Russia-linked threat group Turla has been quietly expanding its espionage arsenal with a sophisticated .NET backdoor called STOCKSTAY, actively targeting government and military organizations in Ukraine since at least December 2022. Google’s Threat Intelligence Group (GTIG) has published new research detailing the malware’s architecture, evolution, and connections to another Turla toolkit known as KAZUAR — painting a picture of one of the most technically advanced state-backed espionage operations active today.
Who Is Turla?
Turla, also tracked as SUMMIT, Secret Blizzard, and VENOMOUS BEAR, is attributed to Center 16 of Russia’s Federal Security Service (FSB) and has been active since at least 2004. The group has consistently focused on Western ministries of foreign affairs, defense organizations, and Ukrainian military entities, reflecting direct alignment with Russian state intelligence interests.
The group’s targets in the STOCKSTAY campaign span multiple countries including Ukraine, Italy, the Netherlands, Poland, and Germany — but Ukraine has been the primary focus, with evidence of targeting Ukrainian government institutions, military personnel, and defense-adjacent organizations.
How STOCKSTAY Works
STOCKSTAY was originally disguised as a stock market data viewing tool, with fake file names and configuration data designed to blend in with everyday software. By 2025, updated variants were found posing as PDF viewers and calculator utilities, demonstrating the group’s continuous adaptation to avoid detection.
The malware runs through three coordinated components:
- STOCKMARKET — orchestrates operations and manages the overall infection chain
- STOCKBROKER — handles network communication via a secure WebSocket connection, making traffic analysis difficult
- STOCKTRADER — executes commands on infected machines, including file collection, registry modifications, and screen capture
One of STOCKSTAY’s most revealing behavioral traits is its operational window: the malware runs only on weekdays between 9 AM and 6 PM local time, deliberately mimicking normal business hours to blend into legitimate network traffic and reduce the risk of detection by security analysts reviewing anomalous off-hours activity.
Compromised Ukrainian Infrastructure Used for Delivery
Turla’s use of compromised Ukrainian infrastructure is one of the most calculated aspects of these operations. The group staged payloads on a website belonging to the State Regulatory Service of Ukraine and on a WordPress server hosted within the country. By routing deliveries through trusted local sources, Turla bypasses security controls that would flag foreign infrastructure.
Initial access relied on phishing with malicious Remote Desktop Protocol (RDP) files. In early 2025, victims received emails posing as a defense training academy. Opening the RDP attachment connected victims to actor-controlled infrastructure, after which Turla deployed the STOCKSTAY.MARKETMAKER downloader, which retrieved the full STOCKSTAY suite from the compromised server.
A later wave in mid-2025 used a compromised diplomatic education platform to lure victims under the guise of accessing an online training portal. Following a November 2025 phishing wave targeting approximately 20 Ukraine-based individuals, GTIG confirmed affected Google account holders were notified via Government Backed Attack Warning notifications.
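The access chain above starts with an .rdp attachment that points the victim's Remote Desktop client at actor-controlled infrastructure. The following is an added example, not code from GTIG or from the article, of how a mail gateway or analyst could triage such attachments: it parses the plain-text "key:type:value" format of .rdp files and flags a connection target outside an allowlist, resource redirection settings, and RemoteApp mode. The allowlisted host, the sample files, and the placeholder target hostname are constructed for the example; the setting names are the standard mstsc keys.

```python
# Added example (not GTIG or article code): triage of .rdp e-mail attachments.
# .rdp files are plain text, one "key:type:value" setting per line.
from typing import Dict, List

# Constructed: hosts the organisation actually publishes RDP endpoints on.
ALLOWED_RDP_HOSTS = {"rdp.corp.example"}

# Standard mstsc flags that, when set to 1, expose local resources to the remote host.
RISKY_FLAGS = ("redirectclipboard", "redirectprinters", "redirectsmartcards", "redirectcomports")


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse key:type:value lines into {key: value}; malformed lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3:
            key, _type, value = parts
            settings[key.strip().lower()] = value.strip()
    return settings


def audit_rdp(text: str) -> List[str]:
    """Return the reasons an .rdp attachment should be held for review (empty = none)."""
    s = parse_rdp(text)
    reasons: List[str] = []
    target = s.get("full address", "")
    host = target.split(":")[0].lower()  # strip an optional :port suffix
    if not host:
        reasons.append("no full address")
    elif host not in ALLOWED_RDP_HOSTS:
        reasons.append(f"connects to non-allowlisted host {host}")
    # drivestoredirect:s:* (or any drive list) maps local drives into the remote session
    if s.get("drivestoredirect", ""):
        reasons.append(f"drivestoredirect enabled ({s['drivestoredirect']})")
    for key in RISKY_FLAGS:
        if s.get(key) == "1":
            reasons.append(f"{key} enabled")
    if s.get("remoteapplicationmode") == "1":
        reasons.append("RemoteApp mode (a remote program is launched on connect)")
    return reasons


# Constructed samples: a lure-style file and a legitimate internal one.
SAMPLE_PHISH_RDP = """\
full address:s:training-portal-placeholder.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
"""
SAMPLE_LEGIT_RDP = """\
full address:s:rdp.corp.example
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH_RDP), ("legit", SAMPLE_LEGIT_RDP)):
        print(name, audit_rdp(sample) or "clean")
```

An allowlist on `full address` is the decisive check; the redirection and RemoteApp flags are what turn a stray connection into data exposure or code execution, so they are reported separately to help an analyst prioritise.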
Connection to KAZUAR and Shared Development
A consistent theme in the GTIG investigation is how closely STOCKSTAY mirrors KAZUAR, Turla’s longer-running espionage toolkit. Both use multi-component architectures, environmental keying to protect configurations, and compromised WordPress sites during operations.
In April 2025, STOCKSTAY adopted a new string obfuscation method based on a pseudo-random algorithm called Squirrel3, originally presented at a game development conference in 2017. GTIG tracks this as K1MORPHER. By June 2025, the same obfuscation code had appeared in KAZUAR samples — strengthening the assessment that both malware families share a common development environment. GTIG assesses with moderate confidence that both tools are likely developed by a shared team working in parallel.
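Squirrel3 is a public noise function (a deterministic 32-bit value per position and seed), which is why its reuse across two malware families is a useful development-overlap marker. The block below is an added example, not GTIG or Turla code: a reference implementation of Squirrel3 with the constants as published in the 2017 GDC talk, plus a helper that looks for those constants in a byte buffer so an analyst comparing a decompiled K1MORPHER routine against the original algorithm has something to diff against. The assumption that a K1MORPHER-style implementation keeps the published constants is the author's, not the article's; a variant may change them, so a constant hit is a lead for manual review, not an attribution.

```python
# Added example (not GTIG or Turla code): Squirrel3 reference implementation and
# a constant scan. Constants are the published Squirrel3 values; whether a given
# K1MORPHER sample keeps them is an assumption to be checked against the sample.
import struct
from typing import List

MASK32 = 0xFFFFFFFF
BIT_NOISE1 = 0xB5297A4D
BIT_NOISE2 = 0x68E31DA4
BIT_NOISE3 = 0x1B56C4E9


def squirrel3(position: int, seed: int = 0) -> int:
    """Squirrel3 1-D noise: a deterministic 32-bit value for (position, seed).

    Every step is invertible on 32-bit integers (odd multipliers, xorshifts,
    additions), so distinct positions always yield distinct outputs for a seed.
    """
    m = (position * BIT_NOISE1) & MASK32
    m = (m + seed) & MASK32
    m ^= m >> 8
    m = (m + BIT_NOISE2) & MASK32
    m ^= (m << 8) & MASK32
    m = (m * BIT_NOISE3) & MASK32
    m ^= m >> 8
    return m


def find_squirrel3_constants(blob: bytes) -> List[str]:
    """Names of the published Squirrel3 constants found (little-endian) in blob."""
    found: List[str] = []
    for name, value in (("BIT_NOISE1", BIT_NOISE1),
                        ("BIT_NOISE2", BIT_NOISE2),
                        ("BIT_NOISE3", BIT_NOISE3)):
        if struct.pack("<I", value) in blob:
            found.append(name)
    return found


# Constructed sample buffer: filler bytes around the three constants.
SAMPLE_BLOB = (b"\x00" * 16
               + struct.pack("<III", BIT_NOISE1, BIT_NOISE2, BIT_NOISE3)
               + b"\xff" * 16)

if __name__ == "__main__":
    print([hex(squirrel3(i, seed=42)) for i in range(4)])
    print(find_squirrel3_constants(SAMPLE_BLOB))
```

Because each step of the function is a bijection on 32-bit values, a decompiled routine that differs only in the constants or in the shift amounts is still recognisably Squirrel3-derived; that structural match, rather than the exact constants, is what GTIG's observation of the same code in KAZUAR rests on.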
Key Indicators of Compromise
Security teams should check their environments against the following indicators:
- WebSocket C2: wss://wool-basalt-clock.glitch.me/ws (January 2024 Ukraine operation)
- WebSocket C2: wss://weatherdataai.theworkpc.com/ws (April 2025 Ukraine operation)
- WebSocket C2: wss://canal1zac1a.onrender.com/ws (August 2025 operation)
- WebSocket C2: wss://driverx86-adobe.onrender.com/ws (November 2025 phishing wave)
- Download URL: https://www.drs.gov.ua/wp-content/themes/twentytwentyfive/docs.zip (compromised Ukrainian government site)
- File names: MicrosoftUpdateOneDrive.exe, styles.dat.exe, DiplomacyEduAI.msi, StockMarketNews.exe
- GitHub accounts: Roberto1983-ai, ChikenFresh (suspected threat actor accounts)
Defense Recommendations
Organizations in the government, defense, and foreign affairs sectors — particularly those operating in or with connections to Ukraine — should treat this campaign as a high-priority threat. Security teams are urged to check their environments against the full indicators of compromise documented by GTIG, monitor for anomalous WebSocket connections to Render-hosted endpoints, and audit for malicious RDP files arriving via email. Endpoint detection should be configured to flag driver loading events associated with .NET processes exhibiting file collection and registry modification behaviors consistent with STOCKSTAY’s documented tradecraft.
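As an added example that is not GTIG tooling or article code, the following script applies the points above to egress logs: it matches the WebSocket C2 hosts and the download URL from the indicator list, flags wss:// connections to other Render- or Glitch-hosted endpoints as a weaker signal, and records whether each source's flagged connections fall only inside the weekday 9 AM to 6 PM window STOCKSTAY restricts itself to. The "ISO-timestamp source-ip url" line format, the sample log lines, the placeholder Render hostname and the assumption that timestamps are already in the host's local time are all constructed for the example.

```python
# Added example (not GTIG tooling): IOC matching plus business-hours profiling
# over constructed egress log lines of the form "ISO-timestamp source-ip url".
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Indicators from the GTIG list reproduced in this article.
KNOWN_C2_HOSTS = {
    "wool-basalt-clock.glitch.me",
    "weatherdataai.theworkpc.com",
    "canal1zac1a.onrender.com",
    "driverx86-adobe.onrender.com",
}
KNOWN_DOWNLOAD_URLS = {
    "https://www.drs.gov.ua/wp-content/themes/twentytwentyfive/docs.zip",
}
# Hosting platforms that appear in the C2 list; wss:// to other subdomains is a weaker signal.
WATCHED_HOSTING_SUFFIXES = (".onrender.com", ".glitch.me")

Hit = Tuple[datetime, str, str]


def classify_url(url: str) -> str:
    """Return 'known_ioc', 'suspicious_ws', or '' for a URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in KNOWN_C2_HOSTS or url in KNOWN_DOWNLOAD_URLS:
        return "known_ioc"
    if parsed.scheme == "wss" and host.endswith(WATCHED_HOSTING_SUFFIXES):
        return "suspicious_ws"
    return ""


def in_business_window(ts: datetime) -> bool:
    """Monday-Friday, 09:00 <= time < 18:00 local: the window STOCKSTAY keeps."""
    return ts.weekday() < 5 and 9 <= ts.hour < 18


def analyze(lines: List[str]) -> Dict[str, object]:
    known: List[Hit] = []
    suspicious: List[Hit] = []
    windows: Dict[str, List[bool]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash the sweep
        ts = datetime.fromisoformat(parts[0])
        src, url = parts[1], parts[2]
        kind = classify_url(url)
        if not kind:
            continue
        (known if kind == "known_ioc" else suspicious).append((ts, src, url))
        windows.setdefault(src, []).append(in_business_window(ts))
    return {
        "known_ioc_hits": known,
        "suspicious_ws_hits": suspicious,
        # True when every flagged connection from a source sat in business hours;
        # meaningful only once a source has more than a handful of hits.
        "business_hours_only": {src: all(flags) for src, flags in windows.items()},
    }


# Constructed sample: 2025-11-05/06 are a Wednesday and Thursday, 2025-11-08 a Saturday.
SAMPLE_LOG_LINES = [
    "2025-11-05T10:15:00 10.0.0.12 wss://driverx86-adobe.onrender.com/ws",
    "2025-11-05T11:00:00 10.0.0.12 https://www.drs.gov.ua/wp-content/themes/twentytwentyfive/docs.zip",
    "2025-11-05T14:30:00 10.0.0.12 wss://driverx86-adobe.onrender.com/ws",
    "2025-11-06T17:45:00 10.0.0.12 wss://driverx86-adobe.onrender.com/ws",
    "2025-11-06T09:05:00 10.0.0.25 wss://unrelated-app-placeholder.onrender.com/ws",
    "2025-11-08T02:00:00 10.0.0.30 wss://canal1zac1a.onrender.com/ws",
    "2025-11-08T02:00:00 10.0.0.30 https://www.example.com/",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG_LINES)
    for key, value in result.items():
        print(key, value)
```

Known indicators are high-confidence regardless of time of day, so the Saturday hit from 10.0.0.30 is still reported; the business-hours profile is there to rank the weaker Render/Glitch signal, since a host whose only outbound WebSocket traffic to such endpoints stops at 6 PM on weekdays matches the malware's documented schedule rather than a developer's tooling.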