Turla’s STOCKSTAY Backdoor Targets Ukrainian and Italian Entities with Stock-Market Disguise
Mandiant details STOCKSTAY, a .NET backdoor used by Russia-linked Turla since 2022 against Ukrainian government and Italian foreign policy entities.

Google Threat Intelligence Group (GTIG) has published an in-depth analysis of STOCKSTAY, a multi-component .NET backdoor that the Russia-linked threat actor Turla has continuously developed and deployed since at least December 2022. The malware targets government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy, as part of Turla's ongoing cyber espionage operations. STOCKSTAY shares significant code and functional overlaps with KAZUAR, a sophisticated toolkit previously attributed to Turla, highlighting the group's continued evolution of its arsenal.
STOCKSTAY is built using the Windows Forms framework and communicates with its command-and-control (C2) infrastructure via secure WebSocket connections powered by the open-source websocket-sharp library. The backdoor consists of several distinct components that coordinate through inter-process communication (IPC) based on WM_COPYDATA messages. Initially, the malware masqueraded as a stock market data viewing tool, embedding this disguise in file names and configuration storage. However, by 2025, Mandiant observed variants mimicking benign applications like PDF viewers and calculator utilities.
One key component is STOCKSTAY.STOCKBROKER, a proxy-aware tunneler that handles network communications. It establishes secure WebSocket connections to remote servers and acts as a relay between the server and the STOCKSTAY.STOCKMARKET orchestrator. This design isolates the malware's network activity from its other host-based operations. STOCKSTAY.STOCKMARKET, referred to internally as 'cor', serves as the orchestrator and loads encrypted configuration files that are disguised as legitimate cryptocurrency market data. The configuration specifies C2 server details, encryption keys, and operational parameters.
Turla, also known as SUMMIT, Secret Blizzard, VENOMOUS BEAR, and UAC-0194, is one of the oldest known cyber espionage groups, with activity dating back to at least 2004. The group is attributed to Center 16 of Russia's Federal Security Service (FSB). Turla has continued to innovate, deploying scripts to intercept Signal Messenger communications, hijacking legacy criminal botnets to target Ukrainian organizations, and using the KAZUAR toolkit against military defense sectors. STOCKSTAY represents another evolution in their delivery methods.
The impact of this campaign is significant given Turla's historical focus on Western Ministries of Foreign Affairs and defense organizations, particularly in the context of geopolitical tensions. The use of stock-market disguises and legitimate WebSocket libraries allows the malware to blend in with normal network traffic, complicating detection. Mandiant's analysis provides indicators of compromise and persistence mechanisms to assist defenders in identifying STOCKSTAY infections.
This disclosure underscores the persistent threat posed by state-sponsored actors like Turla, who continue to refine their tools and techniques while maintaining a focus on high-value espionage targets. Organizations in government, defense, and foreign policy sectors should review Mandiant's report for detection guidance and remain vigilant against sophisticated backdoors leveraging evasive C2 methods.