Turla Deploys STOCKSTAY Backdoor Against Ukrainian and Foreign Policy Targets
Google Threat Intelligence Group reported that the Russia-linked Turla espionage group has been using a multi-component .NET backdoor called STOCKSTAY since at least December 2022 to target Ukrainian government and military organizations, as well as entities involved in Italian foreign policy. The malware supports command execution, file theft, registry changes, screen capture, and host reconnaissance, and uses separate modules for orchestration and WebSocket-based command-and-control tunneling. Researchers said STOCKSTAY shares architectural and code similarities with Turla’s KAZUAR toolkit, including the K1MORPHER obfuscation mechanism and environmental keying, indicating the tool is part of Turla’s broader intelligence-gathering arsenal.
The campaign used multiple delivery methods, including malicious RDP files, HTA files, MSI installers, and exploitation of WinRAR path traversal flaw CVE-2025-8088, often paired with academic, diplomatic, or military-themed lures. Google also observed Turla relying on compromised Ukrainian infrastructure, GitHub repositories, and cloud hosting services such as Render and Glitch to stage payloads and run command-and-control infrastructure. The company assessed that STOCKSTAY remains under active development alongside KAZUAR and is used both for initial access and as a persistence or fallback capability during espionage operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
GTIG publishes analysis of Turla's STOCKSTAY malware
On June 1, 2026, Google Threat Intelligence Group published an analysis attributing STOCKSTAY to Turla with high confidence and detailing overlaps with the KAZUAR toolkit, including K1MORPHER obfuscation and environmental keying. The report also described delivery methods such as malicious RDP, HTA, MSI files, and exploitation of WinRAR path traversal CVE-2025-8088, along with use of compromised Ukrainian infrastructure and public hosting services for staging and C2.
Turla begins using STOCKSTAY in operations
Google Threat Intelligence Group reported that the Russia-linked Turla espionage group has used the STOCKSTAY multi-component .NET backdoor since at least December 2022. The malware was used against Ukrainian government and military organizations and entities interested in Italian foreign policy.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Russia-Linked Turla Uses Compromised Infrastructure to Deploy STOCKSTAY in Ukraine Operations - Cyber Security News
cybersecuritynews.com
Open sourceRussian APT Deploys 'StockStay' Backdoor Against Ukrainian Targets - SecurityWeek
securityweek.com
Open sourceGoogle Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks
thehackernews.com
Open sourceTurla group adds more malware to Russia’s espionage efforts against Ukraine | The Record from Recorded Future News
therecord.media
Open sourceNew Turla Stockstay Backdoor Emerges - Decipher
decipher.sc
Open sourceThe Latest Addition to Turla’s Intelligence Gathering Apparatus | Google Cloud Blog
cloud.google.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Turla Deploys Upgraded Kazuar v3 Loader Using COM, ETW, and AMSI Evasion
Researchers reported an upgraded **Turla** *Kazuar v3* loader that uses advanced Windows-native evasion and execution techniques, including heavy use of **Component Object Model (COM)**, *patchless* **Event Tracing for Windows (ETW)** manipulation, and **AMSI** bypass methods. The observed multi-stage chain begins with a VBScript (`8RWRLT.vbs`) that retrieves additional components from attacker infrastructure and stages multiple encrypted Kazuar payloads; analysis indicates the loader can embed execution logic into the Windows COM subsystem to blend into legitimate system activity and increase defender analysis time. Technical reporting tied the activity to infrastructure and tradecraft consistent with prior reporting on **Gamaredon–Turla** operational overlap. The VBScript was observed downloading from `https://185.126.255[.]132` and creating an HP-themed directory structure under `%LOCALAPPDATA%\Programs\HP\...`, then deploying a legitimate Hewlett-Packard installer alongside a malicious DLL for **DLL sideloading**, before decrypting and launching Kazuar payloads. The combination of COM-based execution, ETW/AMSI evasion, and staged encrypted payload delivery indicates a continued focus on stealthy post-compromise tooling rather than opportunistic commodity malware delivery.
Jun 29, 2026
Gamaredon Expanded Ukraine Espionage With New PowerShell Tools and Cloud-Hidden C2
Russia-aligned **Gamaredon** significantly upgraded its cyberespionage operations against Ukrainian government and military organizations during 2025, according to ESET. The group ran **35 spear-phishing campaigns**, introduced **six new PowerShell-based tools**, revived the VBScript weaponizer **PteroSetup**, and exploited **`CVE-2025-8088`** in WinRAR to establish persistence through malicious HTA downloaders placed in Startup folders. ESET said Gamaredon also expanded lateral movement and USB-based propagation, with the newly documented **PteroPaste** able to copy a malicious downloader to connected USB drives while disguising it as a Word document shortcut. The group increasingly concealed command-and-control and data theft behind legitimate services, using **Cloudflare Workers**, **Microsoft dev tunnels**, **Loophole**, DDNS providers, messaging and blogging platforms, paste sites, and cloud storage to mask malicious traffic and stage payloads. Newer malware variants retrieved encrypted C2 data from dead-drop locations such as **Telegram**, **Dropbox**, **GoFile**, and **Mastodon**, while upgraded stealers including **PteroPSDoor** and **PteroVDoor** exfiltrated stolen files to S3-compatible storage such as **Wasabi**, **Tebi**, and **Intercolo**. ESET also observed Gamaredon collaborating with **Turla** in early 2025, providing initial access that supported deployment of the **Kazuar** framework.
Jun 29, 2026
Gamaredon Assisted Turla Intrusions Against Ukrainian Government and Military Targets
Researchers presented evidence that **Gamaredon** directly supported **Turla** operations against high-value Ukrainian organizations, including military and government entities, during incidents observed from February through June 2025. According to the findings, Gamaredon used its own tooling—such as **PteroGraphin** and **PteroOdd**—to deploy Turla’s **Kazuar** backdoor on victim systems, indicating a coordinated intrusion workflow rather than parallel activity by separate actors. The investigation also found at least one case in which Gamaredon helped restore Turla’s access after the latter had apparently lost its foothold, reinforcing the assessment of active operational collaboration between the two Russian state-aligned espionage groups. The reported division of labor had Gamaredon handling spearphishing, rapid access, and persistence, while Turla leveraged the more advanced **Kazuar v2** and **v3** implants to conduct sustained espionage inside contested Ukrainian networks.
Jun 29, 2026