Full Report
The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called STOCKSTAY that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy. Describing the Windows backdoor as continually developed by the hacking group, Google Threat Intelligence Group (
Analysis Summary
# Threat Actor: Turla
## Attribution & Identity
* **Name:** Turla
* **Aliases:** Snake, Venomous Bear, Waterbug, Krypton, UAC-0003, Iron Hunter
* **Attribution:** Russian state-sponsored (associated with the FSB)
* **Known Associations:** Shares significant code and functional overlaps with the **Kazuar** malware family, a staple of Turla’s arsenal since 2017.
## Activity Summary
Google Threat Intelligence Group (GTIG) has identified a new multi-component .NET backdoor named **STOCKSTAY**. Development of the tool likely began in December 2022. Recent operations (early 2025 through late 2025) have utilized academic and diplomatic lures to deliver the malware, primarily focusing on geopolitical interests surrounding Ukraine and European foreign policy.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing emails containing malicious RDP (.rdp) file attachments to establish connections to actor-controlled infrastructure.
* **Evasion/Masquerading:** Early versions mimicked stock market data tools; later versions masqueraded as PDF viewers and calculator utilities.
* **Persistence/Execution:** Use of a downloader component (MARKETMAKER) to fetch and execute secondary modules.
* **Inter-Process Communication (IPC):** Components communicate via exchange of `WM_COPYDATA` messages.
* **C2 Communication:** Uses secure WebSockets via the open-source `websocket-sharp` library.
* **Anti-Analysis:** Uses a custom Python-based server controller that prevents platform operators from decrypting inbound messages, obfuscating infrastructure location.
* **MITRE ATT&CK Techniques (Inferred):**
  * T1566.001 (Phishing: Spearphishing Attachment)
  * T1021.001 (Remote Services: Remote Desktop Protocol)
  * T1036 (Masquerading)
  * T1071.001 (Application Layer Protocol: Web Protocols)
  * T1113 (Screen Capture)
## Targeting
* **Sectors:** Government, Military, Academic, Diplomatic.
* **Geography:** Ukraine (Primary), Italy, Netherlands, Poland, and Germany.
* **Victims:** Organizations with specific interests in Italian foreign policy and Ukrainian military/government entities.
## Tools & Infrastructure
* **Malware Families:**
  * **STOCKSTAY.MARKETMAKER:** Downloader/Installer.
  * **STOCKSTAY.STOCKBROKER:** Proxy-aware tunneler utilizing WebSockets.
  * **STOCKSTAY.STOCKTRADER:** Main backdoor for data exfiltration and command execution.
  * **STOCKSTAY.STOCKMARKET:** Orchestrator and configuration parser.
  * **Kazuar:** Related historical backdoor.
* **Infrastructure:**
  * **GitHub:** Repository `ChikenFresh/google-ai-labs-it` (defanged: hxxps[://]github[.]com/ChikenFresh/google-ai-labs-it).
  * **C2:** Multi-hop infrastructure utilizing secure WebSocket servers.
## Implications
The deployment of STOCKSTAY demonstrates Turla’s commitment to continuous tool development and its focus on the conflict in Ukraine. By mimicking legitimate tools and using RDP-based phishing, the group evades traditional email security filters. The overlap with Kazuar suggests a long-term evolution of their codebase to maintain access to high-value targets in Europe.
## Mitigations
* **RDP Filtering:** Block or strictly monitor inbound and outbound Remote Desktop Protocol (.rdp) files and connections at the mail gateway and perimeter.
* **Endpoint Monitoring:** Monitor for suspicious `WM_COPYDATA` IPC activity between unrelated processes.
* **Network Defense:** Inspect and alert on unusual WebSocket traffic, particularly connections originating from non-browser processes or unconventional .NET applications.
* **User Training:** Educate personnel on the risks of opening unexpected RDP attachments and diplomatic-themed lures.
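The RDP Filtering mitigation above can be enforced at a mail gateway by parsing `.rdp` attachments and flagging any that connect to a host outside an organisation's allow-list. The following is an added example written for this summary, not code from GTIG or from the report: it assumes a placeholder allow-list (`rdp.corp.example`) and a constructed sample attachment, and, going beyond the page, also flags drive redirection, clipboard sharing and RemoteApp mode, which are standard `.rdp` settings a reviewer would want to see before letting such a file through.

```python
from __future__ import annotations
import re

# Sample .rdp attachment, constructed for this example (not taken from the report).
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:203.0.113.45:3389
username:s:guest
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
"""

# Hosts the organisation legitimately publishes .rdp files for (assumed allow-list).
TRUSTED_HOSTS = {"rdp.corp.example"}

_LINE = re.compile(r"^([^:]+):([sib]):(.*)$")

def parse_rdp(text: str) -> dict[str, str | int]:
    """Parse 'key:type:value' lines of an .rdp file; 'i' values become ints."""
    settings: dict[str, str | int] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        key, typ, value = m.groups()
        if typ == "i" and value.lstrip("-").isdigit():
            settings[key.lower()] = int(value)
        else:
            settings[key.lower()] = value
    return settings

def assess_rdp(text: str, trusted: set[str] = TRUSTED_HOSTS) -> list[str]:
    """Return the reasons a gateway should block or quarantine this .rdp file."""
    s = parse_rdp(text)
    reasons: list[str] = []
    host = str(s.get("full address", "")).rsplit(":", 1)[0]  # drop ':port'
    if not host:
        reasons.append("no target host")
    elif host.lower() not in trusted:
        reasons.append(f"untrusted target host {host}")
    if s.get("drivestoredirect"):
        reasons.append("local drives redirected to the remote host")
    if s.get("redirectclipboard") == 1:
        reasons.append("clipboard shared with the remote host")
    if s.get("remoteapplicationmode") == 1:
        reasons.append("RemoteApp mode: a remote program runs on connect")
    return reasons
```

An empty list means the file only targets an allow-listed host with no resource redirection; anything else should be quarantined for review rather than delivered.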