Google Threat Intelligence Group said Russian state-backed hacking group Turla used a previously undocumented .NET backdoor called STOCKSTAY against government and military organizations in Ukraine and entities tied to Italian foreign policy, with development activity traced back to December 2022.
KEY FACTS
- Malware: STOCKSTAY is a multi-component .NET backdoor that uses Windows Forms and secure WebSocket connections.
- Targets: Campaigns focused on government and military organizations in Ukraine and, earlier, on entities in Italy, the Netherlands, Poland and Germany.
- Delivery: Attackers used phishing emails, malicious RDP files, MSI installers and archives containing HTA scripts.
- Commands: The backdoor can delete files, enumerate directories, capture screens, edit the registry and run processes.
The report said STOCKSTAY shares code and design with Kazuar, a long-running Turla implant in use since 2017. It described STOCKSTAY as a set of distinct components that pass messages to one another through WM_COPYDATA, the Windows message used to hand data between windows of different processes, and that reach command-and-control infrastructure through the websocket-sharp library.
Google also identified a publicly accessible GitHub repository containing a Python implementation of a victim-facing STOCKSTAY WebSocket server controller. The report said the server could log a victim's IP address but could not decrypt inbound messages, which limits what that server, if it were captured or examined, reveals about the operators and the infrastructure behind it.
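The split the report describes, a front-end server that records connection metadata but holds no key to the traffic it forwards, is worth seeing in code. The following is an added illustration, not code from the report or from the leaked repository: the cipher is a stand-in built from HMAC-SHA256 (the page does not say what STOCKSTAY actually uses), the relay and backend classes are hypothetical, and the assumption that decryption happens somewhere other than the victim-facing server is mine. The victim IP and message are constructed.

```python
import hashlib
import hmac
import json
import os

# --- Stand-in authenticated stream cipher (assumption: not STOCKSTAY's real scheme) ---
NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes with HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce+ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered frame is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class VictimFacingRelay:
    """Hypothetical front end: no key, so it can only log who connected and pass bytes on."""

    def __init__(self):
        self.connection_log = []   # what a seizure of this host would yield
        self.outbound = []         # opaque frames queued for the backend

    def on_frame(self, peer_ip: str, frame: bytes) -> int:
        self.connection_log.append({"ip": peer_ip, "bytes": len(frame)})
        self.outbound.append(frame)
        return len(frame)


class Backend:
    """Hypothetical operator side: the only component holding the session key."""

    def __init__(self, key: bytes):
        self.key = key

    def drain(self, relay: VictimFacingRelay) -> list:
        messages = [unseal(self.key, f) for f in relay.outbound]
        relay.outbound.clear()
        return messages


def demo():
    """One constructed implant message crossing the relay to the backend."""
    key = os.urandom(32)
    relay, backend = VictimFacingRelay(), Backend(key)
    implant_msg = json.dumps({"cmd": "enum_dir", "path": "C:\\Users"}).encode()
    frame = seal(key, implant_msg)
    relay.on_frame("203.0.113.7", frame)          # constructed victim IP
    plaintext_visible_to_relay = implant_msg in frame
    return relay.connection_log, plaintext_visible_to_relay, backend.drain(relay)


if __name__ == "__main__":
    log, leaked, msgs = demo()
    print("relay saw:", log, "| plaintext visible to relay:", leaked)
    print("backend recovered:", msgs)
```

The point for responders is in what `VictimFacingRelay.connection_log` contains: peer addresses and frame sizes, nothing about tasking. Taking down or imaging such a host gives victim identification, which is still useful, but not the operators' commands or the location of the backend.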
Turla appeared to use the malware at different points in its operations, both for initial access and for post-exploitation activity following reconnaissance. In one case in early 2025, a phishing email carrying a malicious RDP attachment was used to open a connection to actor-controlled infrastructure, and in November 2025 a Ukraine-focused wave used RAR archives that exploited CVE-2025-8088, a path traversal vulnerability in WinRAR.
Other campaigns used MSI installers and RAR files containing HTA scripts, with a downloader fetching the main payload from a compromised WordPress site. Google said the overlaps with Kazuar suggest STOCKSTAY may have been developed in its image, but it assessed that with low confidence.
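A malicious .rdp attachment is plain text that mail gateways can triage before a user opens it, so an added example follows. This is illustration written for this page, not tooling from the report, and the report does not say which settings Turla's file used; the rules below flag settings that are generally abused in RDP-file phishing (drive and clipboard redirection to an external host, RemoteApp mode, suppressed certificate warnings). The allowlist suffix and both sample files are constructed. The .rdp format itself (one `name:type:value` line per setting, often saved as UTF-16 with a BOM) is the documented mstsc format.

```python
import re

# Assumption: the organisation's own Remote Desktop hosts live under this suffix.
ALLOWED_HOST_SUFFIXES = (".corp.example",)

# (setting, predicate on its value, weight, why it matters). Names are documented mstsc settings.
RULES = [
    ("drivestoredirect", lambda v: v != "", 3,
     "local drives are exposed to the remote host (file theft)"),
    ("devicestoredirect", lambda v: v != "", 2, "plug-and-play devices are redirected"),
    ("redirectclipboard", lambda v: v == "1", 2, "clipboard is shared with the remote host"),
    ("redirectsmartcards", lambda v: v == "1", 2, "smart cards are usable by the remote host"),
    ("redirectprinters", lambda v: v == "1", 1, "printers are redirected"),
    ("remoteapplicationmode", lambda v: v == "1", 2,
     "RemoteApp mode shows a remote program as if local, hiding that a session exists"),
    ("authentication level", lambda v: v in ("0", "2"), 1,
     "server certificate warnings are suppressed"),
]


def decode_rdp(raw: bytes) -> str:
    """mstsc writes UTF-16 with a BOM; hand-made files are usually UTF-8/ASCII."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict:
    """Return {setting: value} for every well-formed name:type:value line."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([sib]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings


def triage(raw: bytes):
    """Score an .rdp attachment; returns (verdict, score, findings)."""
    s = parse_rdp(decode_rdp(raw))
    score, findings = 0, []
    host = s.get("full address", "")
    hostname = host.split(":")[0].lower()
    if host and not hostname.endswith(ALLOWED_HOST_SUFFIXES):
        score += 3
        findings.append(f"full address '{host}' is outside the allowlist")
    for key, pred, weight, why in RULES:
        if key in s and pred(s[key]):
            score += weight
            findings.append(f"{key}={s[key]!r}: {why}")
    if "signature" in s:
        # Signed files look trustworthy; signing proves only that the file is unmodified.
        findings.append("file carries an RDP signature; the signer, not the signature, is what matters")
    verdict = "block" if score >= 5 else "review" if score >= 2 else "allow"
    return verdict, score, findings


# Constructed samples (not from the report): one attacker-style file, one benign internal one.
SAMPLE_RDP = (
    "full address:s:rdp-update.example-cloud.test:443\r\n"
    "remoteapplicationmode:i:1\r\n"
    "remoteapplicationprogram:s:||Update\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "authentication level:i:2\r\n"
    "prompt for credentials:i:0\r\n"
).encode("utf-16")

BENIGN_RDP = b"full address:s:ts01.corp.example\r\nredirectprinters:i:1\r\n"

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        verdict, score, findings = triage(raw)
        print(f"{name}: {verdict} (score {score})")
        for f in findings:
            print("  -", f)
```

The weights are a starting point to tune against your own mail traffic; the one rule that rarely needs tuning is the host allowlist, since a legitimate .rdp file that points staff at an external host is unusual enough to justify a human look.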
WHY IT MATTERS
The findings show Turla continues to develop custom tooling that can support both intrusion and follow-on activity. Layered components, encrypted links between them and varied delivery methods each give defenders less to key on, making detection and attribution harder.

