Google Threat Intelligence Group disclosed STOCKSTAY, a multi-component backdoor from the Turla APT active since December 2022 against Ukrainian government and military targets, sharing architecture and code with the group's long-standing Kazuar toolkit.
Google Threat Intelligence Group (GTIG) published a technical analysis of STOCKSTAY on June 25, 2026, revealing a multi-component backdoor developed by the Turla APT for cyber-espionage against Ukrainian government and military organizations. The malware has been in active development since December 2022 and shares architecture and code portions with Kazuar, the group's historical toolkit. The disclosure documents a "parallel redundancy" strategy: Turla does not abandon Kazuar but keeps both ecosystems active to ensure persistence even if one is discovered and removed.
Key Takeaways
  • STOCKSTAY is a .NET backdoor with a four-component modular architecture (MARKETMAKER, STOCKBROKER, STOCKTRADER, STOCKMARKET) communicating via WM_COPYDATA
  • The malware generates a 4096-bit RSA key on first launch to encrypt C2 WebSocket communications, making interception by platform operators impossible
  • Primary targeting is Ukrainian government and military, with early versions found in Italy, the Netherlands, Poland, and Germany, including a foreign ministry
  • Google assesses with low confidence that parallel deployment with Kazuar serves to test new capabilities where existing access risks remediation

An Access Factory: The Four-Component Architecture

STOCKSTAY is not a single executable but a distributed ecosystem in which each module has a specialized function. MARKETMAKER acts as the initial downloader; STOCKBROKER serves as a proxy-aware tunneler; STOCKTRADER is the main backdoor with remote execution capabilities; STOCKMARKET is the orchestrator coordinating the flows. The four elements interact through WM_COPYDATA messages, a native Windows inter-process communication mechanism that lets windows exchange data without resorting to named pipes or network sockets.

The technical choice is significant. WM_COPYDATA is less monitored than standard network communications and allows the malware to operate entirely in user mode, reducing its footprint on endpoint detection systems. The use of the Windows Forms framework for the visual interface, combined with the open-source websocket-sharp library for the C2 channel, indicates a design oriented toward mimicry: STOCKSTAY can present itself as a legitimate application without raising obvious behavioral anomalies.

The WebSocket channel is encrypted with 4096-bit RSA, a key that GTIG documents as dynamically generated on STOCKMARKET's first launch. The public key is transmitted to the C2 server; the private key remains on the compromised machine. This asymmetry has a concrete effect: even if an analyst intercepts traffic or compromises a C2 infrastructure node, they cannot decrypt inbound messages. The controller server possesses only the victim's public key. According to GTIG, "the inability for the server to decrypt inbound messages prevents introspection by platform operators, and further obfuscates the location of the threat actor's dedicated infrastructure".

Initial Access: From Malicious RDP to GitHub Repository

The initial access vector spans multiple fronts, all documented by GTIG with analyzed samples.
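The key placement described in the architecture section above (a per-victim RSA key pair generated on the host, public half sent to the C2 server, private half never leaving the machine) can be reproduced to see exactly what an interceptor or a seized server yields. The Go program below is an added example written for this article, not code from GTIG's report or from the malware; it assumes RSA-OAEP with SHA-256 over a PEM-encoded public key as the message format, which the report does not describe, and omits the WebSocket transport entirely.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeyBits is the key length GTIG reports for the key STOCKMARKET generates on
// first launch. Exchange takes the size as a parameter because 4096-bit
// generation takes several seconds; tests use 2048.
const KeyBits = 4096

// Implant models the compromised host. The private key never leaves it.
type Implant struct{ priv *rsa.PrivateKey }

func NewImplant(bits int) (*Implant, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Implant{priv: priv}, nil
}

// Enrollment is the only key material that crosses the wire: the PEM-encoded
// public key. A passive observer of the channel sees exactly this and no more.
func (im *Implant) Enrollment() []byte {
	der, err := x509.MarshalPKIXPublicKey(&im.priv.PublicKey)
	if err != nil {
		panic(err) // cannot fail for a valid RSA key
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// ReadTask decrypts an inbound tasking message with the local private key.
func (im *Implant) ReadTask(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, im.priv, ct, nil)
}

// Controller models the C2 server: it holds nothing but the enrolled public
// key, so it can encrypt toward the victim but can never read that traffic back.
type Controller struct{ pub *rsa.PublicKey }

func NewController(enrollment []byte) (*Controller, error) {
	blk, _ := pem.Decode(enrollment)
	if blk == nil {
		return nil, errors.New("enrollment is not PEM")
	}
	k, err := x509.ParsePKIXPublicKey(blk.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("enrollment is not an RSA key")
	}
	return &Controller{pub: pub}, nil
}

func (c *Controller) SendTask(task []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.pub, task, nil)
}

// Exchange runs one enrol/task round and reports what each party could read.
// The "observer" is an analyst who captured the enrollment and the ciphertext,
// or seized the server: the only private key available to them is one they
// hold themselves (modelled as a fresh key of the same size), and OAEP
// decryption with any key other than the implant's fails its integrity check.
func Exchange(bits int, task string) (victimRead string, observerRead bool, err error) {
	im, err := NewImplant(bits)
	if err != nil {
		return "", false, err
	}
	c, err := NewController(im.Enrollment())
	if err != nil {
		return "", false, err
	}
	ct, err := c.SendTask([]byte(task))
	if err != nil {
		return "", false, err
	}
	pt, err := im.ReadTask(ct)
	if err != nil {
		return "", false, err
	}
	observer, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", false, err
	}
	_, obsErr := rsa.DecryptOAEP(sha256.New(), nil, observer, ct, nil)
	return string(pt), obsErr == nil, nil
}

func main() {
	victim, observer, err := Exchange(KeyBits, "constructed-task-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("victim read: %q\nobserver could read: %v\n", victim, observer)
}
```

The practical consequence for responders follows from the last line: a capture of the channel or a seized controller yields only the public key, so recovering tasking content requires the implant's private key taken from the host itself (process memory or wherever the component stores it), not from the network.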
Phishing emails carry RDP (Remote Desktop Protocol) attachments that, when opened, establish connections to attacker-controlled servers. RAR archives exploit CVE-2025-8088, a WinRAR vulnerability with a CVSS 8.8 HIGH score per NVD, allowing arbitrary code execution upon opening seemingly innocuous files. The severity was sufficient for Turla to run a November 2025 campaign targeting approximately twenty Ukrainian targets. Other deliveries occur via MSI installers, one of which was hosted on GitHub in a public repository named 'ChikenFresh/google-ai-labs-it'. GTIG identified a Python implementation of the WebSocket controller server in this repository, functionally linked to the malware but without direct attribution to the actor. Turla has also compromised legitimate WordPress instances to host ZIP archives containing STOCKSTAY's core components. The group has refined its lure strategy over time. The oldest samples, dating to 2022-2023, disguised themselves as stock data visualization tools — hence the "STOCK" name root. Starting in 2025, GTIG observed variants impersonating PDF viewers and calculators. The delivery theme shifted to academic and diplomatic content: emails originating from a compromised Ukrainian university account and a breached diplomatic education platform. This evolution reflects deep knowledge of the target context: recipients are more likely to open apparently institutional documents than generic attachments.
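The RDP attachments listed above are plain-text configuration files, so a mail gateway can inspect their settings instead of passing them through as harmless shortcuts, which is the point the Operational Guidance section makes about .rdp files. The Go checker below is an added example for this article, not a GTIG or vendor tool; the settings it looks for are standard mstsc.exe .rdp options, the two sample files and the `corp.example` trusted-domain list are constructed, and a real lure may of course use other settings.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Finding is one risky setting found in a .rdp attachment.
type Finding struct {
	Key, Value, Reason string
}

// decodeRDP returns the text of a .rdp file. Files saved by mstsc.exe are
// normally UTF-16LE with a byte-order mark; hand-written ones are ASCII/UTF-8.
func decodeRDP(raw []byte) string {
	if len(raw) >= 2 && raw[0] == 0xFF && raw[1] == 0xFE {
		body := raw[2:]
		u := make([]uint16, 0, len(body)/2)
		for i := 0; i+1 < len(body); i += 2 {
			u = append(u, binary.LittleEndian.Uint16(body[i:]))
		}
		return string(utf16.Decode(u))
	}
	return string(bytes.TrimPrefix(raw, []byte{0xEF, 0xBB, 0xBF}))
}

// parseRDP splits "name:type:value" lines into a map keyed by the lower-cased
// setting name. The value field may itself contain ':' (e.g. host:port).
func parseRDP(text string) map[string]string {
	settings := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 3)
		if len(parts) == 3 {
			settings[strings.ToLower(parts[0])] = strings.TrimSpace(parts[2])
		}
	}
	return settings
}

// hostTrusted reports whether the "full address" host is one of the
// organisation's own RD gateway domains or a subdomain of one.
func hostTrusted(fullAddress string, trustedSuffixes []string) bool {
	host, _, _ := strings.Cut(strings.ToLower(fullAddress), ":")
	for _, suf := range trustedSuffixes {
		suf = strings.ToLower(suf)
		if host == suf || strings.HasSuffix(host, "."+suf) {
			return true
		}
	}
	return false
}

// AssessRDP flags the settings that turn an .rdp attachment from a connection
// shortcut into an execution or data-exposure vector. trustedSuffixes lists
// the organisation's own gateway domains (an assumption of this example).
func AssessRDP(raw []byte, trustedSuffixes []string) []Finding {
	s := parseRDP(decodeRDP(raw))
	var out []Finding
	flagIf := func(key string, cond func(v string) bool, reason string) {
		if v, ok := s[key]; ok && cond(v) {
			out = append(out, Finding{key, v, reason})
		}
	}
	nonEmpty := func(v string) bool { return v != "" }
	equals := func(want string) func(string) bool { return func(v string) bool { return v == want } }

	flagIf("full address", func(v string) bool { return !hostTrusted(v, trustedSuffixes) },
		"session terminates at a host outside the organisation")
	flagIf("drivestoredirect", nonEmpty, "local drives are mapped into the remote session")
	flagIf("redirectclipboard", equals("1"), "clipboard is shared with the remote host")
	flagIf("remoteapplicationmode", equals("1"), "RemoteApp mode runs a remote program on connect")
	flagIf("alternate shell", nonEmpty, "a program is started instead of a desktop")
	flagIf("authentication level", equals("0"), "server identity is not verified before connecting")
	return out
}

// utf16le encodes text the way mstsc.exe saves .rdp files (BOM + UTF-16LE);
// used only to build the constructed lure sample below.
func utf16le(s string) []byte {
	buf := []byte{0xFF, 0xFE}
	for _, u := range utf16.Encode([]rune(s)) {
		var b [2]byte
		binary.LittleEndian.PutUint16(b[:], u)
		buf = append(buf, b[:]...)
	}
	return buf
}

// Constructed samples (not real Turla artefacts): a lure-style attachment and
// a legitimate shortcut to the organisation's own gateway.
var SampleLure = utf16le("full address:s:rdp.example-lure.test:3389\r\n" +
	"drivestoredirect:s:*\r\n" +
	"redirectclipboard:i:1\r\n" +
	"remoteapplicationmode:i:1\r\n" +
	"remoteapplicationprogram:s:||Viewer\r\n" +
	"authentication level:i:0\r\n")

var SampleBenign = []byte("full address:s:rdgw.corp.example\r\n" +
	"authentication level:i:2\r\n" +
	"redirectclipboard:i:0\r\n")

func main() {
	for _, f := range AssessRDP(SampleLure, []string{"corp.example"}) {
		fmt.Printf("%-22s = %-28s %s\n", f.Key, f.Value, f.Reason)
	}
	fmt.Println("benign findings:", len(AssessRDP(SampleBenign, []string{"corp.example"})))
}
```

The lure sample trips five checks while the internal shortcut trips none; a gateway would quarantine on any finding other than the trusted-host one, since drive and clipboard redirection toward an external host is what turns a connection file into an exposure of the local machine. Handling the UTF-16 form matters because that is how mstsc.exe itself writes the file, and a checker that only reads ASCII would silently see an empty settings map.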
"The group appears to be investing in redundant, parallel malware ecosystems to ensure persistent access even when individual tools are discovered and remediated" — Google to Recorded Future News
Kazuar's Twin: Parallel Evolution, Not Replacement

The relationship between STOCKSTAY and Kazuar is the core of GTIG's analysis. Kazuar is a toolkit associated with Turla since 2017, known for its versatility and longevity. STOCKSTAY reproduces both code portions and architectural choices: GTIG speaks explicitly of "significant code and functional overlaps" and development "in KAZUAR's image." However, the differences are equally relevant. Kazuar is a mature framework, extensively analyzed by the threat intelligence community; STOCKSTAY is a more recent construction, with separate components and a C2 channel based on WebSocket rather than traditional HTTP/HTTPS connections.

Google observed STOCKSTAY deployed for both initial access and post-exploitation in environments already compromised by Kazuar. This cohabitation is not accidental. GTIG assesses with low confidence that Turla is testing STOCKSTAY in scenarios where existing Kazuar access risks remediation. The operational logic is redundancy: not relying on a single toolkit but maintaining alternative pipelines ready for activation.

The model has immediate defensive implications. The discovery of Kazuar in a network no longer guarantees, by itself, the attacker's complete expulsion. Turla may have already planted STOCKSTAY or be able to activate it in response to the first toolkit's removal. This "operational maturity," to use GTIG's term, separates top-tier APT groups from those merely reusing existing tools.

The European Horizon: Early Samples and Foreign Ministries

While primary targeting is Ukrainian, STOCKSTAY's timeline includes a significant European chapter. Initial versions of the backdoor, identified from December 2023 on VirusTotal with separate components, were employed against entities in Italy, the Netherlands, Poland, and Germany.
Among these, GTIG documents a foreign ministry — without specifying the country — hit by one of the malware's earliest variants. This European phase, dated 2023, precedes the consolidation of Ukrainian targeting and may reflect a testing phase or preliminary collection of strategic accesses. GTIG does not reconcile the differing accounts on this point but leaves the geopolitical significance open: Turla was gathering European diplomatic intelligence while building infrastructure for more intensive operations in Ukraine.

Operational Guidance

Operational recommendations derive directly from the patterns documented by GTIG. The multi-vector delivery nature requires extended filtering: RDP files must not be treated as innocuous remote configuration documents but as potential execution vectors. The same attention applies to RAR archives, especially in environments where WinRAR may not yet be patched for CVE-2025-8088.

The compromise of legitimate infrastructure — universities, diplomatic platforms, WordPress sites, GitHub repositories — invalidates an approach based solely on sender domain reputation. Filtering must consider specific content and behavioral context, not just apparent provenance. STOCKSTAY's encrypted configuration, with unique per-machine identifiers, indicates the actor knows the target before delivery: receipt of unexpectedly targeted communications, even from known institutional senders, warrants out-of-band verification.

Finally, the documented cohabitation with Kazuar requires extending post-compromise investigations beyond the first identified toolkit. Kazuar's removal must be considered a waypoint, not a conclusion.

The Lesson of Parallel Redundancy

STOCKSTAY is not an isolated novelty but an indicator of how top-tier APTs are structuring their operations.
Turla has invested over three years — from December 2022 to 2026 — building a twin ecosystem to an already functioning one, with dedicated development resources and separate C2 infrastructures. The opportunity cost is high; the choice to sustain it indicates a strategic assessment: the loss of a toolkit, however sophisticated, must not interrupt access to priority intelligence targets. For government and defense organizations, the message is that threat intelligence can no longer focus on static indicators of compromise. The STOCKSTAY-Kazuar overlap requires monitoring based on behaviors and architectural patterns, not just hash signatures. Turla has demonstrated willingness to rebuild from scratch to maintain access. The defensive challenge is measuring up against an adversary that considers its malware's discovery an acceptable cost, not a defeat.
