Russian APT Group Deploys StockStay Backdoor in Cyberattack on Ukraine

Russian state-sponsored cyber actors have been deploying a novel backdoor named StockStay against Ukrainian government and military entities, according to a report from the Google Threat Intelligence Group (GTIG).

The malicious tool, attributed to the APT Turla threat group, has been actively used in espionage campaigns since 2022.

Description of StockStay

The backdoor, also referred to as Kazuar in some contexts, shares functional similarities with earlier Turla implants dating back to 2015. StockStay is a multi-component .NET-based backdoor designed for long-term surveillance operations. Initially disguised as a stock market data viewer, recent variants have adopted disguises as PDF readers and calculator applications.

Communication and Components

The malware establishes command-and-control (C&C) communication through a secure WebSocket connection utilizing the open-source websocket-sharp library. Internal components interact via an inter-process communication (IPC) channel to coordinate activities.

Deployment Mechanisms

The backdoor’s deployment mechanism involves a proxy-aware network tunneling component called StockStay.StockBroker, which retrieves payloads from a remote server. A configurator module, StockStay.StockMarket, manages the implant’s settings through an encrypted on-disk configuration file. The core execution component, StockStay.StockTrader, enables remote command execution, file manipulation, and data exfiltration.

Targeting and Campaigns

Most observed attacks have targeted Ukrainian government agencies and military infrastructure, aligning with Russian strategic interests in the region. Compromised local systems, including public services, have served as launch points for malware distribution. Early campaigns also affected European entities, particularly in Italy, the Netherlands, Poland, and Germany, though the primary objectives of these infections remain unclear.

Phishing Tactics

Turla’s operations leverage academic and diplomatic themes to facilitate phishing attacks. Attackers have used compromised Ukrainian university email accounts and diplomatic education platforms to distribute malicious content. Phishing domains often include keywords like “education” or “diplo,” while malicious files bear names such as “DiplomacyEduAI.” The group has also deployed StockStay via compromised RDP configuration files delivered through spear-phishing emails hosted on diplomatic-themed platforms.

Notable Incident

The threat actor employs StockStay at multiple stages of its attack lifecycle, including initial compromise, reconnaissance, and lateral movement. In one notable incident in November 2025, Turla sent phishing emails to 20 Ukrainian targets, embedding a malicious RAR archive that exploited the CVE-2025-8088 vulnerability to execute StockStay. GTIG had previously warned about Russian APTs exploiting this flaw in January 2026.
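The lure indicators above (sender domains and filenames carrying "education" or "diplo", RDP configuration files and RAR archives as the delivery vehicle) lend themselves to a simple mail-gateway triage rule. The following is an added example, not code from GTIG or from the article: the log line format and the sample lines are constructed, and the point weights and the threshold are my own assumption.

```python
import re
from dataclasses import dataclass, field

# Indicators named in the report summary; the point weights are an assumption of this example.
LURE_KEYWORDS = ("education", "diplo")        # recur in the group's phishing domains and filenames
DELIVERY_EXTENSIONS = {".rdp": 3, ".rar": 2}  # RDP configuration files, RAR archives
# Constructed (hypothetical) gateway log format: "<timestamp> from=<sender> attach=<file|->"
LOG_RE = re.compile(r"from=(\S+)\s+attach=(\S+)")

@dataclass
class Verdict:
    sender: str
    score: int = 0
    reasons: list = field(default_factory=list)
    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)

def _has_lure_keyword(value):
    return any(k in value.lower() for k in LURE_KEYWORDS)

def triage_line(line):
    """Score one gateway log line; None when the line does not match the constructed format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    sender, attach = m.groups()
    v = Verdict(sender)
    domain = sender.rpartition("@")[2]
    if _has_lure_keyword(domain):
        v.add(1, f"lure keyword in sender domain {domain}")
    ext = "." + attach.rsplit(".", 1)[-1].lower() if "." in attach else ""
    if ext in DELIVERY_EXTENSIONS:  # an inbound .rdp file is worth a look even without a lure theme
        v.add(DELIVERY_EXTENSIONS[ext], f"delivery vehicle attachment {attach}")
    if attach != "-" and _has_lure_keyword(attach):
        v.add(1, f"lure keyword in filename {attach}")
    return v

def triage_log(text, threshold=3):
    """Lines meeting the threshold, highest score first; a lure theme alone stays below it."""
    hits = [v for v in map(triage_line, text.splitlines()) if v and v.score >= threshold]
    return sorted(hits, key=lambda v: -v.score)

# Constructed sample: themed lure with a RAR, bare .rdp from a university, benign PDF, newsletter.
SAMPLE_GATEWAY_LOG = """\
2025-11-10T09:14:02Z from=office@diplo-education-forum.example attach=DiplomacyEduAI.rar
2025-11-10T09:20:45Z from=admin@university.example attach=schedule.rdp
2025-11-10T09:31:11Z from=hr@partner.example attach=invoice.pdf
2025-11-10T09:40:00Z from=news@education-news.example attach=-
"""
```

Running `triage_log(SAMPLE_GATEWAY_LOG)` surfaces the themed RAR lure and the unsolicited .rdp file while the education newsletter, which only matches a keyword, stays below the threshold.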

Conclusion

The report highlights the evolving tactics of state-sponsored groups, emphasizing the need for continuous monitoring of proxy-aware malware and zero-day vulnerabilities. The use of legitimate infrastructure for distribution and the integration of AI-driven techniques in phishing campaigns underscore the complexity of modern cyber threats.
