Turla Unleashes 'STOCKSTAY' .NET Backdoor Against Ukrainian and European Targets
The Russian state-sponsored hacking group **Turla** has been linked to a sophisticated new .NET backdoor, dubbed **STOCKSTAY**. This multi-component malware targets government and military organizations, primarily in Ukraine, and entities with interests in Italian foreign policy. **STOCKSTAY** exhibits significant functional and code similarities with **Turla's** long-standing **Kazuar** backdoor, suggesting a continuous evolution of their cyber espionage toolkit.
The notorious Russian state-sponsored threat actor, **Turla**, has been observed deploying a previously undocumented .NET backdoor named **STOCKSTAY**. This advanced cyber espionage tool primarily targets government and military organizations in Ukraine, as well as entities involved in Italian foreign policy.
### Evolving Espionage: STOCKSTAY's Genesis
**Google Threat Intelligence Group (GTIG)** reports that **STOCKSTAY** is under continuous development by **Turla**. The Windows backdoor shares significant code and functional overlaps with **Kazuar**, an implant that has been a staple in **Turla's** arsenal since 2017. Development activity for **STOCKSTAY** is suspected to date back to December 2022.
"**STOCKSTAY** is a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command-and-control (C2) via a secure WebSocket connection, utilizing the open-source **websocket-sharp** library," **GTIG** stated.
The malware's architecture is built on several distinct components that communicate through an inter-process communication (IPC) channel, leveraging **WM_COPYDATA** messages.
### A Modular Approach to Infiltration
Initially designed to mimic a stock market data viewing tool, **STOCKSTAY** has since been adapted to masquerade as benign programs like PDF viewers and calculator utilities. The infection chain begins with a downloader component, codenamed **STOCKSTAY.MARKETMAKER**, which then installs and executes three additional modules:
* **STOCKSTAY.STOCKBROKER**: A proxy-aware tunneler facilitating secure WebSocket communication to the C2 server for the entire **STOCKSTAY** suite.
* **STOCKSTAY.STOCKTRADER**: The primary backdoor module responsible for information gathering.
* **STOCKSTAY.STOCKMARKET**: An orchestrator that parses the backdoor's configuration, setting parameters like the WebSocket server, time intervals, and operational days. It coordinates communication between **STOCKSTAY.STOCKBROKER** and **STOCKSTAY.STOCKTRADER**.

### Extensive Command Capabilities
**STOCKSTAY.STOCKTRADER** possesses a wide array of commands, enabling comprehensive control and data exfiltration:
* `Del`: Delete specified files.
* `Dir`: Enumerate specified directories.
* `Get`: Fetch files matching certain extensions.
* `MkDir`: Create directories.
* `RmDir`: Delete specified directories.
* `Image`: Perform a screen capture.
* `MultyTask`: Run a semicolon-separated list of tasks.
* `Put`: Upload a file to the device.
* `RegRead`: Read a Windows Registry value.
* `RegDelete`: Delete a Windows Registry value.
* `RegWrite`: Set a Windows Registry value.
* `Run`: Execute a new process.
* `Sysinfo`: Gather system information.
* `UnpackArchive`: Extract a specified ZIP file.
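The command names above, the `websocket-sharp` dependency, and the .NET string encodings give a defender enough to write a first-pass triage check. The following Python is an added example for this article, not GTIG's tooling or anything published with the report; it assumes that command names live in the assembly's UTF-16LE user-string heap and that library references appear as ASCII, and the two sample buffers are constructed here rather than taken from real samples.

```python
# Triage heuristic: look for STOCKSTAY.STOCKTRADER command names and the
# websocket-sharp reference in a raw .NET assembly image.
# Assumption: .NET user strings (#US heap) are UTF-16LE; assembly reference
# names (#Strings heap) are UTF-8/ASCII. Matches are plain substring matches.

# Command names documented for STOCKSTAY.STOCKTRADER in the GTIG reporting.
STOCKTRADER_COMMANDS = [
    "Del", "Dir", "Get", "MkDir", "RmDir", "Image", "MultyTask", "Put",
    "RegRead", "RegDelete", "RegWrite", "Run", "Sysinfo", "UnpackArchive",
]
# Library named in the report for the STOCKBROKER C2 channel.
LIBRARY_REFS = ["websocket-sharp"]


def find_utf16_strings(data: bytes, needles):
    """Return the needles present as UTF-16LE (the #US heap encoding)."""
    return sorted({n for n in needles if n.encode("utf-16-le") in data})


def find_ascii_strings(data: bytes, needles):
    """Return the needles present as ASCII (assembly/type reference names)."""
    return sorted({n for n in needles if n.encode("ascii") in data})


def triage(data: bytes, min_commands: int = 6) -> dict:
    """Score a file image. Short generic names such as "Run" or "Get" occur in
    countless assemblies, so several commands must co-occur; the distinctive
    misspelling "MultyTask" together with websocket-sharp is also enough."""
    cmds = find_utf16_strings(data, STOCKTRADER_COMMANDS)
    libs = find_ascii_strings(data, LIBRARY_REFS)
    suspicious = len(cmds) >= min_commands or ("MultyTask" in cmds and bool(libs))
    return {"commands": cmds, "libraries": libs, "suspicious": suspicious}


def _utf16(*words):
    # Constructed: emulate user strings laid out NUL-separated in a #US heap.
    return b"\x00\x00".join(w.encode("utf-16-le") for w in words)


# Constructed sample buffers (not real malware bytes): one carrying seven of the
# documented commands plus the library reference, one benign-looking Forms app.
SAMPLE_SUSPECT = (b"MZ\x90\x00" + b"websocket-sharp\x00"
                  + _utf16("MultyTask", "RegWrite", "UnpackArchive",
                           "Sysinfo", "Image", "Put", "Del"))
SAMPLE_BENIGN = (b"MZ\x90\x00" + b"System.Windows.Forms\x00"
                 + _utf16("Run", "Get", "OK", "Cancel"))

if __name__ == "__main__":
    for name, buf in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, triage(buf))
```

Run it against a directory of .NET binaries by reading each file into `triage()`; hits are a prompt for manual analysis, not a verdict, because substring matching also fires on `Dir` inside `MkDir`.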
**Google** also identified a public **GitHub** repository (`ChikenFresh/google-ai-labs-it`) containing a Python implementation of the victim-facing **STOCKSTAY** WebSocket server controller. This server handles inbound messages and logs IP addresses, but its inability to decrypt messages prevents external introspection, further obscuring the threat actor's infrastructure. This setup mirrors **Turla's** multi-hop **Kazuar** C2 infrastructure.
### Targeting and Delivery Methods
**STOCKSTAY** campaigns consistently employ academic or diplomatic lures, primarily targeting government and military entities in Ukraine. Earlier versions of the backdoor were observed in attacks against organizations in Italy, the Netherlands, Poland, and Germany, though specific targets in these European nations remain undisclosed.

Delivery methods have varied:
* **Malicious RDP files**: In early 2025, phishing emails with malicious RDP file attachments established connections to actor-controlled infrastructure for subsequent payload deployment, including **STOCKSTAY**.
* **WinRAR Vulnerability (CVE-2025-8088)**: A November 2025 phishing wave targeting Ukraine delivered the implant via RAR archives exploiting **CVE-2025-8088**. This **WinRAR** flaw has been actively exploited by other Russian hacking groups such as **Sandworm**, **Gamaredon**, and **RomCom**.
* **MSI Installers and HTA Scripts**: Other campaigns leveraged MSI installers (some hosted on **GitHub**) and RAR files containing HTML Application (HTA) scripts. These scripts executed a **STOCKSTAY.MARKETMAKER** variant, which then retrieved a ZIP archive of the main **STOCKSTAY** components from a compromised **WordPress** instance.
### Strategic Deployment and Kazuar Commonalities
**Turla** has strategically deployed **STOCKSTAY** at multiple stages of their operations: for initial access into unprofiled environments and for post-exploitation on specific, pre-identified hosts. This targeted deployment suggests the actors possess existing access or detailed reconnaissance of the target environment.
"This configuration implies that, at this stage, the actor knows exactly which machine is being targeted, likely through existing accesses to the target environment," **GTIG** explained. This was evident in Ukrainian networks where **STOCKSTAY** was deployed late in operations that had previously relied on **Turla's** other tools, such as **Kazuar**.
The functional overlaps between **STOCKSTAY** and **Kazuar** are significant, particularly in how responsibilities are compartmentalized across different modules. **Microsoft Threat Intelligence** previously detailed **Kazuar's** **Kernel**, **Bridge**, and **Worker** modules. The first detection of **STOCKSTAY's** role-based component separation was in a sample uploaded to **VirusTotal** in December 2023 from the Netherlands.
These commonalities lead to the strong possibility that both **STOCKSTAY** and **Kazuar** may share developers or development teams.
"We believe that **STOCKSTAY** is being developed in **KAZUAR's** image, with several design decisions likely spawning from the threat actor's wealth of experience in conducting operations using this long-standing toolkit," **Google** concluded. "Both ecosystems rely heavily on .NET development, and have been observed using compromised **WordPress** sites during various stages of their operations."
**Google** assesses with low confidence that the concurrent deployment of **STOCKSTAY** alongside **Kazuar** in active operations might indicate **Turla's** intent to test new capabilities, especially when anticipating potential remediation of their existing access.