# Turla's StockStay Malware: A Persistent Threat to Ukrainian and European Organizations

A previously little-known malware strain, **StockStay**, has been actively developed and deployed by the Russian state-backed hacking group **Turla** to conduct espionage against Ukrainian government and military entities, as well as targets across Europe. New research from **Google** details the evolution and tactics of this sophisticated threat, which shares significant code with earlier **Turla** frameworks.
Russian state-backed hackers have spent years developing and deploying a little-known malware strain to spy on Ukrainian government and military organizations, as well as entities of interest across Europe, according to new research.
## Unveiling StockStay
The malware, dubbed **StockStay**, has been under active development since at least December 2022, researchers at **Google** said in a report published on Thursday. It was primarily used to target Ukrainian government and defense organizations, although early samples of the malware were also identified in Italy, the Netherlands, Poland, and Germany.
## Turla's Enduring Campaign
**Turla**, also tracked as **Secret Blizzard** and **Venomous Bear**, is one of Russia's longest-running cyber-espionage groups and has been linked by Western governments and cybersecurity researchers to Russia's Federal Security Service (**FSB**).
**Google** said **StockStay** shares significant code and functionality with **Kazuar**, another **Turla** malware framework previously used in cyberespionage operations against military and defense targets in Ukraine. The researchers said they believe **StockStay** was deliberately developed in **Kazuar**'s image, reflecting the group's experience with the older toolkit.
"The group appears to be investing in redundant, parallel malware ecosystems to ensure persistent access even when individual tools are discovered and remediated," **Google** said in a statement to Recorded Future News, describing **Turla** as "an ongoing and active threat."
## Evolution of a Malicious Tool
Researchers said **StockStay** has evolved considerably since its first appearance. Originally disguised as a stock market application, the malware has more recently masqueraded as legitimate software such as PDF readers and calculator programs.
Victims were typically infected through phishing emails containing malicious Remote Desktop Protocol (**RDP**) configuration files that connected compromised computers to infrastructure controlled by the attackers, allowing them to deploy additional malware.
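As an added illustration of the RDP configuration file lure described above, here is defender-side triage code written for this page (not from Google's report, and not Turla tooling). It parses the `key:type:value` lines of an `.rdp` file, handles the UTF-16 encoding that `mstsc` normally saves with, and flags directives that point the connection at a host outside an allowlist or hand the remote host access to local drives, clipboard, smart cards or printers. The hostnames, the allowlist and both sample files are constructed for the example.

```python
"""Triage .rdp connection files from mail attachments (added example, constructed data)."""
import re

# Settings that expose local resources to the remote host, with the value that
# enables them. The descriptions are the author's wording, not vendor text.
RISKY_SETTINGS = {
    "drivestoredirect": (lambda v: v != "", "local drives redirected to the remote host"),
    "redirectclipboard": (lambda v: v == "1", "clipboard shared with the remote host"),
    "redirectsmartcards": (lambda v: v == "1", "smart cards exposed to the remote host"),
    "redirectprinters": (lambda v: v == "1", "printers redirected to the remote host"),
    "remoteapplicationmode": (lambda v: v == "1",
                              "RemoteApp mode: a remote program launches instead of a desktop"),
}

# One directive per line: <key>:<type>:<value>, where type is s (string), i (int) or b (binary).
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def decode_rdp(raw: bytes) -> str:
    """Files saved by mstsc are UTF-16 with a BOM; hand-crafted ones are often ASCII/UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_rdp(text: str) -> dict:
    """Return {key: (type, value)}; keys are case-folded, unparseable lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m["key"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def target_host(addr: str) -> str:
    """Strip an optional :port from 'full address'; bracketed IPv6 literals are unwrapped."""
    addr = addr.strip().lower()
    if addr.startswith("[") and "]" in addr:
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def triage(raw: bytes, allowed_hosts: set) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    settings = parse_rdp(decode_rdp(raw))
    findings = []
    host = target_host(settings.get("full address", ("s", ""))[1])
    if not host:
        findings.append("no 'full address' directive: connection target unknown")
    elif host not in allowed_hosts:
        findings.append(f"connects to unapproved host {host!r}")
    for key, (is_enabled, description) in RISKY_SETTINGS.items():
        if key in settings and is_enabled(settings[key][1]):
            findings.append(f"{key}: {description}")
    return findings


# Constructed samples. The suspicious one mimics a lure that hands the remote side
# the victim's drives and clipboard and launches a remote program on connect.
SUSPICIOUS_RDP = (
    "full address:s:remote.attacker-controlled.invalid:3389\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "remoteapplicationmode:i:1\r\n"
    "remoteapplicationprogram:s:||Viewer\r\n"
    "username:s:guest\r\n"
).encode("utf-16")  # emits a BOM, like files saved by mstsc

BENIGN_RDP = (
    "full address:s:jump.corp.example\r\n"
    "redirectclipboard:i:0\r\n"
    "screen mode id:i:2\r\n"
).encode("utf-8")

ALLOWED_HOSTS = {"jump.corp.example"}  # hypothetical corporate RDP gateways

if __name__ == "__main__":
    for name, sample in (("suspicious.rdp", SUSPICIOUS_RDP), ("benign.rdp", BENIGN_RDP)):
        findings = triage(sample, ALLOWED_HOSTS)
        print(f"{name}: {'FLAGGED' if findings else 'clean'}")
        for f in findings:
            print("  -", f)
```

In a mail gateway or endpoint pipeline the same `triage()` call would run on every `.rdp` attachment; a non-empty result is a reasonable quarantine trigger, since legitimate connection files rarely combine an unknown target with drive redirection or RemoteApp mode.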
Researchers said **Turla** repeatedly used academic and diplomatic themes to lure victims. In one campaign, the attackers sent phishing emails from a compromised account belonging to a Ukrainian university. In another, they abused a diplomatic education platform to distribute malicious emails and files.