[Figure: Overview of STOCKSTAY malware architecture. Image: Google Threat Intelligence Group]
At a glance
- Malware Family: STOCKSTAY
- Threat Actor: Turla (Confirmed: Center 16 of Russia’s FSB)
- Targets: Ukrainian military/government, Italian foreign policy entities
- Delivery Vector: Malicious RDP files, CVE-2025-8088 WinRAR exploits
- Key Capabilities: File theft, system enumeration, secure WebSocket tunneling
- Source: Google Threat Intelligence Group
TL;DR
Google Threat Intelligence Group recently identified a new .NET malware strain named STOCKSTAY. The Russia-linked threat actor Turla uses this tool to conduct ongoing cyber espionage. Attackers actively deploy the Turla STOCKSTAY backdoor against Ukrainian military organizations.
Delivery
Turla actors initiate attacks using targeted spear-phishing emails. They tailor these messages to academic, diplomatic, or military themes. In a November 2025 campaign, attackers sent drone-themed phishing emails to approximately 20 Ukraine-based targets. GTIG noted that “only around 30% of the recipients of these phishing emails opened the emails.”
The emails contain malicious links or attachments. Attackers often use malicious Remote Desktop Protocol (RDP) configuration files. For example, attackers compromised a Ukrainian university email account to distribute these files. When users open these files, their machines connect directly to actor-controlled infrastructure.
Attackers also target European entities with specific foreign policy interests. In early 2024, attackers created a malicious Windows Installer file. This file masqueraded as a legitimate developer tool. It displayed a decoy website relating to Circolo Degli Esteri. This organization officially represents the Italian Ministry of Foreign Affairs.
Threat actors also utilize decoy documents and archives. Recently, attackers began using malicious RAR archives. These archives exploit a known WinRAR path traversal vulnerability, tracked as CVE-2025-8088. This exploit allows the silent installation of malware components. The attackers also used a malicious HTML application disguised as a military pay calculator. This file displayed an official-looking Ukrainian Ministry of Defense graphic to trick users.
The threat group has maintained active operations since at least December 2022 and continually refines its delivery methods. Early operations relied on single executable files. Over time, the delivery mechanisms evolved, and the group now uses different techniques at different stages of compromise: initial access tooling uses hard-coded passwords, while later-stage deployments use environmental keying. This shows a high level of operational maturity.
Infection Chain
The initial breach triggers a downloader component known as MARKETMAKER. This tool runs silently in the background. It establishes persistence through Windows registry modifications. Next, it downloads the core components of the Turla STOCKSTAY backdoor. The attackers host these payloads on compromised WordPress websites.
The malware operates using a complex multi-component architecture. A tunneler component named STOCKBROKER manages all external communications. Meanwhile, an orchestrator named STOCKMARKET decrypts the configuration data. The malware uses environmental keying to hide its configuration. It requires the victim’s specific hostname or domain name for decryption. Consequently, analysts cannot easily examine the malware outside the target network.
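To illustrate why environmental keying frustrates sandbox analysis, here is an added Python example; it is not STOCKSTAY's code or algorithm, only a toy construction in the same spirit. A configuration blob is sealed under a key derived from the victim's hostname, so it decrypts only when the correct hostname is supplied. The PBKDF2 salt, the SHA-256 counter-mode keystream, the HMAC tag, the sample hostnames and the sample config are all constructed for the demonstration. The recover_config helper shows the analyst side: with candidate hostnames collected from the victim environment (DNS, Active Directory, asset inventory), the configuration can be unlocked for examination.

```python
import hashlib
import hmac
import socket
from typing import Iterable, Optional, Tuple

# Constructed example of environmental keying. NOT STOCKSTAY's scheme: the salt,
# keystream and tag layout are illustrative choices made for this demonstration.
SALT = b"example-salt"


def derive_key(hostname: str) -> bytes:
    """Derive a 32-byte key from the lower-cased hostname (case folding makes
    'WS-FINANCE-07' and 'ws-finance-07' equivalent, as Windows hostnames are)."""
    return hashlib.pbkdf2_hmac("sha256", hostname.lower().encode("utf-8"), SALT, 10_000)


def keystream(key: bytes, length: int) -> bytes:
    """Expand the key into a keystream with SHA-256 in counter mode (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_config(plaintext: bytes, hostname: str) -> bytes:
    """Encrypt the config and prepend an HMAC tag so a wrong key is detected
    rather than producing silent garbage (a real implant may omit the tag)."""
    key = derive_key(hostname)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, "sha256").digest()
    return tag + ct


def open_config(blob: bytes, hostname: str) -> Optional[bytes]:
    """Return the plaintext only when the hostname-derived key verifies the tag."""
    key = derive_key(hostname)
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None  # wrong environment: the configuration stays opaque
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def recover_config(blob: bytes, candidate_hostnames: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """Analyst helper: try hostnames gathered from the victim environment and
    return the first one that unlocks the configuration."""
    for name in candidate_hostnames:
        pt = open_config(blob, name)
        if pt is not None:
            return name, pt
    return None


if __name__ == "__main__":
    CONFIG = b'{"c2": "wss://example.invalid/ws", "poll": 300}'  # constructed sample config
    blob = seal_config(CONFIG, "WS-FINANCE-07.corp.example")        # constructed victim hostname
    # On a sandbox the local hostname does not match, so nothing decrypts.
    print("sandbox host:", open_config(blob, socket.gethostname()))
    # With the victim's hostname list, the analyst recovers the plaintext.
    print("recovered:", recover_config(blob, ["DC01.corp.example", "ws-finance-07.corp.example"]))
```

The practical lesson is that a sample keyed this way must be analysed with the victim's hostname or domain in hand; detonating it on a generic sandbox yields nothing, which is exactly the effect the report describes.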
Finally, the STOCKTRADER backdoor component executes system commands. GTIG states this design shows “significant code and functional overlaps with KAZUAR.” Both malware families share string obfuscation mechanisms. Specifically, the developers integrated a custom obfuscator named K1MORPHER into both projects.
The component separation prevents easy analysis. The MARKETMAKER tool acts as the primary downloader and communicates through standard HTTP channels. The STOCKBROKER acts as a dedicated proxy and handles all WebSocket traffic. The STOCKMARKET orchestrator manages the internal operations and acts as the brain of the implant. The STOCKTRADER executes the final actions. The components communicate with each other through inter-process communication, exchanging specific messages to coordinate actions.
Command-and-Control and Data-Exfiltration Behaviour
The malware disguises its command-and-control operations to evade detection. The orchestrator originally masqueraded as a stock market data viewing tool. It stored configuration details inside fake cryptocurrency URLs. Modern variants disguise themselves as PDF viewers or calculator utilities.
The STOCKBROKER tunneler establishes a secure WebSocket connection to remote servers. This isolates the network traffic from other host activities. The malware encrypts all outbound data using a unique 4096-bit RSA key. Attackers deploy lightweight Python scripts on free hosting platforms to receive this data. A specific controller script routes messages between infected clients and the upstream operators.
The Python server operates on platforms like Render. The server code extends basic WebSocket handlers. It logs client IP addresses upon connection. The server stores encrypted messages in a local database. It tracks targets using unique identifiers. Clients request their specific messages from the server queue. The server deletes messages after successful delivery. This design prevents third-party hosting providers from inspecting the data.
The STOCKTRADER backdoor receives commands through this secure tunnel. It supports extensive administrative functions. The backdoor executes specific commands like ‘Get’ to retrieve target files. It uses ‘Dir’ to perform recursive directory listings. The ‘Sysinfo’ command gathers operating system version, memory capacity, and running process lists. The ‘MultyTask’ feature allows the attackers to process multiple commands simultaneously. The backdoor can capture screenshots, read registry values, and gather detailed hardware information. Furthermore, attackers can instruct the malware to steal specific file types. The backdoor compresses stolen files into memory-based ZIP archives. It then sends this base64-encoded data back to the attackers.
Attribution
The United States Cybersecurity and Infrastructure Security Agency formally attributes Turla to Center 16 of Russia’s Federal Security Service, and government authorities confirm this primary attribution. GTIG, for its part, assesses with high confidence that the STOCKSTAY ecosystem belongs to Turla. The developers use Windows-1251 encoding, which supports Cyrillic script, and the malware shares infrastructure and codebase elements with known Turla projects.
Turla remains one of the oldest known cyber espionage groups, with suspected activity dating back to at least 2004. The group heavily targets Western Ministries of Foreign Affairs and focuses on defense organizations during periods of political tension. The deployment of STOCKSTAY alongside KAZUAR confirms these links: analysts found both tools deployed on the same Ukrainian domain controller, and the developers clearly share a unified software development pipeline.
Defense and Detection Guidance
Organizations must prioritize patching software vulnerabilities immediately. Update WinRAR to fix the CVE-2025-8088 vulnerability. Security teams should monitor network traffic for unexpected WebSocket connections. Specifically, look for connections communicating with uncommon cloud hosting providers.
Administrators should block inbound and outbound RDP connections unless strictly necessary. Furthermore, inspect email gateways for unusual external sharing links. Apply modern endpoint detection systems to catch unexpected background processes. Defenders must look for programs disguised as calculators or stock tools running from unexpected directories. Restrict the execution of HTML Application files to prevent initial-stage droppers.
Organizations must isolate critical domain controllers from general network traffic. Employ strict application allowlisting to block unauthorized executables. Monitor for unusual inter-process communication patterns. Flag programs that exchange high volumes of internal messages. Implement strong authentication for all remote access portals. Provide staff with regular phishing awareness training.
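The two detection ideas in this section (WebSocket connections to uncommon cloud hosting providers, and calculator, PDF-viewer or stock-tool lookalikes running from unexpected directories) can be turned into simple correlated checks. The Python below is an added example, not GTIG's or any vendor's detection content. The proxy log lines and process events are constructed; the onrender.com suffix reflects the report's mention of Render, while herokuapp.com, the allowlist, the trusted directories and the lure-name pattern are assumptions to be replaced with an organisation's own data.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Suffixes of app-hosting platforms. Render (onrender.com) is named in the report;
# the Heroku suffix is added here as an assumption for illustration only.
PAAS_SUFFIXES = (".onrender.com", ".herokuapp.com")
# Hosts the organisation legitimately talks to over WebSocket (constructed allowlist).
ALLOWED_WS_HOSTS = {"chat.intranet.example.com"}
# Directories where vendor software normally lives (constructed, lower-cased Windows paths).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Lure themes named in the report: calculators, PDF viewers, stock-market tools.
LURE_NAME = re.compile(r"calc|calculator|pdf|stock|viewer", re.IGNORECASE)

# Constructed proxy log: timestamp, client IP, method, URL, upgrade header, user agent.
PROXY_LOG = r"""
2025-11-12T09:01:03Z 10.0.5.21 CONNECT api.office.example.com:443 upgrade=- ua=Mozilla/5.0
2025-11-12T09:01:09Z 10.0.5.21 GET https://calc-viewer-7f3a.onrender.com/ws upgrade=websocket ua=-
2025-11-12T09:02:11Z 10.0.5.40 GET https://chat.intranet.example.com/socket upgrade=websocket ua=Mozilla/5.0
2025-11-12T09:03:44Z 10.0.5.21 GET https://pdfview-app.herokuapp.com/ws upgrade=websocket ua=-
"""

# Constructed endpoint process events: host IP | image path | process name.
PROCESS_EVENTS = r"""
10.0.5.21|C:\Windows\System32\calc.exe|calc.exe
10.0.5.21|C:\Users\asmith\AppData\Roaming\Calculator\calculator.exe|calculator.exe
10.0.5.40|C:\Program Files\Adobe\Acrobat\Acrobat.exe|Acrobat.exe
10.0.5.21|C:\Users\Public\Downloads\StockViewer.exe|StockViewer.exe
"""


def flag_websocket_lines(log: str) -> List[Tuple[str, str]]:
    """Return (client_ip, host) for WebSocket upgrades to PaaS hosts outside the allowlist."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5 or "upgrade=websocket" not in fields:
            continue
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname or ""
        if host in ALLOWED_WS_HOSTS:
            continue  # known-good internal WebSocket service
        if host.endswith(PAAS_SUFFIXES):
            hits.append((client, host))
    return hits


def flag_process_events(events: str) -> List[Tuple[str, str]]:
    """Return (host_ip, image_path) for lure-themed binaries outside trusted directories.
    The real calc.exe under C:\\Windows is skipped; the AppData and Downloads copies are not."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        host, path, name = line.split("|")
        if LURE_NAME.search(name) and not path.lower().startswith(TRUSTED_DIRS):
            hits.append((host, path))
    return hits


def correlate(ws_hits: List[Tuple[str, str]], proc_hits: List[Tuple[str, str]]) -> Dict[str, str]:
    """Severity per host: 'high' when both a suspicious tunnel and a disguised process
    are seen on the same machine, 'medium' for either signal alone."""
    ws_hosts = {client for client, _ in ws_hits}
    proc_hosts = {host for host, _ in proc_hits}
    return {
        h: ("high" if h in ws_hosts and h in proc_hosts else "medium")
        for h in ws_hosts | proc_hosts
    }


if __name__ == "__main__":
    ws = flag_websocket_lines(PROXY_LOG)
    procs = flag_process_events(PROCESS_EVENTS)
    for client, host in ws:
        print(f"WebSocket to PaaS host: {client} -> {host}")
    for host, path in procs:
        print(f"Lure-themed binary outside trusted dirs: {host} {path}")
    print("severity:", correlate(ws, procs))
```

On the constructed data, 10.0.5.21 shows both a WebSocket tunnel to a Render-hosted app and a "calculator" binary running from AppData, so it is scored high, while 10.0.5.40's WebSocket to the allowlisted internal chat service raises nothing. In production the PaaS suffix list and allowlist should come from the organisation's own egress baseline rather than the constants above.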