
Turla’s STOCKSTAY Backdoor: A New .NET Spy Tool Targeting Ukraine and Europe

The Russia-linked threat actor Turla has been developing and deploying a .NET backdoor called STOCKSTAY since at least December 2022, targeting government and military organizations in Ukraine, as well as entities interested in Italian foreign policy. The malware was designed to masquerade as a stock market data viewing tool, but by 2025, variants were disguising themselves as PDF viewers and calculator utilities. This reveals a persistent, evolving threat actor that continues to refine its delivery methods—including phishing via malicious RDP files, compromised university email accounts, and exploitation of CVE-2025-8088—while maintaining a consistent focus on intelligence gathering against Ukrainian defense targets and European diplomatic circles.
STOCKSTAY is a multi-component backdoor using Windows Forms, WebSocket communication via the websocket-sharp library, and inter-process communication through WM_COPYDATA messages. Its architecture separates network communication (STOCKSTAY.STOCKBROKER), task orchestration (STOCKSTAY.STOCKMARKET), and command execution (STOCKSTAY.STOCKTRADER) into distinct components. The malware generates a 4096-bit RSA key pair on first execution, uses encrypted configuration files with decoy cryptocurrency exchange URLs, and supports environmental keying that requires the target’s hostname or domain name to decrypt its configuration. Google Threat Intelligence Group also identified a publicly accessible GitHub repository hosting a Python implementation of the STOCKSTAY WebSocket server controller, which uses a lightweight SQLite3 database and can run on platforms like Render, making the C2 infrastructure difficult to attribute.
The key takeaway for defenders is that STOCKSTAY shares significant code and operational overlaps with KAZUAR, a well-established Turla toolkit, indicating a common development team actively iterating on both malware families in tandem. The introduction of the K1MORPHER string obfuscation mechanism—based on the Squirrel3 pseudo-random number generation algorithm—into both toolkits within a similar timeframe strengthens this link. Practitioners should monitor for the specific YARA rules and Google SecOps detections provided in the report, pay attention to malicious RDP file lures themed around military training or diplomatic education, and treat any infection involving STOCKSTAY as a potential precursor to deployment of other Turla tools like WILDDAY, DIAMONDBACK, or KAZUAR within the same environment.


