Cybersecurity · June 26, 2026 · 6 min read · By XOOMAR Insights Team

StockStay Backdoor Lets Turla Haunt Ukraine Networks

Updated on June 26, 2026

The StockStay backdoor gives Turla a quiet way to sit inside sensitive Ukrainian networks, collect intelligence, and return without breaking in from scratch each time.


Russia-linked APT Turla has used the malware against government and military organizations in Ukraine, with some earlier activity involving European entities tied to foreign policy interests, according to SecurityWeek. Google Threat Intelligence Group, or GTIG, tracks the tool as StockStay and says Turla has been developing it since 2022.

This is an espionage story, not a ransomware story. No public source here says StockStay was built to encrypt files, extort victims, or cause visible disruption. Its value is quieter: access, commands, collection, persistence, and concealment.

GTIG described STOCKSTAY as a .NET backdoor “continually developed and deployed by the Russia-linked threat actor Turla” since at least December 2022.

Why should the StockStay backdoor campaign against Ukraine worry governments outside the war zone?

Ukraine is the primary target in the reporting, but the StockStay backdoor should get attention well beyond Kyiv.

GTIG says most observed StockStay activity targeted Ukrainian government and military entities, which aligns with Russian interests in the region. The same reporting also says some early activity involved European entities in Italy, the Netherlands, Poland, and Germany, including a foreign affairs ministry, though intended victims for most of those infections were not confirmed.

That mix matters. A tool refined against government and military networks in wartime can become a long-term intelligence asset if it proves reliable. XOOMAR analysis: the most important lesson is not that every government is now a confirmed StockStay target. The source doesn’t show that. The lesson is that Turla is building and iterating a stealthy espionage implant with use cases that fit diplomatic and defense environments.

StockStay’s social engineering also leans into trust-heavy sectors. GTIG observed academia and diplomacy themes, including phishing emails sent from a compromised Ukrainian university email account and a diplomatic education platform. Some backdoor MSI files were named “DiplomacyEduAI”. Some phishing domains contained “education” and “diplo”.

That is not random branding. It points to operators trying to make malicious files look plausible to officials, researchers, or diplomatic staff.

For readers tracking backdoor tradecraft more broadly, XOOMAR has covered other malware cases such as Self-Destructing Mistic Backdoor Hides Ransomware Footholds and Edgecution Malware Hijacks Edge to Open a Backdoor. StockStay sits in a different lane based on the supplied reporting: espionage against state-linked targets, not a publicly described ransomware access chain.


What is Turla, and why does its use of StockStay carry extra weight?

Turla is not a fly-by-night criminal crew chasing quick payments. It is a long-running Russia-linked advanced persistent threat group also known as Krypton, Snake, Summit, UAC-0194, Venomous Bear, and Waterbug.

SecurityWeek reports that Turla has been active since at least 2004. The US officially linked the APT to Russia’s Federal Security Service, or FSB, in 2023. GTIG also connects Turla to a history of espionage tooling, including overlap between StockStay and Kazuar, a known Turla implant that has been around since at least 2015.

That history raises the stakes. When a group with Turla’s profile deploys new malware, defenders should assume patience. The goal is usually not a noisy hit. It is to remain useful inside a target environment for as long as possible.

The public reporting says Turla deployed StockStay at different stages of attacks:

| Stage | How StockStay appears in the reporting |
| --- | --- |
| Initial access | GTIG observed deployment through phishing and malicious files |
| Reconnaissance | The tool can harvest system information and support task processing |
| Later-stage access | GTIG says Turla also deployed StockStay, likely through existing access to victim environments |

The distinction matters. If a defender treats StockStay only as an initial infection artifact, they may miss cases where it appears after another intrusion path has already succeeded.

How does the StockStay backdoor help spies keep access inside Ukrainian networks?

A backdoor is the part of an intrusion that lets operators come back. The phishing email, malicious RDP file, or exploit may open the door. StockStay is the mechanism that can help keep that door usable.

GTIG describes StockStay as a multi-component .NET backdoor. Early versions masqueraded as a stock market data viewing tool. Later versions posed as PDF viewers and calculator utilities. That disguise matters because it gives the malware a benign cover story on disk and in user-facing contexts.

The architecture is modular:

  • StockStay.MarketMaker: a proxy-aware downloader that fetches payloads from a remote server and sets autorun entries.
  • StockStay.StockBroker: a proxy-aware tunneler that provides network communication.
  • StockStay.StockMarket: an orchestrator that manages configurability through an encrypted on-disk configuration file.
  • StockStay.StockTrader: the backdoor component that supports command execution capabilities.

StockStay communicates with command-and-control infrastructure over a secure WebSocket connection built on the open-source websocket-sharp library. Its components talk to each other through an inter-process communication channel.

The capabilities are broad enough for intelligence collection. SecurityWeek says StockStay.StockTrader supports file download, exfiltration, modification, folder tampering, screen capture, task processing, registry modification, process execution, and system information harvesting.

That does not prove every capability was used in every intrusion. It does show what the tool is built to support.

The November 2025 case shows the intrusion chain

One concrete GTIG example stands out. In November 2025, Turla sent phishing emails to 20 Ukraine-based targets. Those emails linked to a malicious RAR archive exploiting CVE-2025-8088 to execute StockStay.

That chain is useful for defenders because it separates the pieces:

  • Lure: phishing email.
  • Delivery: malicious archive.
  • Exploit: CVE-2025-8088.
  • Foothold: StockStay backdoor.
  • Objective: espionage activity, based on GTIG’s assessment.

GTIG also observed delivery through malicious RDP configuration files sent by phishing email. Some were hosted on a compromised diplomatic-themed education platform.

The practical takeaway is narrow but important. Defenders in government, military, diplomatic, and academic-adjacent organizations should not look only for one malware filename. They should examine the whole pattern: education and diplomacy-themed lures, unexpected RDP files, archive-based delivery, WebSocket traffic that doesn’t match normal application behavior, and persistence created by StockStay components.
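To make that "whole pattern" concrete, here is an added triage example written for this article; it is not code from XOOMAR, GTIG or SecurityWeek, and it describes no real indicator. It takes three constructed telemetry feeds (mail-gateway records, proxy records, and Run-key writes) and checks each against one leg of the pattern above: education or diplomacy-themed lures carrying RDP, archive or MSI attachments; WebSocket upgrades opened by processes that have no business using them; and autorun entries pointing into user-writable paths. All senders, hosts, process names and paths are placeholders, the "DiplomacyEduAI" filename merely echoes the naming theme the reporting mentions, and the WebSocket allow-list is a hypothetical one you would tune to your own environment.

```python
"""Added example, not code from the XOOMAR article or from GTIG: a small triage
script that hunts for the *pattern* described above instead of one filename.
Every log line here is constructed for the demo; hosts, senders, process names
and paths are placeholders, not real indicators."""
import re

# Constructed mail-gateway records: (sender, subject, attachment name).
MAIL_LOG = [
    ("registrar@university.example", "Seminar registration", "agenda.pdf"),
    ("training@diplo-education.example", "Diplomacy course access", "connect.rdp"),
    ("alumni@university.example", "Call for papers", "DiplomacyEduAI-setup.rar"),
    ("it@corp.example", "New VPN profile", "office.rdp"),
]

# Constructed proxy records: (destination host, client process, request headers).
PROXY_LOG = [
    ("teams.microsoft.example", "Teams.exe", {"Upgrade": "websocket"}),
    ("cdn.diplo-education.example", "PdfViewer.exe", {"Upgrade": "websocket"}),
    ("updates.vendor.example", "svchost.exe", {}),
]

# Constructed registry telemetry: (Run-key value name, image path it launches).
AUTORUN_LOG = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
    ("StockViewer", r"C:\Users\analyst\AppData\Roaming\StockViewer\StockViewer.exe"),
]

# Lure themes and delivery formats named in the reporting; tune per environment.
LURE_TERMS = ("diplo", "education", "edu")
RISKY_EXTENSIONS = (".rdp", ".rar", ".msi")
# Hypothetical allow-list of processes expected to open WebSocket connections.
WEBSOCKET_ALLOWLIST = {"Teams.exe", "Slack.exe", "chrome.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def suspicious_mail(log):
    """Return (attachment, themed) for risky attachments; themed is True when
    the sender, subject or filename also carries an education/diplomacy theme."""
    hits = []
    for sender, subject, attachment in log:
        if not attachment.lower().endswith(RISKY_EXTENSIONS):
            continue
        text = f"{sender} {subject} {attachment}".lower()
        hits.append((attachment, any(term in text for term in LURE_TERMS)))
    return hits


def unexpected_websocket(log, allowlist=WEBSOCKET_ALLOWLIST):
    """WebSocket upgrades opened by processes outside the allow-list."""
    return [
        (proc, host)
        for host, proc, headers in log
        if headers.get("Upgrade", "").lower() == "websocket" and proc not in allowlist
    ]


def user_path_autoruns(log):
    """Run-key entries whose image lives under a user-writable AppData path."""
    return [name for name, image in log if USER_WRITABLE.search(image)]


def triage():
    """Correlate the three signals; a host that trips all three deserves a look."""
    findings = {
        "mail": suspicious_mail(MAIL_LOG),
        "websocket": unexpected_websocket(PROXY_LOG),
        "autorun": user_path_autoruns(AUTORUN_LOG),
    }
    findings["signals"] = sum(1 for value in findings.values() if value)
    return findings


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The point of the correlation is the last function: any single leg (an RDP file from IT, a PDF viewer opening a WebSocket, a Run key under AppData) is noisy on its own, but the reporting describes these signals arriving together, so a host that trips more than one should be prioritised over one that trips a single rule.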

The next watch item is attribution-driven reuse. If GTIG’s reporting is right, Turla has been developing StockStay since 2022 and changing its disguises over time. That means defenders should expect the packaging to keep shifting, even if the operational logic stays familiar: quiet access first, intelligence collection after.

Impact Analysis

  • StockStay gives Turla persistent access to sensitive Ukrainian government and military networks for intelligence collection.
  • Early activity tied to European foreign policy entities suggests the risk may extend beyond Ukraine.
  • The campaign shows Russia-linked actors are refining stealthy espionage tools rather than relying only on disruptive cyberattacks.
Written by

XOOMAR Insights Team
