The Russian state-sponsored cyber espionage group Turla has been actively deploying a sophisticated backdoor known as STOCKSTAY, targeting Ukrainian government and military entities since at least December 2022. This .NET-based malware establishes secure WebSocket connections for command and control, effectively blending into regular network traffic and evading detection.
Initially, STOCKSTAY masqueraded as a stock market data application, utilizing deceptive file names and configurations to appear legitimate. By 2025, Turla had evolved the malware’s disguise, presenting it as PDF viewers and calculator utilities, demonstrating the group’s adaptability in maintaining stealth. Turla’s consistent focus on Western Ministries of Foreign Affairs, defense organizations, and Ukrainian military targets underscores its alignment with Russian state interests.
Analysts from Google’s Threat Intelligence Group (GTIG) have documented STOCKSTAY’s architecture and its connections to Turla’s broader toolkit, including the KAZUAR backdoor. Turla, also known by aliases such as SUMMIT, Secret Blizzard, and VENOMOUS BEAR, is attributed to Center 16 of Russia’s Federal Security Service and has been active since at least 2004.
The malware has been identified in multiple countries, including Ukraine, Italy, the Netherlands, Poland, and Germany. In Ukraine, Turla deliberately used compromised local infrastructure, such as government services and an IT company’s server, to stage and deliver STOCKSTAY. Because the payload is fetched from trusted domestic hosts, the download blends into ordinary local network traffic, significantly complicating detection efforts.
In November 2025, Turla launched a phishing campaign targeting approximately 20 individuals in Ukraine. The attackers distributed malicious RAR archives exploiting a WinRAR path traversal vulnerability (CVE-2025-8088). Google account holders affected by this campaign received Government Backed Attack Warning notifications. Security teams are advised to review their environments for indicators of compromise associated with this activity.
Turla’s exploitation of compromised Ukrainian infrastructure is a calculated strategy to evade detection. By staging payloads on trusted local websites, such as the State Regulatory Service of Ukraine and a domestic WordPress server, the group bypasses security controls that might flag foreign infrastructure.
The initial access vector involved phishing emails with malicious Remote Desktop Protocol (RDP) files. In early 2025, victims received emails impersonating a defense training academy. Opening the RDP attachment connected them to attacker-controlled infrastructure, leading to the deployment of the STOCKSTAY.MARKETMAKER downloader, which then retrieved the full STOCKSTAY suite from the compromised server.
Turla’s continuous evolution of its malware and tactics highlights the persistent threat posed by state-sponsored cyber actors. Organizations, especially those in the government and defense sectors, must remain vigilant, keep their security controls current, and train personnel to recognize sophisticated phishing attempts, including unexpected RDP file and RAR archive attachments, in order to mitigate such threats.