Russia-Linked Turla Uses Compromised Infrastructure to Deploy STOCKSTAY in Ukraine Operations

Jun 29, 2026 · 6 min read
Russia-linked threat group Turla has been quietly expanding its espionage arsenal with a new backdoor called STOCKSTAY, actively targeting government and military organizations in Ukraine since at least December 2022.

The malware is built in .NET and talks to its operators over a TLS-encrypted WebSocket connection (wss://), so its traffic looks like ordinary web activity and is difficult to single out. Evidence points to a well-organized, state-backed campaign tied directly to Russian intelligence.

STOCKSTAY was originally disguised as a stock market data viewing tool, with fake file names and configuration data designed to blend in with everyday software.

By 2025, updated variants were found posing as PDF viewers and calculator utilities, showing how the group continuously adapts.

Turla has consistently focused on western Ministries of Foreign Affairs, defense organizations, and Ukrainian military entities, reflecting alignment with Russian state interests.

Overview of STOCKSTAY malware architecture (Source: Google Cloud)

Analysts at Google Threat Intelligence Group (GTIG) identified and documented the malware in a report shared with Cyber Security News (CSN), providing a detailed breakdown of its components, timeline, and overlaps with another Turla toolkit known as KAZUAR.

Turla, also tracked as SUMMIT, Secret Blizzard, and VENOMOUS BEAR, is attributed to Center 16 of Russia’s Federal Security Service (FSB) and has been active since at least 2004.

The malware has been deployed across multiple countries, including Ukraine, Italy, the Netherlands, Poland, and Germany.

In Ukraine, Turla used compromised infrastructure, including government services and an IT company’s server, to stage and deliver the payload. This lets the group blend into local network traffic, making detection considerably harder.

Following a November 2025 phishing wave that targeted around 20 Ukraine-based individuals, GTIG sent Government-Backed Attack Warning notifications to the affected Google account holders.

That campaign used malicious RAR archives exploiting CVE-2025-8088, a path traversal flaw in WinRAR that was fixed in version 7.13; WinRAR does not update itself, so confirming the installed version on endpoints is part of the response. Security teams are urged to check their environments against the indicators of compromise listed below.

Russia-Linked Turla Uses Compromised Infrastructure

Turla’s use of compromised Ukrainian infrastructure is one of the most calculated aspects of these operations.

The group staged payloads on a website belonging to the State Regulatory Service of Ukraine and on a WordPress server hosted within the country. Delivering malware from trusted domestic sources sidesteps reputation-based controls that would flag foreign infrastructure.

Initial access relied on phishing with malicious Remote Desktop Protocol connection files (.rdp). In early 2025, victims received emails posing as a defense training academy; opening the attached .rdp file started a session to actor-controlled infrastructure.
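Before anyone opens such an attachment, a triage script can show what the .rdp file would do. The following is an added example from the editor, not GTIG code and not a description of Turla's actual lure: the page does not give the attachment's contents, so the sample file is constructed, the host allowlist is hypothetical, and the checks are the generic rogue-RDP red flags (a connection target outside the allowlist, drive and clipboard redirection into the remote session, and RemoteApp settings that let the server choose the program that runs on connect).

```python
"""Triage an .rdp attachment before anyone opens it.

Added example by the editor, not GTIG code. The page does not describe what
Turla's .rdp lures contained, so SAMPLE_LURE is constructed and the checks are
generic rogue-RDP red flags, not STOCKSTAY-specific signatures.
"""

# Integer settings whose flagged value hands the remote server access to the
# victim's machine (local drives, clipboard, smart card) or lets it pick the
# program that runs on connect (RemoteApp).
RISKY_INT_SETTINGS = {
    "redirectdrives": 1,
    "redirectclipboard": 1,
    "redirectprinters": 1,
    "redirectsmartcards": 1,
    "remoteapplicationmode": 1,
}

# String settings that name a program the server launches in the session.
PROGRAM_SETTINGS = ("remoteapplicationprogram", "alternate shell")


def decode_rdp(raw: bytes) -> str:
    """mstsc saves .rdp files as UTF-16LE with a BOM; hand-written lures are often UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace").lstrip("\ufeff")


def parse_rdp(text: str) -> dict:
    """Return {setting_name: (type, value)} from 'name:type:value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # the value itself may contain ':' (host:port)
        if len(parts) != 3:
            continue
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ.lower(), value)
    return settings


def assess_rdp(raw: bytes, trusted_hosts: set) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_rdp(decode_rdp(raw))
    findings = []

    addr = s.get("full address", ("s", ""))[1]
    if addr.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:3389
        host = addr.split("]")[0].lstrip("[")
    else:
        host = addr.split(":")[0]
    host = host.lower()
    if not host:
        findings.append("no 'full address': unusual for a lure, client would prompt")
    elif host not in trusted_hosts:
        findings.append(f"connects to untrusted host {host!r}")

    for key, flagged in RISKY_INT_SETTINGS.items():
        typ, val = s.get(key, ("i", ""))
        if typ == "i" and val.isdigit() and int(val) == flagged:
            findings.append(f"{key}:i:{val}")

    drives = s.get("drivestoredirect", ("s", ""))[1]
    if drives:  # '*' means every local drive is mounted in the remote session
        findings.append(f"drivestoredirect:s:{drives}")

    for key in PROGRAM_SETTINGS:
        prog = s.get(key, ("s", ""))[1]
        if prog:
            findings.append(f"{key}:s:{prog}")

    if "signature" not in s:
        findings.append("unsigned .rdp file (no 'signature' setting)")
    return findings


# Constructed sample modelled on the page's description of a training-academy
# lure; the hostname uses the reserved .example TLD and is not a real indicator.
SAMPLE_LURE = b"""full address:s:training-portal.example:3389
redirectdrives:i:1
redirectclipboard:i:1
drivestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationprogram:s:||TrainingPortal
remoteapplicationname:s:Defense Academy Training
authentication level:i:0
prompt for credentials:i:0
"""

if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_LURE, trusted_hosts={"rdp.corp.example"}):
        print("FLAG:", finding)
```

The allowlist check is the one that matters most: a connection to any host outside the organization's own RDP gateways is the lure's whole purpose, and the redirection settings show what the attacker would gain from it. Mail-gateway policy that blocks or quarantines .rdp attachments outright removes the need for triage altogether.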

Overview of STOCKSTAY C2 Infrastructure (Source: Tencent)

Turla then deployed the STOCKSTAY.MARKETMAKER downloader, which retrieved the full STOCKSTAY suite from the compromised server.

A later wave in mid-2025 used a compromised diplomatic education platform to draw in victims under the guise of accessing an online training portal.

STOCKSTAY runs through three coordinated components. STOCKMARKET orchestrates operations, STOCKBROKER handles network communication over WebSocket, and STOCKTRADER executes commands on infected machines, including file collection, registry modifications, and screen capture.

The malware runs only on weekdays between 9 AM and 6 PM, deliberately matching business hours to avoid detection. The same window matters for analysts: a sample detonated at night or on a weekend will show no C2 activity unless the sandbox clock is adjusted.

STOCKSTAY’s Evolving Obfuscation and Connection to KAZUAR

A consistent theme in this investigation is how closely STOCKSTAY mirrors KAZUAR, Turla’s longer-running espionage toolkit.

Both use multi-component architectures, environmental keying to protect configurations, and compromised WordPress sites during operations.

GTIG assesses with moderate confidence that both tools are likely developed by a shared team working in parallel.
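Environmental keying, as the page uses the term, means the configuration is encrypted under a key derived from attributes of the intended victim's machine, so the same sample decrypts to nothing in a sandbox or on an analyst's workstation. The following added example, written by the editor and not taken from STOCKSTAY or KAZUAR (the page does not give their derivation inputs or cipher), shows the mechanism with hostname and username as the assumed keying inputs and a standard-library-only encrypt-then-MAC construction.

```python
"""Environmental keying: a config only the intended host can decrypt.

Added example by the editor; not STOCKSTAY or KAZUAR code. The page says both
families use environmental keying for their configurations but does not give
the inputs or cipher, so hostname + username as key material, the PBKDF2 step
and the HMAC-SHA256 stream/MAC construction are all assumptions chosen to show
the mechanism with the standard library only.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(hostname: str, username: str, salt: bytes) -> bytes:
    """Key comes from the victim's environment; only the salt ships in the sample."""
    ikm = f"{hostname.lower()}|{username.lower()}".encode()
    return hashlib.pbkdf2_hmac("sha256", ikm, salt, 100_000)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the environment key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a stream cipher (illustrative, stdlib-only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(config: dict, key: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    plain = json.dumps(config, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, key: bytes):
    """Return the config dict, or None when the key (i.e. the environment) is wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong host: no plaintext, not even a garbled one, is produced
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plain)


# Constructed demo values: a hypothetical target host and a sandbox.
SALT = bytes.fromhex("7a3c9e1f00112233445566778899aabb")
TARGET_KEY = derive_key("WKS-0142", "o.shevchenko", SALT)
SANDBOX_KEY = derive_key("DESKTOP-SANDBOX", "admin", SALT)
DEMO_CONFIG = {"c2": "wss://c2.example.invalid/ws", "hours": "Mon-Fri 09:00-18:00"}

if __name__ == "__main__":
    blob = seal(DEMO_CONFIG, TARGET_KEY)
    print("on target :", unseal(blob, TARGET_KEY))
    print("in sandbox:", unseal(blob, SANDBOX_KEY))
```

The practical consequence for analysts: a sample recovered from disk will not yield its C2 configuration unless the environment values are recovered too, either from the victim host itself or by brute-forcing candidate hostnames when the derivation is cheap. The PBKDF2 step in the example is what makes the second route expensive, which is also why memory captures from the live victim are worth more than the binary alone.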

In April 2025, STOCKSTAY adopted a new string obfuscation method based on Squirrel3, a pseudo-random noise function originally presented at the Game Developers Conference (GDC) in 2017.

Timeline of STOCKSTAY observations (Source: Google Cloud)

GTIG tracks this obfuscation as K1MORPHER. By June 2025 the same code had appeared in KAZUAR samples, strengthening the case that both families share a common development environment.
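To make the Squirrel3 reference concrete: it is a stateless noise function, not a stateful generator, so the same (position, seed) pair always yields the same 32-bit value, which is exactly what a string obfuscator wants (no state to carry between strings) and exactly what makes recovery easy for an analyst once the seed is known or small. The block below is an added example from the editor. The squirrel3() function uses the published GDC 2017 constants; everything after it (the byte layout, seed size, XOR scheme and crib-based seed recovery) is the editor's illustration of how such a function can drive string obfuscation, not a description of K1MORPHER, whose actual construction the page does not give.

```python
"""Squirrel3 noise and a keystream-style string obfuscator built on it.

squirrel3() is the noise function presented at GDC 2017, with the published
constants. Everything else is the editor's added illustration of how a
noise-based RNG can drive string obfuscation and how an analyst recovers the
seed; the page says only that K1MORPHER is based on Squirrel3, so the byte
layout, seed size and XOR scheme here are assumptions, not the real encoder.
"""
MASK32 = 0xFFFFFFFF
BIT_NOISE1 = 0xB5297A4D
BIT_NOISE2 = 0x68E31DA4
BIT_NOISE3 = 0x1B56C4E9


def squirrel3(position: int, seed: int) -> int:
    """Stateless 32-bit noise: same (position, seed) always gives the same value.

    Every step (odd multiply, add, xor-shift) is invertible mod 2^32, so for a
    fixed seed the map position -> value is a permutation: no collisions.
    """
    m = ((position & MASK32) * BIT_NOISE1) & MASK32
    m = (m + (seed & MASK32)) & MASK32
    m ^= m >> 8
    m = (m + BIT_NOISE2) & MASK32
    m ^= (m << 8) & MASK32
    m = (m * BIT_NOISE3) & MASK32
    m ^= m >> 8
    return m


def keystream(seed: int, length: int) -> bytes:
    """Four keystream bytes per noise call; position is the 32-bit word index."""
    out = bytearray()
    for word in range((length + 3) // 4):
        out += squirrel3(word, seed).to_bytes(4, "little")
    return bytes(out[:length])


def xor_with_stream(data: bytes, seed: int) -> bytes:
    """Obfuscation and deobfuscation are the same XOR operation."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def obfuscate(plain: str, seed: int) -> bytes:
    return xor_with_stream(plain.encode("utf-8"), seed)


def deobfuscate(blob: bytes, seed: int) -> str:
    return xor_with_stream(blob, seed).decode("utf-8")


def recover_seed(blob: bytes, crib: str, max_seed: int = 1 << 16):
    """Brute-force the seed from a known plaintext prefix such as 'wss://'.

    With a stateless noise function and a small seed space this is a few
    hundred thousand cheap operations; there is no key schedule to slow it
    down. Returns None when no seed in range reproduces the crib.
    """
    want = crib.encode("utf-8")
    head = blob[: len(want)]
    for seed in range(max_seed):
        if xor_with_stream(head, seed) == want:
            return seed
    return None


if __name__ == "__main__":
    # Constructed demo string; not an indicator from the report.
    blob = obfuscate("wss://c2.example.invalid/ws", 0xBEEF)
    print(blob.hex())
    print("recovered seed:", hex(recover_seed(blob, "wss://")))
    print(deobfuscate(blob, 0xBEEF))
```

The lesson for reverse engineers is the last function: because the keystream depends only on (position, seed), one decoded string with a guessable prefix gives back the seed, and the seed decodes every other string in the sample. A real encoder may use a wider seed or per-string seeds, so treat the 16-bit search here as a starting point rather than a claim about K1MORPHER.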

The group used a GitHub account to host the server-side controller code for STOCKSTAY's command-and-control and deployed the WebSocket endpoint on Render, a cloud hosting platform (the onrender.com hosts in the indicators below).

Routing C2 through TLS-encrypted WebSocket sessions to a legitimate hosting platform makes it difficult for defenders to inspect the traffic, and it hides the group's dedicated infrastructure behind the platform's shared domains. Turla's ongoing refinement of STOCKSTAY confirms its status as one of the most technically advanced espionage actors today.

Indicators of Compromise (IoCs):

Type | Indicator | Description
URL (WebSocket C2) | wss://wool-basalt-clock[.]glitch[.]me/ws | STOCKSTAY WebSocket C2 (January 2024 Ukraine operation)
URL (WebSocket C2) | wss://weatherdataai[.]theworkpc[.]com/ws | STOCKSTAY WebSocket C2 (April 2025 Ukraine operation)
URL (WebSocket C2) | wss://canal1zac1a[.]onrender[.]com/ws | STOCKSTAY WebSocket C2 (August 2025 / GitHub test MSIs)
URL (WebSocket C2) | wss://driverx86-adobe[.]onrender[.]com/ws | STOCKSTAY WebSocket C2 (November 2025 phishing wave)
URL (WebSocket C2) | wss://google-ai-labs-it[.]onrender[.]com/ws | STOCKSTAY WebSocket C2 (November 2025 / ChikenFresh GitHub)
URL (Download) | https://www[.]drs[.]gov[.]ua/wp-content/themes/twentytwentyfive/docs.zip | ZIP hosting STOCKSTAY components on compromised Ukrainian government site
URL (Download) | https://basecon[.]com[.]ua/calculator.rar | RAR archive containing STOCKSTAY components on compromised Ukrainian server
URL (Download) | https://online[.]zp[.]ua/wp-content/uploads/Tools/EditorToolsPdf.zip | ZIP containing STOCKSTAY components on compromised WordPress server
URL (Decoy / Lure) | https://circoloesteri[.]elezioni[.]idnet[.]it/adelection/riepilogo.php | Italian-language election lure URL used in February 2024 Italy operation
File Hash (SHA-256) | d1e54270433a94a… | websocket-sharp.dll — actor-compiled open-source library used by STOCKSTAY
File Hash (SHA-256) | f04f43b6f7c2d86… | server.py — Python STOCKSTAY C2 controller (ChikenFresh GitHub)
File Hash (SHA-256) | 7615140f78d9a0c… | models.py — Database table definitions for STOCKSTAY C2 server
File Hash (SHA-256) | b55f3b8a7334af0… | wtools.py — Utility functions for STOCKSTAY C2 server
File Name | MicrosoftUpdateOneDrive.exe | STOCKSTAY.MARKETMAKER downloader (April 2025 Ukraine operation)
File Name | styles.dat.exe | STOCKSTAY.MARKETMAKER downloader (August 2025 Ukraine operation)
File Name | calculator.rar | RAR archive containing HTA lure and STOCKSTAY components
File Name | Калькулятор грошового забезпечення військовослужбовців 2025.hta | Ukrainian HTA lure (“Military personnel cash benefit calculator 2025.hta”)
File Name | EditorToolsPdf.zip | ZIP archive containing STOCKSTAY components (August 2025 operation)
File Name | DiplomacyEduAI.msi | MSI files containing STOCKSTAY components (GitHub test accounts)
File Name | Copia.msi | MSI containing STOCKSTAY components (February 2024 Italy operation)
File Name | DriversPrinterGraphic.rar | Early STOCKSTAY RAR archive (September 2023, Germany)
File Name | apps_libwallets_v1.3.rar | STOCKSTAY RAR archive (December 2023, Netherlands)
File Name | StockMarketNews.exe | Early combined STOCKSTAY executable
File Name | StockMarketView.exe / ViewPdf.exe | STOCKSTAY.STOCKMARKET orchestrator (various operations)
File Name | StockMarketNet.exe / SMNet.exe / ClientMNGR.exe / MSDriver.exe | STOCKSTAY.STOCKBROKER tunneler (various operations)
File Name | StockMarketSystem.exe / SMEditor.exe / ConverterDDSNet.exe / MSRender.exe | STOCKSTAY.STOCKTRADER backdoor (various operations)
File Name | ClientMNGR2.exe / GR3.exe | STOCKSTAY.STOCKBROKER tunneler obfuscated with K1MORPHER (May 2025, Poland)
File Name | ms-lib-math-core.dll | Shared STOCKSTAY core module (November 2025 operation)
File Name | ms-api-win-render.dll | Module containing STOCKSTAY backdoor command handlers
File Name | ms-api-wmcpdt.dll | Module containing STOCKSTAY IPC logic
File Name | weather_data1.db | SQLite3 database used by STOCKSTAY server-side controller
GitHub Account | Roberto1983-ai | Suspected threat actor GitHub account hosting STOCKSTAY MSI test files
GitHub Account | ChikenFresh | Suspected threat actor GitHub account hosting STOCKSTAY C2 server code

Note: the domains in the URL indicators above are intentionally defanged with [.] to prevent accidental resolution or hyperlinking; the SHA-256 values are shown truncated as published. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
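The C2 description above (TLS WebSocket sessions to Render and Glitch hosts) plus the IoC list translate directly into a hunt over proxy or web-gateway logs. The block below is an added example by the editor, not GTIG tooling: the watchlist is the page's five WebSocket C2 URLs kept in defanged form and re-fanged only in memory, the log lines are constructed for the example, and the JSON-per-line proxy format (fields ts, src, host, upgrade, seconds) is an assumption to map onto your own export. Beyond exact IoC matches it adds a heuristic for long-lived WebSocket upgrades to the same hosting platforms, since PaaS hostnames like these are cheap for the actor to rotate.

```python
"""Hunt proxy logs for STOCKSTAY-style WebSocket C2.

Added example by the editor, not GTIG tooling. C2_WATCHLIST is the WebSocket C2
list from the IoC table, kept defanged and re-fanged only in memory. SAMPLE_LOG
is constructed for this example and assumes a JSON-per-line proxy export with
fields ts, src, host, upgrade and seconds; map your own proxy's field names
onto those.
"""
import json
from urllib.parse import urlsplit

C2_WATCHLIST = [
    "wss://wool-basalt-clock[.]glitch[.]me/ws",
    "wss://weatherdataai[.]theworkpc[.]com/ws",
    "wss://canal1zac1a[.]onrender[.]com/ws",
    "wss://driverx86-adobe[.]onrender[.]com/ws",
    "wss://google-ai-labs-it[.]onrender[.]com/ws",
]

# Platforms the actor used for C2 hosting. A long-lived WebSocket to one of
# them is a lead, not a verdict: legitimate apps run there too.
SUSPECT_SUFFIXES = (".onrender.com", ".glitch.me")
LONG_SESSION_SECONDS = 600


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be parsed as a URL."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def watch_hosts(watchlist) -> set:
    return {urlsplit(refang(u)).hostname for u in watchlist}


def classify(event: dict, hosts: set):
    """Return 'ioc_match', 'suspect_websocket_to_paas', or None."""
    host = (event.get("host") or "").lower()
    is_ws = (event.get("upgrade") or "").lower() == "websocket"
    if host in hosts:
        return "ioc_match"
    if is_ws and host.endswith(SUSPECT_SUFFIXES) and event.get("seconds", 0) >= LONG_SESSION_SECONDS:
        return "suspect_websocket_to_paas"
    return None


def hunt(log_text: str, watchlist=C2_WATCHLIST) -> list:
    """Return (ts, src, host, verdict) tuples for every flagged line."""
    hosts = watch_hosts(watchlist)
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed export line should not abort the hunt
        verdict = classify(event, hosts)
        if verdict:
            hits.append((event.get("ts"), event.get("src"), event.get("host"), verdict))
    return hits


# Constructed log lines: one IoC hit, one heuristic hit, benign noise, one
# short PaaS WebSocket that should not fire, and a garbage line.
SAMPLE_LOG = """
{"ts": "2025-11-12T09:14:02Z", "src": "10.20.1.15", "host": "driverx86-adobe.onrender.com", "upgrade": "websocket", "seconds": 5400}
{"ts": "2025-11-12T09:15:10Z", "src": "10.20.1.22", "host": "docs.example.com", "upgrade": "", "seconds": 2}
{"ts": "2025-11-12T09:20:00Z", "src": "10.20.1.31", "host": "status-board-demo.onrender.com", "upgrade": "websocket", "seconds": 3600}
{"ts": "2025-11-12T09:21:00Z", "src": "10.20.1.31", "host": "chat.example.org", "upgrade": "websocket", "seconds": 7200}
{"ts": "2025-11-12T09:22:00Z", "src": "10.20.1.40", "host": "quick-check.onrender.com", "upgrade": "websocket", "seconds": 30}
this line is not JSON
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Because the sessions are wss://, the proxy sees only the TLS SNI or CONNECT hostname and the Upgrade handshake, not the payload, so hostname plus session duration is what there is to work with. Heuristic hits should be triaged against the page's behavioural detail as well: STOCKSTAY beacons only on weekdays between 9 AM and 6 PM, so a PaaS WebSocket that is also active at 3 AM on a Sunday is less likely to be this family.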

Source: CybersecurityNews.com
