
Introduction:
The Russian state-sponsored threat actor Turla, also known as Krypton, Snake, and Venomous Bear, has been a persistent force in global cyber-espionage since at least 2004. Recently, the Google Threat Intelligence Group (GTIG) uncovered a previously undocumented .NET backdoor named STOCKSTAY, which the group has been actively developing and deploying since late 2022. This sophisticated malware, primarily targeting government and military organizations in Ukraine as well as entities with interests in Italian foreign policy, represents a significant evolution in Turla’s espionage capabilities, showcasing a modular design, secure communication channels, and a persistent focus on high-value geopolitical targets.
Learning Objectives:
- Understand the technical architecture and multi-component design of the STOCKSTAY backdoor.
- Analyze the infection vectors, including phishing campaigns and malicious RDP configuration files.
- Learn about the malware’s command-and-control (C2) communication methods, specifically its use of secure WebSockets.
- Identify the overlap and similarities between STOCKSTAY and Turla’s older KAZUAR framework.
- Gain insights into defensive strategies and Indicators of Compromise (IoCs) to detect and mitigate such threats.
You Should Know:
1. The Anatomy of STOCKSTAY: A Multi-Component .NET Backdoor
STOCKSTAY is not a monolithic piece of malware but a multi-component system written in .NET using the Windows Forms framework. Its modular architecture lets Turla operators deploy only the functionality a given intrusion needs, which makes it a flexible and powerful espionage tool. The backdoor is composed of several key components that work in concert:
StockStay.MarketMaker: This is the initial downloader. It runs in the background, is proxy-aware, and is responsible for fetching the main payload from a remote server. It also sets up autorun entries so that the core backdoor components persist across reboots.
StockStay.StockBroker: This component acts as a proxy-aware tunneler, handling all network communication. It establishes and maintains the connection to the C2 server.
StockStay.StockMarket: This is the orchestrator module that enables the backdoor’s configurability. It reads an encrypted on-disk configuration file that dictates various execution options.
StockStay.StockTrader: This is the core backdoor component that executes the actual commands on the infected machine. Its capabilities are extensive and include file download, exfiltration, and modification, folder tampering, screen capture, task processing, registry modification, process execution, and comprehensive system information harvesting.
These components communicate with each other using an inter-process communication (IPC) channel. To evade detection, the malware is designed to run only on weekdays between 9 AM and 6 PM, deliberately mimicking normal business hours.
2. Infection Vectors: Phishing, RDP, and Compromised Infrastructure
Turla’s operators have demonstrated a high level of sophistication in their initial access methods, primarily relying on social engineering and the abuse of trusted infrastructure.
Phishing Campaigns with Academic and Diplomatic Lures: Turla consistently uses themes related to academia and diplomacy to trick victims. They have sent phishing emails from a compromised Ukrainian university email account and abused a diplomatic education platform. The malicious files, often MSI installers named “DiplomacyEduAI,” are designed to appear legitimate.
Malicious RDP Configuration Files: In early 2025, Turla widely distributed malicious Remote Desktop Protocol (RDP) configuration files. Victims who opened these attachments inadvertently connected their computers to attacker-controlled infrastructure.
Compromised Local Infrastructure: Perhaps most concerning is Turla’s use of compromised Ukrainian infrastructure to stage and deliver payloads. This includes a website belonging to the State Regulatory Service of Ukraine and a WordPress server hosted within the country. By using trusted local sources, the group can bypass security controls that would typically flag connections to foreign, malicious servers.
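The RDP lure described above works because an .rdp file is a plain-text list of `name:type:value` settings that mstsc.exe applies without asking: `full address` picks the server, `drivestoredirect` and `redirectclipboard` hand the remote side local drives and clipboard, and `remoteapplicationmode` launches an attacker-chosen program instead of a desktop. The following triage script is an added example, not code from the article or from GTIG; the trusted-host allowlist, the sample files and the `192.0.2.10` address are constructed for illustration.

```python
"""Triage an .rdp attachment before anyone double-clicks it.

Added example (not from the original article or from GTIG). The .rdp format
is `name:type:value` per line (type s = string, i = integer, b = binary).
The parser pulls out the settings that matter when a file is used as a lure:
where it connects, whether local drives, clipboard, printers or smart cards
are redirected to the remote side, and whether a RemoteApp auto-launches.
"""
import re

# Hosts this organisation actually uses for RDP (constructed for the example).
TRUSTED_RDP_HOSTS = {"ts.corp.example"}

RDP_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(text: str) -> dict:
    """Return {setting_name: value}; integer settings are converted, junk lines skipped."""
    settings = {}
    for raw in text.splitlines():
        m = RDP_LINE.match(raw.strip())
        if not m:
            continue
        name, typ, value = m.group("name").lower(), m.group("type"), m.group("value")
        if typ == "i" and value.lstrip("-").isdigit():
            settings[name] = int(value)
        else:
            settings[name] = value
    return settings


def triage_rdp(text: str, trusted_hosts=TRUSTED_RDP_HOSTS) -> list:
    """Return the reasons an .rdp file looks like an attacker-controlled lure (empty = clean)."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "")
    host_only = host.split(":")[0].lower()  # strip an explicit port
    if not host:
        findings.append("no 'full address' set")
    elif host_only not in trusted_hosts:
        findings.append(f"connects to untrusted host {host}")
    # Drive redirection gives the remote side read/write access to local disks.
    if s.get("drivestoredirect") not in (None, ""):
        findings.append(f"local drives redirected: {s['drivestoredirect']}")
    for key, label in (("redirectclipboard", "clipboard"),
                       ("redirectprinters", "printers"),
                       ("redirectsmartcards", "smart cards")):
        if s.get(key) == 1:
            findings.append(f"{label} redirected to remote side")
    # RemoteApp mode runs an attacker-chosen program and hides the full desktop.
    if s.get("remoteapplicationmode") == 1:
        findings.append(f"RemoteApp auto-launch: {s.get('remoteapplicationprogram', '?')}")
    if s.get("prompt for credentials") == 0 and s.get("username"):
        findings.append("credential prompt suppressed with preset username")
    return findings


# Constructed samples; the address is from the TEST-NET documentation range.
MALICIOUS_SAMPLE = """\
screen mode id:i:2
full address:s:192.0.2.10:3389
username:s:guest
prompt for credentials:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||AWS
"""

BENIGN_SAMPLE = """\
full address:s:ts.corp.example
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_rdp(sample) or ["no findings"])
```

Run it from a mail-gateway hook or an analyst's shell against any `.rdp` attachment; anything that connects outside the allowlist while redirecting drives or clipboard should be quarantined rather than delivered, and a mail policy that blocks `.rdp` attachments outright is the simpler control where the business does not need them.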
3. Secure Communication with WebSockets
A key feature of STOCKSTAY is its use of a secure WebSocket connection (wss://, i.e. WebSocket over TLS) for C2 communication, implemented with the open-source library websocket-sharp. WebSockets are common in real-time web applications, so a long-lived encrypted WebSocket session to a web server looks much like the traffic of a browser tab or a collaboration tool, and defenders cannot separate the C2 channel from legitimate web traffic on protocol alone. Hiding command traffic inside a protocol that ordinary applications already use is a hallmark of advanced threat actors.
4. The KAZUAR Connection: A Deliberate Evolution
GTIG researchers noted that STOCKSTAY shares significant code and functionality with KAZUAR, another well-known Turla malware framework that has been in use since at least 2015. The similarities are not coincidental; it appears that STOCKSTAY was deliberately developed in KAZUAR’s image, reflecting the group’s extensive experience with the older toolkit. This suggests a strategy of maintaining redundant, parallel malware ecosystems to ensure persistent access even when individual tools are discovered and remediated.
5. Defensive Measures and Indicators of Compromise (IoCs)
To defend against threats like STOCKSTAY, organizations, particularly those in government, military, and diplomatic sectors, should implement a multi-layered security strategy.
Network Monitoring: Given STOCKSTAY’s use of WebSockets, network security teams should monitor for unusual WebSocket traffic, especially to new or untrusted domains. Anomaly detection systems that baseline normal traffic patterns can help identify these deviations.
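The WebSocket channel in section 3 and the monitoring advice above come down to the same hunt: a WebSocket session begins with an HTTP 101 "Switching Protocols" response to a request carrying `Upgrade: websocket`, so every such record in an egress or proxy log is a candidate, and the ones to hosts outside the baseline, held open for a long time, or appearing only inside the weekday business-hours window that STOCKSTAY is reported to keep deserve a look. The script below is an added example, not the article's or GTIG's code; it assumes a JSON-lines proxy log with the field names used here (`ts`, `src`, `host`, `status`, `upgrade`, `duration_s`, `bytes_out`), and the allowlist and sample records are constructed.

```python
"""Flag WebSocket sessions that do not match the environment's baseline.

Added example, not code from the original article or from GTIG. Assumes a
JSON-lines proxy/egress log with the fields used below; field names, the
allowlist and the sample records are constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Destinations that legitimately use WebSockets in this environment (constructed).
WEBSOCKET_ALLOWLIST = {"chat.corp.example", "collab.saas.example"}
LONG_SESSION_S = 30 * 60  # flag sessions held open for 30 minutes or more


def is_websocket_upgrade(rec: dict) -> bool:
    """A 101 response with Upgrade: websocket is the start of a WebSocket session."""
    return rec.get("status") == 101 and str(rec.get("upgrade", "")).lower() == "websocket"


def in_business_hours(ts: str) -> bool:
    """True for Mon-Fri 09:00-18:00; uses UTC here, use the host's local zone in practice."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return t.weekday() < 5 and 9 <= t.hour < 18


def analyse(log_lines) -> dict:
    """Aggregate WebSocket upgrades per destination host and attach reasons to look closer."""
    per_host = defaultdict(lambda: {"sessions": 0, "sources": set(), "long": 0,
                                    "business_hours": 0, "bytes_out": 0, "reasons": []})
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if not is_websocket_upgrade(rec):
            continue
        h = per_host[rec["host"]]
        h["sessions"] += 1
        h["sources"].add(rec["src"])
        h["bytes_out"] += rec.get("bytes_out", 0)
        if rec.get("duration_s", 0) >= LONG_SESSION_S:
            h["long"] += 1
        if in_business_hours(rec["ts"]):
            h["business_hours"] += 1
    for host, h in per_host.items():
        if host not in WEBSOCKET_ALLOWLIST:
            h["reasons"].append("host not in WebSocket allowlist")
        if h["long"]:
            h["reasons"].append(f"{h['long']} session(s) >= {LONG_SESSION_S // 60} min")
        # Business-hours-only activity is weak on its own; it only adds weight.
        if h["sessions"] >= 3 and h["business_hours"] == h["sessions"]:
            h["reasons"].append("all sessions inside weekday business hours")
        h["sources"] = sorted(h["sources"])
    return dict(per_host)


def suspicious_hosts(log_lines) -> list:
    """Hosts with at least one reason, sorted, for feeding into a ticket or a watchlist."""
    return sorted(host for host, h in analyse(log_lines).items() if h["reasons"])


# Constructed sample log: one legitimate collaboration tool and one unknown host
# that is only ever contacted on weekdays during working hours (2025-03-03 is a Monday).
SAMPLE_LOG = """
{"ts":"2025-03-03T09:12:00Z","src":"10.0.0.21","host":"collab.saas.example","status":101,"upgrade":"websocket","duration_s":400,"bytes_out":2048}
{"ts":"2025-03-03T09:15:00Z","src":"10.0.0.21","host":"cdn.example.net","status":200,"upgrade":"","duration_s":1,"bytes_out":300}
{"ts":"2025-03-03T09:30:00Z","src":"10.0.0.21","host":"update-node.example.org","status":101,"upgrade":"websocket","duration_s":7200,"bytes_out":51200}
{"ts":"2025-03-04T10:05:00Z","src":"10.0.0.21","host":"update-node.example.org","status":101,"upgrade":"websocket","duration_s":6900,"bytes_out":48000}
{"ts":"2025-03-05T14:40:00Z","src":"10.0.0.21","host":"update-node.example.org","status":101,"upgrade":"websocket","duration_s":7100,"bytes_out":50100}
{"ts":"2025-03-08T23:00:00Z","src":"10.0.0.33","host":"collab.saas.example","status":101,"upgrade":"websocket","duration_s":120,"bytes_out":900}
"""

if __name__ == "__main__":
    for host, h in analyse(SAMPLE_LOG.splitlines()).items():
        print(host, h["sessions"], h["reasons"] or ["baseline"])
```

The allowlist is the part that needs real work: build it from a few weeks of your own proxy data before turning the "not in allowlist" reason into an alert, and treat a newly registered or never-before-seen destination that also holds sessions open for hours as the strongest combination.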
Email Security: Strengthen email security with advanced threat protection that can detect and block phishing emails, especially those with academic or diplomatic themes. Implement strict policies for handling email attachments, particularly RDP configuration files and MSI installers.
Endpoint Detection and Response (EDR): Deploy and maintain EDR solutions capable of detecting the multi-component nature of STOCKSTAY. MarketMaker, StockBroker, StockMarket and StockTrader are .NET component names rather than guaranteed process names, so hunt for them in loaded .NET assemblies, module names and the autorun entries the downloader creates, and monitor for unusual inter-process communication between otherwise unremarkable .NET processes.
System Hardening: Apply the principle of least privilege. Restrict the execution of MSI files and RDP connections from untrusted sources. Regularly patch systems to mitigate known vulnerabilities, such as the WinRAR path traversal flaw (CVE-2025-8088) exploited in one campaign.
Configuration File Monitoring: The encrypted on-disk configuration file used by STOCKSTAY is a potential IoC. An encrypted blob has near-maximal byte entropy and no recognisable file header, so tools that scan system and user-profile directories for high-entropy files that match no known format can aid in detection.
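A minimal version of that scan, as an added example that is not the article's or GTIG's code: compute Shannon entropy per file, skip files whose magic bytes identify a legitimately compressed or packed format, and report what is left. The 7.5 bits/byte threshold, the magic table and the in-memory sample blobs are assumptions for the example; baseline the threshold on clean hosts before alerting on it.

```python
"""Find high-entropy files that carry no recognisable format header.

Added example, not the article's or GTIG's code. Encrypted data has Shannon
entropy close to 8 bits/byte and, unlike ZIP/PNG/PE files, no magic bytes;
this scanner scores files on that basis. Threshold, magic table and the
constructed samples are assumptions for the example.
"""
import math
import os
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; random/encrypted data approaches 8.0
MIN_SIZE = 256           # tiny files give meaningless entropy estimates

# Formats that are legitimately high-entropy (compressed or packed); a file
# starting with one of these headers is not reported.
KNOWN_MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP/OOXML/JAR",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"%PDF": "PDF",
    b"7z\xbc\xaf": "7-Zip",
    b"Rar!": "RAR",
}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    """Name of the first matching magic header, or None."""
    return next((name for magic, name in KNOWN_MAGIC.items() if data.startswith(magic)), None)


def classify(data: bytes) -> dict:
    """Return entropy, detected format and whether the blob looks like ciphertext."""
    ent = shannon_entropy(data)
    fmt = known_format(data)
    suspicious = len(data) >= MIN_SIZE and ent >= ENTROPY_THRESHOLD and fmt is None
    return {"entropy": round(ent, 3), "format": fmt, "suspicious": suspicious}


def scan_directory(root: str, max_size: int = 64 * 1024 * 1024) -> list:
    """Walk `root` and return (path, classification) for files that look encrypted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished; not worth aborting the scan
            info = classify(data)
            if info["suspicious"]:
                hits.append((path, info))
    return hits


# Constructed samples: deterministic pseudo-random bytes stand in for ciphertext.
_rng = random.Random(1)
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
PNG_LIKE = b"\x89PNG\r\n\x1a\n" + bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_TEXT = b"[settings]\nserver=example.invalid\nretry=5\n" * 100

if __name__ == "__main__":
    for label, blob in (("random blob", ENCRYPTED_BLOB), ("png-like", PNG_LIKE), ("text", PLAIN_TEXT)):
        print(label, classify(blob))
    for path, info in scan_directory(os.environ.get("SCAN_ROOT", ".")):
        print(path, info)
```

Expect noise from legitimate secrets stores, certificate blobs and browser caches; pair the entropy hit with the file's owner, creation time and the process that last wrote it before treating it as evidence.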
What Undercode Say:
- Key Takeaway 1: The STOCKSTAY backdoor is a clear indicator of Turla’s continued investment in sophisticated, modular espionage tools. Its multi-component architecture and secure communication channels make it a formidable threat that requires equally sophisticated defensive measures.
- Key Takeaway 2: The use of compromised local infrastructure for payload delivery represents a significant escalation. It demonstrates a deep understanding of network trust models and an ability to operate within the victim’s own digital ecosystem, making attribution and detection considerably more challenging.
Analysis:
The disclosure of STOCKSTAY by GTIG highlights the persistent and evolving nature of state-sponsored cyber threats. Turla’s ability to develop and deploy a new, parallel malware framework while maintaining its older KAZUAR toolset underscores a strategic commitment to redundancy and resilience. The group’s focus on Ukrainian government and military targets, as well as European diplomatic entities, aligns directly with Russian geopolitical interests, indicating that these operations are likely to continue and potentially expand. The use of academic and diplomatic lures, combined with the exploitation of trusted local infrastructure, points to a highly adaptive threat actor that prioritizes operational security and stealth. For defenders, this means a shift away from relying solely on signature-based detection and towards a more proactive, behavioral-based approach to threat hunting and incident response.
Prediction:
- -1 The continued development and deployment of STOCKSTAY against Ukrainian and European targets will likely lead to an escalation in cyber-espionage activities, potentially resulting in significant data breaches and further geopolitical tensions.
- -1 As Turla refines its techniques, we can expect to see more sophisticated variants of STOCKSTAY that incorporate even better evasion tactics, potentially including the use of AI for targeted phishing and adaptive behavior.
- +1 The detailed analysis and public disclosure of STOCKSTAY by Google Threat Intelligence Group will empower the global cybersecurity community with the knowledge needed to develop better detection and mitigation strategies, ultimately raising the bar for threat actors.
Reported By: Varshu25 Turla – Hackers Feeds