Advisory · Published Jun 26, 2026 · 1 source

Turla’s StockStay Malware Targets Ukraine in Long-Running Espionage Campaign

Google researchers detail StockStay, a new Turla malware strain developed since 2022 to spy on Ukrainian government and military, with initial samples also found across Europe.

Russian state-sponsored hackers linked to the Turla group have been quietly developing and deploying a previously unknown malware strain, dubbed StockStay, to spy on Ukrainian government and military organizations, according to Google Threat Intelligence researchers. Active since at least December 2022, the malware has also been detected in Italy, the Netherlands, Poland and Germany. Turla, also known as Secret Blizzard and Venomous Bear, is one of Russia's longest-running cyber-espionage groups, tied to the country's Federal Security Service (FSB).

StockStay shares significant code and functionality with Kazuar, another Turla malware framework previously used against military and defense targets in Ukraine. Google researchers noted that StockStay was likely developed deliberately in Kazuar's image, reflecting Turla's operational experience. This parallel malware ecosystem underscores the group’s strategy of maintaining redundant access tools, ensuring persistence when individual malware families are discovered and remediated.

Initially disguised as a stock market application, StockStay has evolved over time to masquerade as legitimate software such as PDF readers and calculator programs. The infection vector involves phishing emails containing malicious Remote Desktop Protocol (RDP) configuration files. These files connect compromised machines to attacker-controlled infrastructure, enabling the deployment of additional malware payloads.
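Because the vector described above is an RDP configuration file that points a workstation at attacker infrastructure, a mail gateway or SOC can triage `.rdp` attachments before a user opens them. The script below is an added example, not code from the Google report: it parses the standard `key:type:value` layout of an `.rdp` file and flags connections to hosts outside a hypothetical allowlist of sanctioned gateways, plus settings that expose local resources to the remote host (the sample file, the allowlist and the choice of settings to flag are editorial assumptions).

```python
"""Triage an .rdp attachment: flag unapproved target hosts and resource redirection."""
from typing import Dict, List

# Constructed sample resembling a suspicious RDP configuration file (not a real sample).
SAMPLE_RDP = """screen mode id:i:2
full address:s:rdp.attacker-infra.invalid:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
username:s:user
"""

# Hypothetical allowlist of the organisation's sanctioned RDP gateways.
APPROVED_HOSTS = {"rdgw.corp.example"}

# Standard .rdp keys that hand local resources to the remote side; which ones to
# flag is an editorial assumption, not taken from the report.
REDIRECTION_KEYS = ("drivestoredirect", "redirectclipboard", "redirectprinters", "redirectsmartcards")


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'key:type:value' lines into a lower-cased key -> value map."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            key, _type, value = parts
            settings[key.strip().lower()] = value.strip()
    return settings


def assess_rdp(text: str, approved_hosts=APPROVED_HOSTS) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    settings = parse_rdp(text)
    findings: List[str] = []
    address = settings.get("full address", "")
    host, _, port = address.rpartition(":")
    if not port.isdigit():          # no numeric port suffix: whole value is the host
        host = address
    if not host:
        findings.append("no 'full address' in file")
    elif host.lower() not in approved_hosts:
        findings.append(f"connects to unapproved host {host}")
    for key in REDIRECTION_KEYS:
        value = settings.get(key, "")
        if value not in ("", "0"):
            findings.append(f"{key}={value} exposes local resources to the remote host")
    if settings.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode: a remote program launches on connect")
    return findings


if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP):
        print("FLAG:", finding)
```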

Turla's social engineering tactics rely heavily on academic and diplomatic themes. In one campaign, attackers used a compromised Ukrainian university email account to send phishing messages. Another campaign abused a diplomatic education platform to distribute malicious emails and files. These approaches allowed the group to infiltrate high-value targets across Ukraine and Europe.

The discovery of StockStay adds to the growing body of evidence that Russian state-sponsored cyber operations against Ukraine have intensified since the onset of the full-scale invasion. Turla's investment in redundant malware toolkits highlights the challenges faced by defenders, as even when one tool is exposed, others remain active and in use.

Google urged organizations—particularly those in government, defense, and diplomatic sectors—to remain vigilant against spear-phishing attacks employing RDP-based payloads. The report recommends implementing multi-factor authentication, restricting RDP usage, and monitoring for unusual network connections to mitigate the threat posed by Turla’s espionage efforts.

Synthesized by Vypr AI