itself as a stock market data viewer. Newer versions pose as PDF readers and calculator apps. Smart cover for a surveillance tool.

The architecture has four parts. STOCKSTAY.MARKETMAKER is the downloader — it sets up autorun entries and fetches three modules. STOCKSTAY.STOCKBROKER handles network tunneling through proxies. STOCKSTAY.STOCKMARKET is the orchestrator, parsing config to set the C2 server, work intervals, and days off. STOCKSTAY.STOCKTRADER is the main backdoor, supporting file exfiltration, screen capture, registry modification, process execution, and system info harvesting.

Google found a public GitHub repo (“ChikenFresh/google-ai-labs-it”) containing a Python implementation of the STOCKSTAY WebSocket server controller. The server can’t decrypt inbound messages, which obscures the threat actor’s infrastructure from platform operators.

Delivery methods are varied. Phishing emails with malicious RDP files. RAR archives exploiting CVE-2025-8088, a WinRAR vulnerability that multiple Russian APTs including Sandworm and Gamaredon have also used. MSI installers, some hosted on GitHub. HTA scripts that fetch payloads from compromised WordPress sites. The lures are consistent: academic and diplomatic themes, filenames referencing universities, domains containing “education” and “diplo.”

Turla deploys STOCKSTAY at different stages — for initial access into unprofiled environments, and for post-exploitation after reconnaissance. GTIG says this means the actor sometimes already knows exactly which machine to target, likely through existing access to the network.

Most observed activity targets Ukrainian government and military. In-country compromised infrastructure, including government services, has been used to deploy the malware. Early activity also hit entities in Italy, the Netherlands, Poland, and Germany — including a foreign affairs ministry — but specific victims there haven’t been confirmed.