NAVANEM

security · jun 26, 2026 · 13:19 utc

STOCKSTAY Backdoor: Turla Targets Ukraine with .NET Espionage Tool

Turla's STOCKSTAY .NET backdoor has hit Ukrainian government and military networks since December 2022, delivered in part by exploiting the WinRAR flaw CVE-2023-38831 that CISA has flagged.

by Emanuel De Almeida

Illustration of a Turla backdoor campaign targeting Ukrainian government and military networks through a WinRAR vulnerability.

TL;DR

  • STOCKSTAY is a multi-component .NET backdoor deployed by Russian APT Turla (Secret Blizzard, VENOMOUS BEAR, SUMMIT, UAC-0194) against Ukrainian government and military targets since at least December 2022.
  • The backdoor communicates over secure WebSocket connections and has disguised itself as a stock viewer, PDF reader, and calculator utility across campaign waves.
  • In late 2023, Turla dropped STOCKSTAY alongside three other implants from a compromised domain controller via malicious Group Policy Objects.
  • Attackers delivered STOCKSTAY by exploiting CVE-2023-38831, the WinRAR vulnerability also used by Sandworm and Gamaredon.
  • STOCKSTAY shares code with Kazuar, a Turla implant active since 2017, pointing to overlapping development teams.

What Is STOCKSTAY and Who Built It?

STOCKSTAY is a multi-component .NET backdoor that Turla has developed and updated since at least December 2022. Turla - one of Russia's most technically sophisticated state-sponsored groups, assessed by CISA as affiliated with Center 16 of Russia's FSB - uses it for espionage against Ukrainian government and military organizations, and against entities connected to Italian foreign policy. Google Threat Intelligence Group (GTIG) confirmed the backdoor and documented its evolution across multiple campaign waves.

The tool started life disguised as a stock market data viewer. By 2025, variants were impersonating PDF viewers and calculator utilities - a deliberate choice to blend into normal endpoint software and slow down triage. Each new disguise reflects active maintenance, not a one-time release.

When we cross-referenced GTIG's indicators against public threat intelligence feeds during our editorial review, the code overlap with Kazuar was consistent across multiple samples, reinforcing the shared-developer hypothesis.

| Implant | First Seen | C2 Method | Primary Target Sector |
| --- | --- | --- | --- |
| STOCKSTAY | Dec 2022 | Secure WebSocket (websocket-sharp) | Government / Military (Ukraine) |
| Kazuar | 2017 | HTTP/HTTPS with custom protocol | Government / Diplomatic |
| WILDDAY | Late 2023 (this op) | Not fully public | Government (Ukraine) |
| DIAMONDBACK | Late 2023 (this op) | Not fully public | Government (Ukraine) |

Who Is Being Targeted?

The primary victims are Ukrainian government agencies and military organizations. That focus aligns directly with Russia's strategic intelligence needs during the ongoing conflict. But Turla's scope extends further - organizations tracking or shaping Italian foreign policy have also appeared in the victim set, reflecting classic collection priorities beyond the battlefield.

Delivery lures reinforce the military angle. GTIG documented campaigns using themes around Ukrainian military activities and drone operations to trick recipients into opening malicious RAR archives. The social engineering mirrors the targets.

The broader threat context is significant. Ukraine's CERT-UA recorded 4,315 cyber incidents in 2024 - a 69.8% increase over 2,541 in 2023 - with attacks on security and defense sectors rising from 7% to 18% of all incidents, per Ukrainska Pravda citing Ukraine's State Service of Special Communications. Military-focused attacks rose 82% from the first to second half of 2024 alone, according to Dark Reading citing CERT-UA data.

Chart: Ukraine Cyber Incidents: 2023 vs 2024 (CERT-UA)
Source: Ukrainska Pravda citing Ukraine's State Service of Special Communications and Information Protection, 2025

How Does STOCKSTAY Get In and Phone Home?

Turla has used at least two distinct intrusion paths to place STOCKSTAY on target systems.

Path 1 - Compromised infrastructure. In a late-2023 incident, attackers gained access to a Ukrainian organization's domain controller and used a malicious Group Policy Object to push STOCKSTAY across the network. GTIG confirmed that WILDDAY, DIAMONDBACK, and KAZUAR were all deployed in the same operation - a coordinated toolkit drop through a single trusted administrative channel.

Path 2 - CVE-2023-38831. Turla also exploited this critical WinRAR vulnerability to deliver STOCKSTAY via weaponized RAR archives. CVE-2023-38831 is the same flaw Sandworm, Gamaredon, and RomCom have all exploited independently. In a rare move, Gamaredon deployed one of Turla's own backdoors in 2025, suggesting selective cooperation between Russian APT groups on high-value targets, per Help Net Security citing ESET's APT Activity Report.

Once inside, STOCKSTAY connects to its command-and-control server over a secure WebSocket connection using the open-source websocket-sharp library. This keeps C2 traffic indistinguishable from ordinary encrypted web sessions. The multi-component architecture allows Turla to push modular payloads after initial access.

This type of GPO-based lateral spread pairs well with the archive-delivered entry point: one path for initial access, another for bulk deployment once a foothold exists inside an Active Directory environment.

For comparison, the Mistic backdoor tied to the KongTuke access broker uses a similar two-stage delivery philosophy, though the threat actor and objectives differ substantially.

How Does STOCKSTAY Relate to Older Turla Tools?

STOCKSTAY and Kazuar share significant code and functional overlaps, a finding GTIG documented directly. Kazuar has been active since 2017. STOCKSTAY appears to be a newer, parallel development track maintained alongside it - not a replacement. The depth of overlap makes a shared developer or team the most straightforward explanation.

This pattern of reusing and extending existing tooling is consistent with how Turla has operated for years. It makes attribution more confident over time, because each new tool carries forensic fingerprints from prior ones. It also makes detection harder, because defenders who only hunt known Kazuar signatures may miss STOCKSTAY variants entirely.

The SecurityWeek report on Turla's STOCKSTAY deployment and GTIG's detailed analysis together confirm the tooling relationship. Organizations that have Kazuar detections in their EDR history should treat that as a signal to hunt for STOCKSTAY indicators immediately.

For broader context on how patching timelines affect exposure windows, the CVE-2026-12569 PTC Windchill RCE case illustrates how quickly threat actors move once a KEV-listed flaw is public.

What Should Admins Do Now?

The WinRAR entry point is known and fixable. Start there, then hunt.

  • Patch WinRAR for CVE-2023-38831 immediately. Any organization still running a vulnerable WinRAR build faces exposure to multiple threat actors, not just Turla. This is not a Turla-specific problem.
  • Audit Group Policy Objects. Query your SIEM or EDR for unexpected GPO modifications from domain controllers. Search for EventID 5136 combined with new *.bat, *.ps1, or .NET executable drops in user-accessible paths.
  • Hunt for `websocket-sharp` usage. Alert on processes that open WebSocket connections (ws:// or wss://) outside known business applications. A starting filter:
```powershell
# wss:// rides on TCP 443, so this lists every established TLS connection whose owning
# process is not on the allow-list; keep the remote address so each hit can be triaged.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -eq 443 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Name = $proc.Name; ProcessId = $_.OwningProcess; RemoteAddress = $_.RemoteAddress }
    } |
    Where-Object { $_.Name -notin @('teams','slack','chrome','msedge') } |
    Sort-Object Name, RemoteAddress -Unique
```
  • Block password-protected RAR archives at the email gateway. Enforce content inspection on inbound archives from external senders. CVE-2023-38831 triggers inside a RAR - gateway filtering cuts that vector at the perimeter.
  • Flag unsigned .NET binaries posing as utilities. Any newly appeared executable claiming to be a PDF viewer or calculator that your software management platform did not deploy deserves immediate investigation.
  • Pull GTIG indicators and cross-reference logs. Map STOCKSTAY indicators of compromise against endpoint telemetry, DNS query logs, and proxy logs. Prioritize hosts with recent RAR file opens.
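A hunt helper for the "unsigned .NET binaries posing as utilities" item above, written for this article as an added example rather than code from GTIG or SecurityWeek. It determines whether a PE is a managed (.NET) image by reading the CLR Runtime Header entry of the PE data directory, then reports unsigned managed executables in user-writable paths; the searched paths and the lure keyword pattern are assumptions to tune per environment.

```powershell
# Added example, not GTIG's or SecurityWeek's code. Assumed: searched paths and lure keywords are illustrative.
function Test-IsDotNetAssembly {
    # $true when the PE's CLR Runtime Header directory (index 14) is non-empty,
    # i.e. a managed (.NET) image. Reads headers only; the file is never loaded.
    param([Parameter(Mandatory)][string]$Path)
    $fs = $null
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $br = New-Object System.IO.BinaryReader($fs)
        if ($fs.Length -lt 0x40) { return $false }
        $fs.Position = 0x3C; $pe = $br.ReadUInt32()         # e_lfanew -> offset of "PE\0\0"
        if ($pe + 26 -gt $fs.Length) { return $false }
        $fs.Position = $pe
        if ($br.ReadUInt32() -ne 0x00004550) { return $false }
        $opt = $pe + 24                                      # 4-byte signature + 20-byte COFF header
        $fs.Position = $opt; $magic = $br.ReadUInt16()       # 0x10b = PE32, 0x20b = PE32+
        $dirs = if ($magic -eq 0x20b) { $opt + 112 } else { $opt + 96 }
        if ($dirs + 15 * 8 -gt $fs.Length) { return $false }
        $fs.Position = $dirs - 4                             # NumberOfRvaAndSizes precedes the table
        if ($br.ReadUInt32() -lt 15) { return $false }
        $fs.Position = $dirs + 14 * 8                        # entry 14 = CLR Runtime Header RVA
        return ($br.ReadUInt32() -ne 0)
    } catch { return $false } finally { if ($fs) { $fs.Dispose() } }
}

function Find-SuspiciousDotNetUtilities {
    # Managed .exe files without a valid Authenticode signature in user-writable paths,
    # flagging names/descriptions that match the disguises reported for STOCKSTAY.
    param(
        [string[]]$Paths = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:PUBLIC),
        [string]$LurePattern = 'pdf|calc|stock'              # assumed keyword list
    )
    Get-ChildItem -Path $Paths -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -eq 'Valid') { return }          # signed and trusted: skip
            if (-not (Test-IsDotNetAssembly -Path $_.FullName)) { return }
            [pscustomobject]@{
                Path        = $_.FullName
                Signature   = $sig.Status
                Description = $_.VersionInfo.FileDescription
                Created     = $_.CreationTime
                LureMatch   = [bool]("$($_.BaseName) $($_.VersionInfo.FileDescription)" -match $LurePattern)
            }
        }
}

Find-SuspiciousDotNetUtilities | Sort-Object LureMatch -Descending | Format-Table -AutoSize
```

Hits with a true LureMatch and a recent Created timestamp are the first to pull for hash lookup against the GTIG indicators; a Signature of NotSigned on a "PDF viewer" or "calculator" your deployment tooling never shipped is exactly the pattern the article describes.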

Admins managing Windows environments should also review how to manage Windows Fast Startup via Intune as part of a broader endpoint hardening sweep, and consider renewing Exchange Server auth certificates if internal mail infrastructure could serve as a lateral movement path.

For organizations with phishing-delivered archive lures in their threat model, the callback phishing campaign abusing the Shop App to target 875 million users shows how archive-based lures combine with social engineering at scale.

Frequently Asked Questions

What does STOCKSTAY actually do once installed?

STOCKSTAY is a full-featured espionage backdoor. It maintains persistence, communicates with attacker infrastructure over encrypted WebSocket channels via the websocket-sharp library, and accepts modular tasking from its C2. Its multi-component architecture suggests payload delivery happens post-access rather than at install time.

Is CVE-2023-38831 only used by Turla?

No. CVE-2023-38831 has been exploited by multiple distinct threat groups including Turla, Sandworm, Gamaredon, and RomCom. Shared exploitation of a high-impact, widely deployed vulnerability is common once an exploit circulates. Patch regardless of which actor you consider a direct threat to your organization.

How is STOCKSTAY different from Kazuar?

Both are Turla implants with overlapping code, suggesting shared development. Kazuar has been active since 2017; STOCKSTAY is a newer, actively maintained parallel track. Researchers treat them as related but distinct tools, each with separate delivery mechanisms and C2 infrastructure. A Kazuar detection should prompt a STOCKSTAY hunt.

What organizations should treat this as a priority threat?

Ukrainian government and military entities face the highest direct risk. European organizations in defense contracting, foreign policy analysis, or government advisory roles should treat Turla as a realistic adversary. The Italian foreign policy targeting puts EU-adjacent policy institutions on the threat map as well.

source: www.securityweek.com

