A sophisticated cyber-espionage campaign has been identified targeting Ukrainian systems through the deployment of a backdoor named STOCKSTAY. This malware infiltrates devices by exploiting malicious Remote Desktop Protocol (RDP) files and a recently patched vulnerability in WinRAR, a popular file archiver utility.
STOCKSTAY is a modular backdoor developed in .NET, comprising multiple components responsible for various functions such as command execution, file manipulation, and communication with command-and-control servers. This modular architecture allows attackers to update or replace individual modules without overhauling the entire malware, enhancing its adaptability and resilience against detection and removal efforts.
Exploitation Techniques
The attackers employ two primary methods to deliver STOCKSTAY:
- Malicious RDP Files: Victims receive RDP configuration files disguised as legitimate documents. When opened, these files establish outbound connections to attacker-controlled servers, facilitating the download and execution of additional malicious payloads without triggering security alerts.
- WinRAR Vulnerability (CVE-2025-8088): Exploiting a path traversal flaw in WinRAR, attackers craft malicious RAR archives that, when extracted, place STOCKSTAY components directly into the Windows startup folder. This ensures the malware’s persistence by executing it each time the system boots.
Command and Control Evasion
To evade detection, STOCKSTAY’s communication with its operators is routed through legitimate cloud services, effectively masking malicious traffic as normal web activity. Additionally, the malware employs a ‘dead drop’ technique, where both the infected system and the attackers check a shared relay for messages, avoiding direct communication and further complicating detection efforts.
STOCKSTAY’s configuration data is encrypted using a hash derived from the victim’s system information, ensuring that the malware operates exclusively on the targeted machine and preventing analysis on other systems.
This campaign is attributed to the Turla group, also known as Secret Blizzard, a state-sponsored entity linked to Russia’s Federal Security Service. Active since at least 2004, Turla is renowned for its advanced cyber-espionage operations targeting government and military organizations.
The use of seemingly benign RDP files and exploitation of known software vulnerabilities like the WinRAR flaw underscores the importance of vigilance against social engineering tactics and the necessity of timely software updates. Organizations are advised to educate users on the risks associated with opening unsolicited files and to apply security patches promptly to mitigate such threats.
As cyber-espionage tactics continue to evolve, the integration of legitimate services into attack chains highlights the need for comprehensive security strategies that encompass user education, robust endpoint protection, and continuous network monitoring to detect and respond to sophisticated threats like STOCKSTAY.