STOCKSTAY
STOCKSTAY is a previously undocumented multi-component Windows backdoor written in .NET/Windows Forms and attributed by Google Threat Intelligence Group with high confidence to the Russian state-sponsored threat actor Turla (also referenced as SUMMIT/Secret Blizzard/Venomous Bear/UAC-0194). It has reportedly been under development since at least December 2022 and has been used in cyber espionage operations primarily targeting Ukrainian government and military organizations, as well as entities with an interest in Italian foreign policy; earlier activity also affected targets in Italy, the Netherlands, Poland, and Germany, including at least one foreign affairs ministry. GTIG reported notable code, architectural, and functional overlap with Turla’s Kazuar implant, and assessed with moderate confidence that STOCKSTAY and Kazuar may be maintained in part by a common developer or team.
STOCKSTAY uses secure WebSocket-based command-and-control via the websocket-sharp library and local inter-process communication based on WM_COPYDATA messages. Early variants masqueraded as a stock market data viewing tool, while later iterations impersonated benign utilities such as PDF viewers and calculator applications. The malware family includes modular components: STOCKSTAY.MARKETMAKER, a proxy-aware downloader that installs components and establishes persistence through Windows registry autorun entries; STOCKSTAY.STOCKBROKER, a proxy-aware tunneler that relays secure WebSocket C2 traffic; STOCKSTAY.STOCKMARKET, an orchestration/configuration component that decrypts an encrypted on-disk configuration file containing C2 and execution settings and, in reported analysis, generates a unique 4096-bit RSA key pair and infection identifier on first execution; and STOCKSTAY.STOCKTRADER, the main backdoor component. Reported STOCKSTAY capabilities include downloading, exfiltrating, modifying, retrieving, uploading, and deleting files; directory enumeration, creation, and removal; screen capture; task and process execution; registry read/write/delete; ZIP extraction; folder tampering; and system information harvesting.
Observed delivery and deployment methods include phishing campaigns using academic, diplomatic, military, and drone-operation themes; malicious RDP configuration files sent by email; MSI installers, including samples hosted on GitHub; RAR archives containing HTA scripts; and a November 2025 phishing wave against approximately 20 Ukraine-based targets exploiting WinRAR path traversal vulnerability CVE-2025-8088 to install STOCKSTAY. GTIG also reported use of compromised Ukrainian infrastructure, including government services, a compromised Ukrainian university email account, a compromised diplomatic education platform, compromised WordPress sites, and phishing domains containing strings such as "education" and "diplo." STOCKSTAY has been observed both as an initial access payload and during post-exploitation, including a January 2024 Ukrainian intrusion where Turla deployed WILDDAY, DIAMONDBACK, KAZUAR, and STOCKSTAY via malicious GPO installation from a compromised domain controller.
High-confidence infrastructure and indicators named directly in the source reporting include the WebSocket C2 URLs wss://wool-basalt-clock.glitch.me/ws and wss://weatherdataai.theworkpc.com/ws, a public GitHub repository identified as ChikenFresh/google-ai-labs-it containing a Python implementation of the victim-facing STOCKSTAY WebSocket server controller, the SQLite database name weather_data1.db used by that controller, and an MSI sample named Copia.msi. GTIG also reported phishing artifacts including MSI files named DiplomacyEduAI.
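Detection logic for the two reported C2 hosts, run over proxy and DNS records, as an added example that is not part of the original page or of GTIG's reporting; the Squid-style access-log layout, the simple DNS query-log layout and the sample lines are constructed assumptions.

```python
# Added example: flag proxy/DNS log lines that reach the STOCKSTAY C2 hosts
# named above. Log formats and sample lines are constructed assumptions.
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# WebSocket C2 URLs reported for STOCKSTAY (from the write-up above).
STOCKSTAY_C2_URLS = ("wss://wool-basalt-clock.glitch.me/ws",
                     "wss://weatherdataai.theworkpc.com/ws")
C2_HOSTS = {urlsplit(u).hostname for u in STOCKSTAY_C2_URLS}
Hit = Tuple[str, str, str]  # (log source, client address, matched host)

def normalize_host(value: str) -> str:
    """Lower-case, drop a trailing dot (DNS FQDN form) and a :port suffix."""
    host = value.strip().lower().rstrip(".")
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def scan_proxy_line(line: str) -> Optional[Hit]:
    """Squid native access.log: ts elapsed client code/status bytes method url ..."""
    parts = line.split()
    if len(parts) < 7:
        return None
    client, method, target = parts[2], parts[5], parts[6]
    # wss:// traffic is TLS, so it appears as CONNECT host:port; other
    # requests carry a full URL whose netloc is the destination host.
    raw = target if method == "CONNECT" else (urlsplit(target).netloc or target)
    host = normalize_host(raw)
    return ("proxy", client, host) if host in C2_HOSTS else None

def scan_dns_line(line: str) -> Optional[Hit]:
    """Constructed DNS query log: ts client qname qtype"""
    parts = line.split()
    if len(parts) < 4:
        return None
    host = normalize_host(parts[2])
    return ("dns", parts[1], host) if host in C2_HOSTS else None

def scan(proxy_lines: Iterable[str], dns_lines: Iterable[str]) -> List[Hit]:
    """Return every hit across both log types, proxy hits first."""
    hits = [h for ln in proxy_lines if (h := scan_proxy_line(ln)) is not None]
    hits += [h for ln in dns_lines if (h := scan_dns_line(ln)) is not None]
    return hits

# Constructed sample input (not real telemetry); peer IPs are TEST-NET addresses.
SAMPLE_PROXY = [
    "1700000000.123 55 10.0.0.21 TCP_TUNNEL/200 8812 CONNECT wool-basalt-clock.glitch.me:443 - HIER_DIRECT/192.0.2.10 -",
    "1700000001.456 12 10.0.0.22 TCP_MISS/200 512 GET http://intranet.example/index.html - HIER_DIRECT/192.0.2.20 text/html",
    "1700000002.789 60 10.0.0.23 TCP_TUNNEL/200 4096 CONNECT WeatherDataAI.theworkpc.com:443 - HIER_DIRECT/192.0.2.30 -",
]
SAMPLE_DNS = ["1700000000 10.0.0.21 wool-basalt-clock.glitch.me. A",
              "1700000003 10.0.0.24 updates.example. A"]
```

Because the C2 is TLS-wrapped WebSocket, a forward proxy only sees the CONNECT host, so the host match (not the /ws path) is what carries the detection; DNS matching catches hosts that resolved but never completed the tunnel.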
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
As recently as November 2025, an email phishing wave targeting Ukraine was found to deliver the implant via RAR archives that exploit CVE-2025-8088, a WinRAR vulnerability that has been exploited by a number of Russian hacking groups such as Sandworm, Gamaredon, and RomCom.
The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called STOCKSTAY that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Turla (SUMMIT) delivering the STOCKSTAY malware suite using Ukrainian army themes.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
StockStay operations rely on academia and diplomacy themes: phishing emails sent from a compromised Ukrainian university email account and diplomatic education platform...
Execution (5 techniques)
The backdoor component, named StockStay.StockTrader, supports various command execution capabilities...
In one attack in November 2025, Turla sent phishing emails to 20 Ukraine-based targets, linking to a malicious RAR archive exploiting CVE-2025-8088 for the execution of StockStay.
GTIG also observed Turla deploying the backdoor via malicious RDP configuration files delivered via phishing emails.
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth (5 techniques)
An encrypted on-disk configuration file contains various options regarding malware execution.
A multi-component backdoor written in .NET, StockStay initially masqueraded as a stock market data viewing tool, but recent iterations pose as PDF viewers and calculator utilities.
Del: Delete the specified files...
RmDir: Delete the specified directories...
Defense Impairment (1 technique)
Discovery (3 techniques)
Lateral Movement (2 techniques)
The RDP files were designed to create a connection from the victim’s device to actor-controlled infrastructure, through which the actor could then deploy subsequent payloads.
GTIG conducted a review... in which we observed Turla deploying a wide range of tools into the victim’s network... via malicious GPO installation from a compromised domain controller... Multiple ZIP archives, each containing one of the core components of STOCKSTAY or its configuration, were uploaded to the domain controller.
Collection (2 techniques)
Command and Control (3 techniques)
IOCs tracked for this family
67 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure, file hashes (MD5, SHA-1, SHA-256), and other indicator types from public reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A multi-component .NET backdoor used for cyber espionage. It masquerades as benign utilities, uses secure WebSocket C2, supports modular components for downloading payloads, tunneling communications, orchestration, and command execution including file exfiltration, screen capture, registry modification, process execution, and system information harvesting.
A multi-component .NET Windows backdoor used for cyber espionage. It uses secure WebSocket C2 communications and includes modules for downloading/installing components, tunneling network traffic, orchestrating execution, gathering system information, file operations, registry manipulation, screen capture, and command execution.
Malware delivered via malicious RAR archives exploiting CVE-2025-8088 as an initial access vector (further functionality not specified in the content).
Malware suite delivered by Turla using WinRAR CVE-2025-8088 with Ukraine-themed lures; leverages Startup-folder placement for execution at next login.