Russian APT Deploys ‘StockStay’ Backdoor Against Ukrainian Targets

Summary

Russian APT Turla, also known as Krypton and linked to the FSB, is using a new .NET backdoor called StockStay for espionage against Ukrainian government and military organizations. The backdoor, which has been in development since 2022, masquerades as legitimate software like stock market viewers, PDF viewers, or calculators and uses secure WebSocket connections for C2 communication. Turla has also targeted entities in Italy, the Netherlands, Poland, and Germany, employing themes of academia and diplomacy in its phishing campaigns.

Full text

Russia-linked APT Turla has been targeting government and military organizations in Ukraine with a new backdoor specifically designed for espionage, Google Threat Intelligence Group (GTIG) reports. Also known as Krypton, Snake, Summit, UAC-0194, Venomous Bear, and Waterbug, Turla has been active since at least 2004. The US officially linked the APT to Russia’s Federal Security Service (FSB) in 2023. According to a fresh GTIG report, Turla has been developing a .NET backdoor tracked as StockStay since 2022, and has been using it in attacks against Ukraine’s government and military, as well as against entities with an interest in Italian foreign policy. Designed for ongoing cyber espionage, the backdoor shows code and functionality overlap with Kazuar, a known Turla implant that has been around since at least 2015. A multi-component backdoor written in .NET, StockStay initially masqueraded as a stock market data viewing tool, but recent iterations pose as PDF viewers and calculator utilities. The backdoor relies on a secure WebSocket connection, via the open source websocket-sharp library, for command-and-control (C&C) communication. Its components use an inter-process communication (IPC) channel to communicate with one another.Advertisement. Scroll to continue reading. StockStay payloads are fetched from a remote server using a proxy-aware downloader named StockStay.MarketMaker, which runs in the background and sets up autorun entries to execute core backdoor components. Network communication is provided through StockStay.StockBroker, a proxy-aware tunneler, while the implant’s configurability is enabled through the StockStay.StockMarket orchestrator. An encrypted on-disk configuration file contains various options regarding malware execution. The backdoor component, named StockStay.StockTrader, supports various command execution capabilities, including file download/exfiltration/modification, folder tampering, screen capture, task processing, registry modification, process execution, and system information harvesting. Most of the observed StockStay activity has been targeting Ukrainian government and military entities, in line with Russian interests in the region. In-country compromised infrastructure, including government services, has been used for malware deployment, GTIG says. Some of the early StockStay activity, however, targeted European entities in Italy, the Netherlands, Poland, and Germany, including a foreign affairs ministry, but the intended victims for most of these infections have not been confirmed. StockStay operations rely on academia and diplomacy themes: phishing emails sent from a compromised Ukrainian university email account and diplomatic education platform, filenames containing academic institution names, phishing domains containing ‘education’ and ‘diplo’ in their names, and backdoor MSI files named ‘DiplomacyEduAI’. GTIG also observed Turla deploying the backdoor via malicious RDP configuration files delivered via phishing emails. Some of these files were hosted on a compromised diplomatic-themed education platform. Additionally, GTIG noticed that the cyberespionage group deployed StockStay at different stages of its attacks, either for initial access, for reconnaissance, or at later stages, likely through existing access to the victim’s environment. In one attack in November 2025, Turla sent phishing emails to 20 Ukraine-based targets, linking to a malicious RAR archive exploiting CVE-2025-8088 for the execution of StockStay. In January, GTIG warned that multiple Russian APTs and cybercrime groups had been targeting the WinRAR vulnerability. Related: Russian Initial Access Broker Behind FortiBleed Campaign Related: Russian Spies Are Aggressively Seeking Western Technology as Sanctions Bite, Officials Say Related: Russia-Linked ‘GreyVibe’ Attackers Use AI to Supercharge Cyberattacks Related: UK Cyberspying Chief Calls AI ‘an Unstoppable Force’ and Warns About Russia Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire 25-Year-Old Vulnerability Patched in CurlNIST Opens Updated IoT Security Guidance to Public ReviewChrome 149 Update Resolves 18 Severe VulnerabilitiesCritical Ubiquiti Vulnerabilities in Attackers’ CrosshairsNew ‘Mistic’ RAT Opens Door to Several Ransomware FamiliesExploitable CI/CD Vulnerabilities Expose Millions of Repositories to HijackingBeyondTrust, LastPass Impacted by Klue-Salesforce IncidentData Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps Latest News $3 Million Reportedly Stolen in Polymarket HackFirst-Ever Exploitation of PTC Windchill Vulnerability Discovered in the WildNew Enterprise-Ready MCP Specification Brings New Security ChallengesPhilip Martin Joins Uber as Chief Information Security OfficerRunlayer Raises $30 Million in Series A FundingCal Water Says No OT Systems Breached in Iranian Handala CyberattackLantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat WarningGitLab Patches Code Execution, Information Disclosure Vulnerabilities Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MovePhilip Martin has joined Uber as Chief Information Security Officer.Fable Security has appointed Jacob Berry as Chief Information Security Officer.iCOUNTER has named Ali Waezzadah as Chief Information Security Officer.More People On The MoveExpert Insights When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told the Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — StockStay
• malware — StockStay.MarketMaker
• malware — StockStay.StockBroker
• malware — StockStay.StockMarket
• malware — StockStay.StockTrader
• cve — CVE-2025-8088

Entities