Turla's STOCKSTAY Backdoor: Analysis of Campaigns & WinRAR Exploit
- [01] Immediate impact: Russia-linked Turla APT targets government and military in Ukraine and Europe with the STOCKSTAY cyber espionage backdoor.
- [02] Affected systems: Windows environments susceptible to spear-phishing, malicious RDP files, or WinRAR path traversal (CVE-2025-8088).
- [03] Remediation: Implement robust phishing defenses, patch WinRAR, and deploy advanced detection for Turla's TTPs.
Overview: Turla’s STOCKSTAY Backdoor Targets Critical Sectors
The Russia-linked advanced persistent threat (APT) group Turla, also known as SUMMIT, Secret Blizzard, VENOMOUS BEAR, and UAC-0194, has consistently developed and deployed a .NET backdoor named STOCKSTAY since at least December 2022. This persistent cyber espionage campaign primarily targets government and military organizations in Ukraine, alongside entities with interests in Italian foreign policy. STOCKSTAY demonstrates significant functional and code overlaps with KAZUAR, another sophisticated toolkit attributed to Turla. This activity aligns with Turla’s historical focus on Western Ministries of Foreign Affairs and defense sectors amid heightened geopolitical tensions. Google Threat Intelligence Group (GTIG) attributes Turla to Center 16 of Russia’s Federal Security Service (FSB), as publicly affirmed by CISA, highlighting the nation-state backing behind these operations, according to Google Cloud Blog.
Detailed Analysis of Turla STOCKSTAY Operations and Evolution
STOCKSTAY is a multi-component backdoor written in .NET, leveraging the Windows Forms framework. Its primary method for command and control (C2) communication involves a secure WebSocket connection, utilizing the open-source websocket-sharp library. The malware’s architecture is modular, with distinct components communicating via an inter-process communication (IPC) channel based on WM_COPYDATA messages.
STOCKSTAY Components
- STOCKSTAY.STOCKBROKER: This component, internally referred to as “
net”, functions as a proxy-aware tunneler. It establishes and manages the secure WebSocket connection to the C2 server, acting as a relay for all network communications. This design isolates network activity from other host-based malicious operations. - STOCKSTAY.STOCKMARKET: Known internally as “
cor”, this is the orchestrator of the STOCKSTAY ecosystem. It loads configuration from an encrypted on-disk file, which initially masqueraded as a stock market data tool. Later variants observed in 2025 disguised themselves as PDF viewers or calculator utilities. This component also generates a unique 4096-bit RSA key pair for encrypting outbound data and a unique infection identifier for the C2 server. - STOCKSTAY.STOCKTRADER: Referred to as “
sys”, this is the core backdoor component. It supports a broad range of operations on the infected host, including:- File management: Deleting, enumerating directories (
Dir), retrieving specific files or types (Get), creating directories (MkDir), uploading files (Put), and deleting directories (RmDir). Retrieved files are zipped and Base64-encoded for exfiltration. - System commands: Executing processes (
Run) with configurable timeouts and capturing screenshots (Image). - Registry manipulation: Deleting (
RegDelete), reading (RegRead), and setting (RegWrite) registry values. - System reconnaissance: Gathering extensive system information (
Sysinfo) via Windows Management Instrumentation (WMI), including OS details, hardware specifications, and running processes. - Archive handling: Extracting ZIP files (
UnpackArchive).
- File management: Deleting, enumerating directories (
- STOCKSTAY.MARKETMAKER: A .NET downloader responsible for downloading and extracting additional payloads, establishing persistence via Windows registry modifications (autorun entries), and running silently. It has been observed masquerading as “MicrosoftUpdateOneDrive”. Early versions of this downloader used .NET AppDomainManager injection for initial deployment, as described in MITRE ATT&CK T1574.014.
Turla operators manage STOCKSTAY through a Python-based WebSocket server controller, which maintains a local SQLite3 database for handling messages and logging client IP addresses. This lightweight server often leverages third-party hosting platforms like Render to further obfuscate the actor’s infrastructure.
Operational Characteristics and Deployment Methods
Turla STOCKSTAY operations frequently incorporate academic or diplomatic lure content. Observed activities include compromising Ukrainian university email accounts for phishing, using academic institution names in malicious RDP files, and compromising diplomatic education platforms. Registered phishing domains often include “education” and “diplo”, and MSI files use “DiplomacyEduAI” as a product name.
Persistent Ukrainian targeting is evident, often using compromised in-country government services for payload deployment. European targeting has also been observed, with early development samples appearing in Italy, the Netherlands, Poland, and Germany.
Deployment commonly follows successful phishing attempts via malicious RDP configuration files. These RDP files connect victims to actor-controlled infrastructure, enabling subsequent payload delivery, such as STOCKSTAY.MARKETMAKER.
Turla deploys STOCKSTAY at various stages of its operations:
- Initial Access: In reconnaissance-lacking scenarios, STOCKSTAY is configured with hard-coded passwords, making initial analysis simpler.
- Post-Reconnaissance: After gaining initial access and conducting reconnaissance, later-stage deployments incorporate environmental keying (e.g., hash of target’s hostname, username, or domain) for configuration decryption. This ensures the malware operates only in the intended environment, hindering detection and analysis.
Notably, in November 2025, GTIG identified a new wave of phishing campaigns targeting Ukrainian military personnel with drone-related lures. These campaigns leveraged a path traversal vulnerability in WinRAR, identified as CVE-2025-8088, for the installation of core STOCKSTAY components. This demonstrates the actor’s adaptability in exploiting publicly known vulnerabilities for payload delivery.
Overlaps with KAZUAR and Evolutionary Trends
STOCKSTAY shares significant TTPs and code characteristics with KAZUAR, strongly suggesting a common developer or development team. Key overlaps include:
- K1MORPHER String Obfuscation: Since April 2025, STOCKSTAY has integrated K1MORPHER, a novel string obfuscation mechanism based on the Squirrel3 pseudo-random number generation algorithm. This same obfuscation technique appeared in KAZUAR samples by June 2025, indicating a shared development effort.
- Multi-component Architecture: Similar to KAZUAR’s “BRIDGE”, “KERNEL”, and “WORKER” components, STOCKSTAY’s modular design (STOCKBROKER, STOCKMARKET, STOCKTRADER) reflects a shared architectural approach for C2 communication, task orchestration, and execution.
- Environmental Keying: Both KAZUAR (via the DIAMONDBACK dropper) and STOCKSTAY employ environmental keying to protect payloads and configurations from analysis outside the target environment.
GTIG assesses with moderate confidence that STOCKSTAY is being developed in KAZUAR’s image, leveraging Turla’s extensive experience with its established toolkit. The co-deployment of STOCKSTAY alongside KAZUAR in some operations may indicate the actor’s testing of new capabilities or establishment of fail-safe access.
Actionable Recommendations and Mitigations
Defending against sophisticated APT groups like Turla requires a multi-layered approach focusing on prevention, detection, and response. Organizations, especially those in government, military, and foreign affairs sectors, should prioritize the following:
- Patch Vulnerabilities: Promptly apply security patches, particularly for widely used software like WinRAR. Understanding WinRAR CVE-2025-8088 exploitation and similar vulnerabilities is crucial.
- Enhance Email Security: Deploy advanced email filtering solutions capable of detecting malicious attachments (e.g., RDP files, archives) and sophisticated phishing lures. Implement DMARC, DKIM, and SPF to prevent email spoofing.
- User Awareness Training: Conduct regular security awareness training, focusing on identifying phishing attempts, suspicious attachments, and unusual requests. Users should be educated on the risks of opening unsolicited RDP files.
- Network Segmentation and Monitoring: Implement network segmentation to limit the scope of potential lateral movement. Continuously monitor network traffic for suspicious C2 communications, especially WebSocket connections to unusual or unapproved domains. Pay attention to DNS queries for
onrender.comsubdomains, as noted by Google SecOps. - Endpoint Detection and Response (EDR) Systems: Deploy and maintain EDR solutions to detect and respond to malicious activities at the endpoint level, including registry modifications, process execution anomalies, and file system changes indicative of STOCKSTAY.
- Threat Hunting: Actively hunt for IoCs associated with Turla and STOCKSTAY. Utilize the provided YARA rules to detect STOCKSTAY backdoor components and configuration files. Integrate threat intelligence feeds into your SIEM and SOC operations.
- Multi-Factor Authentication (MFA): Implement MFA for all accounts, particularly for remote access services and critical systems, to prevent unauthorized access even if credentials are compromised via phishing.
- Principle of Least Privilege: Ensure users and applications operate with the minimum necessary permissions to perform their tasks, reducing the impact of successful compromise.
- Regular Backups: Maintain offline, encrypted backups of critical data to facilitate recovery in the event of a successful attack.
Google Security Operations (SecOps) customers benefit from pending rules designed to detect various TTPs employed by STOCKSTAY, including “Archiver Extraction To Windows Startup”, “Registry Write Registry Run Keys”, “Potential RDP File Write From Phishing”, and “Onrender Subdomain Suspicious DNS Query”. The provided YARA rules also offer valuable detection capabilities for analysts.
rule G_Backdoor_STOCKSTAY_ConfigurationFile_2 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects encrypted configuration files associated with STOCKSTAY."
hash = "40a3b969d81ef1ef35dd9ebcc6774e060b1b8949d3d74f38ca6b7d789c95cdb3"
strings:
$s1 = "\"SystemConfiguration\""
$s2 = "An application for getting information about current events on trading platforms"
$s3 = "To set the time for updating information, enter a value in minutes in the `Interval` field"
$s4 = "The `SystemConfiguration` field stores the system settings of the application."
$s5 = "In the `services` field, fill in the list of addresses of services that provide the `WebSocket protocol`."
$s6 = "wss://"
condition:
uint16(0) == 0x227B // {"
and 4 of ($s*)
}
rule G_Backdoor_STOCKSTAY_ConfigurationFile_3 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects early configuration files associated with STOCKSTAY."
hash = "1a2ca8b8e0344fe3d80da7352206a470245443e2349a237bc093df934ddc011f"
strings:
$key_required_1 = "\"List 1\""
$key_required_2 = "\"List 2\""
$key_required_3 = "\"List 3\""
$key_dummy_1 = "\"BinanceApi\""
$key_dummy_2 = "\"CoinbaseCloudApi\""
$key_dummy_3 = "\"CoinbaseCloudApi Sandbox\""
$key_dummy_4 = "\"ByBitApi Spot\""
$key_dummy_5 = "\"ByBitApi Linear\""
$key_dummy_6 = "\"Info level\""
$key_dummy_7 = "\"Rate info\""
$key_dummy_8 = "\"Info level\""
condition:
uint8(0) == 0x7B // {
and filesize > 500
and all of ($key_required_*)
and 3 of ($key_dummy*)
}
rule G_Backdoor_STOCKSTAY_ConfigurationFile_5 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects plaintext configuration files used by the STOCKSTAY malware family."
hash = "6cee9e838792ac5e2098362d68ce93a9a2c095d476dc16b289fe8509c99b2b8b"
strings:
$internal_id_1 = "\"internal_id\""
$internal_id_2 = "\"i_id\""
$internal_key_1 = "\"internal_key\""
$internal_key_2 = "\"i_k\""
$interval_engine_1 = "\"interval_engine\""
$interval_engine_2 = "\"ie\""
$level_info_1 = "\"level_info\""
$level_info_2 = "\"li\""
$time_scale_1 = "\"time_scale\""
$time_scale_2 = "\"ts\""
$span_min_1 = "\"span_min\""
$span_min_2 = "\"mx1\""
$span_max_1 = "\"span_max\""
$span_max_2 = "\"my1\""
$rate_1 = "\"rate\""
$rate_2 = "\"rt_x_y\""
$rate_control_1 = "\"rate_control\""
$service_1 = "\"service\""
$service_2 = "\"srv\""
$days_not_work_1 = "\"days_not_work\""
$days_not_work_2 = "\"dnw\""
$system_properties_1 = "\"system_properties\""
$system_properties_2 = "\"sp\""
condition:
any of ($internal_id*)
and any of ($internal_key*)
and any of ($interval_engine*)
and any of ($level_info*)
and any of ($time_scale*)
and any of ($span_min*)
and any of ($span_max*)
and any of ($rate*)
and any of ($service*)
and any of ($days_not_work*)
and any of ($system_properties*)
}
rule G_Backdoor_STOCKSTAY_CryptoContainer_1 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects code for parsing crypto containers within STOCKSTAY components."
hash = "82707cfdf24dcb762f4615f01e1ba4d3dfdec4abe9cd588558d2634d7e6a5eeb"
strings:
$s1 = "BuildCryptoContainer"
$s2 = "ParseCryptoContainer"
$s3 = "Windows-1251" wide
$s4 = "AesCryptoServiceProvider"
$s5 = "RSACryptoServiceProvider"
condition:
uint16(0) == 0x5a4d
and all of them
}
rule G_Backdoor_STOCKSTAY_WindowNames_1 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects STOCKSTAY window names."
hash = "dfd5cb91d06b9649d4cab500343af80ad1144a9e46641cc406f43dd169003c22"
strings:
$import = "_CorExeMain"
$s2 = "SMEditorPage" wide
$s3 = "SMNetPage" wide
$s4 = "StockMarketViewPage" wide
$s5 = "window_system32_x128" wide
$s6 = "window_system32_x64" wide
$s7 = "window_system32_x32" wide
condition:
$import
and any of ($s*)
}
rule G_Downloader_STOCKSTAY_MARKETMAKER_1 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects STOCKSTAY.MARKETMAKER downloader based on method names and payload filenames."
hash = "da8a96bc74e265f945f1cc6992c6dc0f9ea36ed1991f7b8d312db79d9bf78c40"
strings:
$f1 = "CheckAutoRun"
$f2 = "SetupAutoRun"
$f3 = "DownloadAndExtractZip"
$f4 = "GetSystemProxy"
$s0 = "_CorExeMain"
$s1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
$s2 = "StockMarketView.exe" wide
$s3 = "SMNet.exe" wide
$s4 = "SMEditor.exe" wide
condition:
all of them
}
rule G_Controller_STOCKSTAY_STOCKMARKET_1 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects STOCKSTAY.STOCKMARKET controller based on method and field names, and SQL queries"
hash = "2af7b513c05e76d7da5f75bb0a223c894a706c99ef2c2ddfe4eae542f95a08e0"
strings:
$f1 = "ProtocolMessageConnect"
$f2 = "ProtocolMessageEnd"
$f3 = "ProtocolMessagePing"
$f4 = "ProtocolMessageRequestRecv"
$f5 = "ProtocolMessageRequestSend"
$f6 = "ProtocolMessageTask"
$f7 = "ProtocolMessageTaskSysinfo"
$f8 = "TMR_AppInit_Tick"
$f9 = "TMR_Engine_Tick"
$f10 = "TMR_KeepAlive_Tick"
$f11 = "TMR_PingNet_Tick"
$f12 = "TMR_PingSystem_Tick"
$f13 = "GetDataTrade"
$f14 = "GetDataNews"
$f15 = "InsertDataTrade"
$f16 = "InsertDataNews"
$sql1 = "CREATE TABLE IF NOT EXISTS News (" wide
$sql2 = "CREATE TABLE IF NOT EXISTS Trade (" wide
$sql3 = "CREATE TABLE IF NOT EXISTS Market (" wide
$sql4 = "INSERT INTO Market ( Guid, Version, Config, Status, Launch, Type ) VALUES (@Guid, @Version, @Config, @Status, @Launch, @Type)" wide
$sql5 = "INSERT INTO News (Container) VALUES (@Container)" wide
$sql6 = "INSERT INTO Trade (Container) VALUES (@Container)" wide
condition:
8 of ($f*)
and any of ($sql*)
}
rule G_Tunneler_STOCKSTAY_STOCKBROKER_1 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects STOCKSTAY.STOCKBROKER tunneler based on known IPC message handler and variable names."
hash = "dfd5cb91d06b9649d4cab500343af80ad1144a9e46641cc406f43dd169003c22"
strings:
$s1 = "_CorExeMain"
$s2 = "ProtocolMessageStatusConnection"
$s3 = "ProtocolMessageResult"
$s4 = "ProtocolMessageEnd"
$s5 = "OnGetDataFromServer"
$s6 = "webSocket"
$s7 = "wmCopyData"
$s8 = "tempStorage"
condition:
all of them
}
rule G_Backdoor_STOCKSTAY_STOCKTRADER_3 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects STOCKSTAY.STOCKTRADER backdoor based on known command handlers and FNV1a hashes."
hash = "82707cfdf24dcb762f4615f01e1ba4d3dfdec4abe9cd588558d2634d7e6a5eeb"
strings:
$cmd_1 = "AppDel"
$cmd_3 = "AppDeleteRegistryValue"
$cmd_4 = "AppDir"
$cmd_5 = "AppGet"
$cmd_6 = "AppMkdir"
$cmd_7 = "AppPut"
$cmd_8 = "AppReadRegistryValue"
$cmd_9 = "AppRegistryKeyExists"
$cmd_10 = "AppRmdir"
$cmd_11 = "AppRun"
$cmd_12 = "AppWriteRegistryValue"
$cmd_13 = "AppUnpackArchive"
$cmd_14 = "ArchiveFiles"
$cmd_15 = "GetFiles"
$cmd_16 = "Sysinfo"
$hash_1 = {ea8e5e34}
$hash_2 = {3445694e}
$hash_3 = {f73e97b6}
$hash_4 = {9aa70c59}
$hash_5 = {18b496c9}
$hash_6 = {0f716ebc}
$hash_7 = {8e2d79ce}
$hash_8 = {3ae2a963}
$hash_9 = {35d26840}
$hash_10 = {6c41d6bc}
$hash_11 = {1fdbbb2f}
$hash_12 = {6ae6578d}
$hash_13 = {66732be7}
$hash_14 = {0b113b3d}
condition:
uint16(0) == 0x5a4d
and (
12 of ($cmd*)
or 10 of ($hash*)
)
}
rule G_Hunting_K1MORPHER_1 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects plaintext class and method names associated with the .NET class K1.Morpher"
hash = "45bb8d1ab2c13bf4354294e13d3c9be15de625d807301905b98462f43f93e893"
strings:
$plain_api_1 = "Squirrel3"
$plain_api_2 = "DecryptArraySimple"
$plain_api_3 = "DecryptIntSimple"
$plain_api_4 = "DecryptLongSimple"
$plain_api_5 = "DecryptFloatSimple"
$plain_api_6 = "DecryptStringSimple"
$plain_api_7 = "DecryptDoubleSimple"
$plain_api_8 = "_squ_ui1"
$plain_api_9 = "_squ_ui2"
$plain_api_10 = "_squ_ui3"
$plain_api_11 = "InjectedSeedCipher"
condition:
dotnet.is_dotnet
and 5 of ($plain_api*)
}
rule G_Hunting_K1MORPHER_2 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects the Squirrel3 RNG implemented within K1.Morpher"
hash = "45bb8d1ab2c13bf4354294e13d3c9be15de625d807301905b98462f43f93e893"
strings:
$squirrel3_code_1 = {
00 // nop
03 // ldarg.1
0A // stloc.0
06 // ldloc.0
7E ??????04 // ldsfld <token>
5A // mul
0A // stloc.0
06 // ldloc.0
02 // ldarg.0
58 // add
0A // stloc.0
06 // ldloc.0
06 // ldloc.0
1E // ldc.i4.8
64 // shr.un
61 // xor
0A // stloc.0
06 // ldloc.0
7E ??????04 // ldsfld <token>
58 // add
0A // stloc.0
06 // ldloc.0
06 // ldloc.0
1E // ldc.i4.8
62 // shl
61 // xor
0A // stloc.0
06 // ldloc.9
7E ??????04 // ldsfld <token>
5A // mul
0A // stloc.0
06 // ldloc.0
06 // ldloc.0
1E // ldc.i4.8
64 // shr.un
61 // xor
0A // stloc.0
06 // ldloc.0
0B // stloc.1
2B 00 // br.s 40
07 // ldloc.1
2A // ret
}
condition:
dotnet.is_dotnet
and all of them
}
rule G_Hunting_K1MORPHER_3 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects the Squirrel3 RNG implemented within K1.Morpher"
hash = "391e51354118fb87dc57650cbbd94258c3f7c0a0d6868040b7a473ad626ff25e"
strings:
$squirrel3_code_1 = {
03 // ldarg.1
7E??????04 // ldsfld <token>
5A // mul
02 // ldarg.0
58 // add
25 // dup
1E // ldc.i4.8
64 // shr.un
61 // xor
7E??????04 // ldsfld <token>
58 // add
25 // dup
1E // ldc.i4.8
62 // shl
61 // xor
7E??????04 // ldsfld <token>
5A // mul
25 // dup
1E // ldc.i4.8
64 // shr.un
61 // xor
2A // ret
}
condition:
dotnet.is_dotnet
and all of them
} Advertisement