The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called STOCKSTAY that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy.
Describing the Windows backdoor as continually developed by the hacking group, Google Threat Intelligence Group (GTIG) said the cyber espionage tool shares significant code and functional overlaps with Kazuar, a staple implant put to use by the adversary since 2017. Suspected development activity of malware dates back to December 2022.
“STOCKSTAY is a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command-and-control (C2) via a secure WebSocket connection, utilizing the open-source websocket-sharp library,” GTIG said.
“STOCKSTAY consists of several distinct components that communicate with one another via an inter-process communication (IPC) channel, based on the exchange of WM_COPYDATA messages.”
Evidence indicates that the implant was originally designed to mimic a stock market data viewing tool, before being adapted to masquerade as other harmless programs like PDF viewers and calculator utilities. The starting point is a downloader component codenamed STOCKSTAY.MARKETMAKER that installs and executes three additional modules –
- STOCKSTAY.STOCKBROKER, a proxy-aware tunneler that facilitates network communication capabilities to the wider STOCKSTAY suite by establishing a secure WebSocket connection to a specified remote server.
- STOCKSTAY.STOCKTRADER, the main backdoor that enables information gathering.
- STOCKSTAY.STOCKMARKET, an orchestrator or controller that parses the backdoor’s configuration to set several options regarding the malware’s execution, such as the WebSocket server, time interval, and the days it’s not supposed to work. It also communicates with STOCKSTAY.STOCKBROKER to provide the server details and receive messages via the established WebSocket connection, as well as STOCKSTAY.STOCKTRADER to issue commands to be run on the compromised host.
 |
| STOCKSTAY malware architecture |
Some of the support commands of STOCKSTAY.STOCKTRADER is listed below –
- Del, to delete the specified files
- Dir, to enumerate the specified directories
- Get, to fetch one or more specified files matching certain extensions
- MkDir, to make one or more directories
- RmDir, to delete the specified directories
- Image, to perform a screen capture of the device’s screen
- MultyTask, to run a semi-colon-separated list of tasks at once
- Put, to upload a file to the device
- RegRead, to read a Windows Registry value
- RegDelete, to delete a Windows Registry value
- RegWrite, to set a Windows Registry value
- Run, to execute a new process
- Sysinfo, to gather system information
- UnpackArchive, to extract the specified ZIP file to its current directory
Google said it identified a publicly accessible GitHub repository (“ChikenFresh/google-ai-labs-it”) containing a Python implementation of the victim-facing STOCKSTAY WebSocket server controller that’s responsible for handling inbound messages from a connected client and logging its IP address.
“The inability for the server to decrypt inbound messages prevents introspection by platform operators, and further obfuscates the location of the threat actor’s dedicated infrastructure,” GTIG noted. “This architecture somewhat resembles Turla’s multi-hop Kazuar C2 infrastructure.”
Attacks distributing STOCKSTAY have consistently leveraged academic- or diplomatic-themed lures to target government and military organizations within Ukraine, with early versions of the backdoor used in attacks aimed at entities in Italy, the Netherlands, Poland, and Germany. That said, it’s unknown which European entities were singled out in these attacks.
 |
| Timeline of STOCKSTAY observations |
In at least one instance observed in early 2025, the Turla actors are said to have employed a phishing email containing a malicious RDP file attachment that, when opened, sets up a connection between the victim’s device and actor-controlled infrastructure, through which additional payloads, including STOCKSTAY, can be deployed.
As recently as November 2025, an email phishing wave targeting Ukraine was found to deliver the implant via RAR archives that exploit CVE-2025-8088, a WinRAR vulnerability that has been exploited by a number of Russian hacking groups such as Sandworm, Gamaredon, and RomCom.
Other campaigns have leveraged MSI installers (in one case hosted on GitHub) and RAR files containing an HTML Application (HTA) script, the latter of which is designed to execute a variant of STOCKSTAY.MARKETMAKER. The downloader then retrieves a ZIP archive containing the main STOCKSTAY components that’s hosted on a compromised WordPress instance.
One noteworthy aspect of the malware is that it has been employed by Turla at multiple distinct stages of their operations, one as a way to obtain initial access into environments that haven’t been profiled previously and during post-exploitation following reconnaissance for execution on a specific host.
“This configuration implies that, at this stage, the actor knows exactly which machine is being targeted, likely through existing accesses to the target environment,” GTIG explained. This was seen within Ukrainian networks where STOCKSTAY was deployed toward the end of an operation which had previously relied heavily on the group’s other tools, such as Kazuar.”
STOCKSTAY’s overlaps with Kazuar stem from the similarities in how the responsibilities are delineated among different components. Kazuar’s use of Kernel, Bridge, and Worker modules within Kazuar was extensively detailed by the Microsoft Threat Intelligence team last month. The separation of distinct role-based components in STOCKSTAY was first detected in a sample uploaded to VirusTotal in December 2023 from the Netherlands.
These commonalities have raised the possibility that both STOCKSTAY and Kazuar may have been developed and maintained in-part by the same developer or team.
“We believe that STOCKSTAY is being developed in KAZUAR’s image, with several design decisions likely spawning from the threat actor’s wealth of experience in conducting operations using this long-standing toolkit,” Google said. “Both ecosystems rely heavily on .NET development, and have been observed using compromised WordPress sites during various stages of their operations.”
“We assess with low confidence that our observations of STOCKSTAY being deployed alongside KAZUAR during active operations may be a result of the threat actor seeking to test new capabilities in active operations, particularly where they may be expecting their existing access to be remediated in the near future.”
