Ethical Hacking News
The Turla group has been attributed with a new backdoor called STOCKSTAY, which has been deployed against government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy. The backdoor shares substantial code and functional overlaps with Kazuar and is part of Turla's ongoing evolution of malware tactics. Understanding the implications of STOCKSTAY on the cybersecurity world requires a closer examination of its development process and deployment methods.
The threat landscape has witnessed sophisticated attacks by state-sponsored actors, including Turla, which has been linked to the new backdoor STOCKSTAY. Google Threat Intelligence Group (GTIG) attributed STOCKSTAY to Turla, with suspected development activity dating back to December 2022. The architecture of STOCKSTAY consists of multiple components that communicate over an inter-process communication channel based on WM_COPYDATA messages. Turla employs STOCKSTAY at different stages of its operations: first to gain initial access, and later, after reconnaissance, for post-exploitation execution on a specific host. The overlaps between STOCKSTAY and Kazuar suggest possible shared development or maintenance by the same team or developer. Attacks using STOCKSTAY have leveraged academic- or diplomatic-themed lures to target government and military organizations in Ukraine and entities with an interest in Italian foreign policy. Deployment of STOCKSTAY has consistently relied on vulnerabilities such as CVE-2025-8088 in WinRAR, on MSI installers hosted on GitHub, and on RAR files containing an HTML Application (HTA) script.
The threat landscape of cyber espionage has witnessed a plethora of sophisticated attacks carried out by state-sponsored actors, with Turla being one such entity that has garnered significant attention for its relentless pursuit of information and resources. Recently, Google Threat Intelligence Group (GTIG) attributed a new backdoor called STOCKSTAY to this group, which has been deployed against government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy. In this article, we will delve into the details of the STOCKSTAY backdoor, its development process, and its implications on the cybersecurity world.
The discovery of STOCKSTAY is a significant development, given that it shares substantial code and functional overlaps with Kazuar, another prominent implant used by Turla since 2017. According to GTIG, the Windows backdoor is continually developed by the hacking group, with suspected development activity dating back to December 2022. The architecture of STOCKSTAY consists of several distinct components that communicate with one another via an inter-process communication (IPC) channel based on the exchange of WM_COPYDATA messages.
The starting point for the implant is a downloader component codenamed STOCKSTAY.MARKETMAKER, which installs and executes three additional modules: STOCKSTAY.STOCKBROKER, a proxy-aware tunneler that provides network communication to the wider STOCKSTAY suite by establishing a secure WebSocket connection to a specified remote server; STOCKSTAY.STOCKTRADER, the main backdoor, which handles information gathering; and STOCKSTAY.STOCKMARKET, an orchestrator or controller that parses the backdoor's configuration to set several options governing the malware's execution.
One noteworthy aspect of the malware is its use by Turla at multiple distinct stages of an operation. It serves both as a means of obtaining initial access to environments that have not been profiled before and, during post-exploitation following reconnaissance, as a payload for execution on a specific host. In the latter configuration the actor already knows exactly which machine is being targeted, most likely through existing access to the target environment.
The overlaps between STOCKSTAY and Kazuar stem from similarities in how responsibilities are divided among the different components. These commonalities raise the possibility that both STOCKSTAY and Kazuar were developed and maintained, at least in part, by the same developer or team. Google said it identified a publicly accessible GitHub repository containing a Python implementation of the victim-facing STOCKSTAY WebSocket server controller, which further supports this theory.
Attacks distributing STOCKSTAY have consistently leveraged academic- or diplomatic-themed lures to target government and military organizations within Ukraine, with early versions of the backdoor used in attacks aimed at entities in Italy, the Netherlands, Poland, and Germany. The Turla actors are said to have employed a phishing email containing a malicious RDP file attachment that, when opened, sets up a connection between the victim's device and actor-controlled infrastructure, through which additional payloads, including STOCKSTAY, can be deployed.
The use of stock market data viewing tools as a front-end for malicious activity is not unprecedented in Turla's toolkit. However, STOCKSTAY's implementation shows a level of sophistication that is rare among malware families. Its deployment has consistently relied on vulnerabilities such as CVE-2025-8088 in WinRAR, on MSI installers hosted on GitHub, and on RAR files containing an HTML Application (HTA) script to deliver the implant.
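The delivery vectors described above (a malicious .rdp attachment, a RAR archive carrying an HTA script, and an MSI installer staged on GitHub) can be turned into simple triage rules over mail and proxy logs. The following is an added example written for this article, not GTIG's or the article's own tooling; the event format, the GitHub host list and the extra archive path-traversal check are assumptions, and all sample events are constructed.

```python
"""Triage of constructed mail/proxy events for the STOCKSTAY delivery vectors
the article names: .rdp attachment, RAR carrying an HTA, MSI fetched from GitHub.
Added example, not GTIG's or the article's own tooling."""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import posixpath
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}  # assumed list

@dataclass
class Event:
    kind: str                    # "attachment" (mail log) or "download" (proxy log)
    name: str                    # attachment filename or full download URL
    members: list = field(default_factory=list)  # archive member paths, if an archive

def _ext(path):
    return posixpath.splitext(path.lower())[1]

def triage(ev):
    """Return the delivery-vector rules an event matches (empty list if none)."""
    hits = []
    if ev.kind == "attachment":
        if _ext(ev.name) == ".rdp":
            hits.append("rdp-attachment")      # RDP file dialing out to remote infrastructure
        elif _ext(ev.name) == ".rar":
            if any(_ext(m) == ".hta" for m in ev.members):
                hits.append("rar-with-hta")    # archive carrying an HTML Application
            # Assumed extra check: traversal-style member paths are never legitimate
            parts = [m.replace("\\", "/").split("/") for m in ev.members]
            if any(".." in p or p[0] == "" for p in parts):
                hits.append("archive-path-traversal")
    elif ev.kind == "download":
        url = urlparse(ev.name)
        if _ext(url.path) == ".msi" and url.hostname in GITHUB_HOSTS:
            hits.append("msi-from-github")     # installer staged on GitHub
    return hits

def triage_all(events):
    """Map event name -> matched rules, keeping only events that hit a rule."""
    return {ev.name: triage(ev) for ev in events if triage(ev)}

def sample_events():
    """Constructed sample events, not real indicators."""
    return [
        Event("attachment", "conference-invite.rdp"),
        Event("attachment", "policy-brief.rar", ["brief.pdf", "brief.hta"]),
        Event("attachment", "report.rar", ["../../Users/Public/run.hta"]),
        Event("download", "https://github.com/example-org/viewer/releases/v1/StockViewer.msi"),
        Event("download", "https://example.org/files/StockViewer.msi"),
    ]
```

Rules are intentionally coarse: they surface events for analyst review rather than block them, and the WinRAR CVE-2025-8088 vector is only approximated by the archive path check.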
In conclusion, the discovery of STOCKSTAY highlights the ongoing evolution of Turla's malware tactics. The sophisticated nature of this backdoor underscores the need for organizations to remain vigilant in their cybersecurity efforts. As the threat landscape continues to evolve, it is crucial that security professionals stay informed about emerging threats and develop strategies to mitigate them.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Evolution-of-Turlas-Malware-Tactics-Unveiling-the-STOCKSTAY-Backdoor-ehn.shtml
https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
https://attack.mitre.org/groups/G0010/
https://www.trendmicro.com/en_us/research/23/i/examining-the-activities-of-the-turla-group.html
Published: Fri Jun 26 03:37:35 2026 by llama3.2 3B Q4_K_M