Google Publishes Analysis of Turla's New STOCKSTAY Backdoor in Ukraine Espionage

Another Russia-linked backdoor lands on defenders' desks for review. Google Threat Intelligence Group and Mandiant have detailed STOCKSTAY, a .NET implant Turla has deployed against Ukrainian government and military networks since at least 2022.


Key Takeaways

  • Google Threat Intelligence Group (GTIG) and Mandiant published an analysis of STOCKSTAY, a previously undocumented multi-component .NET backdoor that Russia-linked Turla has continually developed and deployed since at least December 2022, primarily against government and military organizations in Ukraine.
  • STOCKSTAY shares significant code and functional overlap with Kazuar, an established Turla implant, and is delivered through compromised infrastructure and phishing — including malicious RDP-configuration file attachments and, in a late-2025 wave, RAR archives exploiting the WinRAR flaw CVE-2025-8088.
  • For defenders supporting Ukrainian-affiliated or allied-government organizations, the disclosure is a detection-engineering prompt: review the published indicators, harden against the documented delivery surfaces, and treat the Turla nexus as part of the broader Russia-linked espionage picture flagged by Five Eyes agencies.


RESTON, VIRGINIA — Google Threat Intelligence Group (GTIG) and Mandiant on June 27, 2026 published an analysis of STOCKSTAY, a previously undocumented .NET backdoor attributed to the Russia-linked espionage group Turla. According to the researchers, Turla has continually developed and deployed the implant since at least December 2022, using it primarily against government and military organizations in Ukraine, alongside entities with an interest in Italian foreign policy. The write-up is vendor research aimed at defenders: a documented look at a working tool, the way it is delivered, and the indicators teams can use to look for it.

The disclosure is not a breach story so much as a detection-engineering one. STOCKSTAY shares significant code and functional overlap with Kazuar, a backdoor long associated with Turla, and arrives through compromised infrastructure and phishing rather than a single headline vulnerability. That makes it the latest in a steady run of Russia-linked tooling that lands on defenders' desks for review — close kin to the Kazuar peer-to-peer botnet GTIG described earlier in 2026 — and a reminder that the slow, methodical end of state espionage rarely announces itself loudly.

At a Glance
  • Disclosed by: Google Threat Intelligence Group (GTIG) and Mandiant
  • Backdoor: STOCKSTAY — multi-component .NET implant
  • Attributed to: Turla (Secret Blizzard / Snake / Venomous Bear; Russia FSB Center 16)
  • Nexus: Russia, FSB Center 16
  • Target region: Ukraine (government and military); Italian foreign-policy interests
  • Defender action: Review published indicators; harden RDP-file and archive delivery surfaces
  • Status: Vendor research published; in continued use since at least December 2022

What Mandiant Disclosed

In its analysis, GTIG described STOCKSTAY as a previously undocumented, multi-component backdoor written in .NET that Turla has continually developed and deployed since at least December 2022. The researchers said the implant has been used primarily against government and military organizations in Ukraine, with additional targeting of entities connected to Italian foreign policy, and that early versions had been observed in operations touching entities in Italy, the Netherlands, Poland, and Germany. Originally disguised as a stock-market application — the lineage behind its tracking name — the malware has more recently masqueraded as legitimate software such as PDF readers and calculator programs.

Technically, GTIG reported that STOCKSTAY separates its functionality across distinct .NET components at runtime, naming a network tunneler (STOCKBROKER), an orchestrator and configuration manager (STOCKMARKET), and a backdoor and task executor (STOCKTRADER). The implant uses the open-source websocket-sharp library to establish a secure WebSocket connection with its command-and-control (C2) infrastructure, and the researchers noted the use of RSA encryption and environmental keying to constrain where and when the code will run. That modular structure, GTIG observed, somewhat resembles Turla's multi-hop Kazuar C2 design.

The overlap with Kazuar is a central thread of the analysis. According to GTIG, STOCKSTAY shares significant code and functional commonalities with Kazuar, a toolkit previously attributed to Turla and in use by the group since 2017. Those similarities, the researchers wrote, raise the possibility that both implants were developed and maintained in part by the same developer or team. Mandiant also said it identified evidence of STOCKSTAY during its review of an incident response tied to a late-2023 compromise of a Ukrainian organization, in which Turla deployed a range of tools — including Kazuar — via malicious group policy installation from a compromised domain controller.

Defender Posture for Ukrainian-Affiliated Organizations

For organizations supporting Ukrainian government or military missions — or allied entities in the foreign-policy space GTIG describes — the practical question is how STOCKSTAY reaches a network in the first place. The researchers reported two recurring delivery patterns. In at least one instance observed in early 2025, Turla used a phishing email carrying a malicious Remote Desktop Protocol (RDP) configuration file attachment that, once opened, set up a connection between the victim's device and actor-controlled infrastructure, through which additional payloads including STOCKSTAY could be staged. That same RDP-file lure has appeared in other Russia-linked campaigns, including the Signal phishing attacks Germany attributed to Russia against members of parliament.

The second pattern is archive-based. GTIG reported that as recently as November 2025, an email phishing wave targeting Ukraine delivered the implant via RAR archives that exploited CVE-2025-8088, a WinRAR vulnerability that Russia-aligned groups have used in Ukraine-focused operations. For defenders, those two surfaces translate into concrete hygiene: treat inbound .rdp configuration files as high-risk attachments worth blocking or quarantining at the mail gateway, confirm that archive-handling software is patched against the WinRAR flaw, and review whether outbound RDP and unexpected WebSocket connections to unfamiliar destinations would generate a reviewable signal.

A distinctive feature of the Ukrainian operations, GTIG noted, is Turla's use of compromised infrastructure — including Ukrainian government services and an IT company's server — to stage and deliver the payload. That choice lets the group blend STOCKSTAY traffic into legitimate local network flows, making detection considerably harder and underscoring why purely reputation-based blocking is insufficient against an actor that operates from trusted-looking hosts. Defenders are better served by behavior-focused detection of the implant's activity than by relying on the staging origin alone.

Detection-Engineering Review per the Published Indicators

GTIG and Mandiant published the analysis as defender-facing research, which makes the natural next step a detection-engineering review rather than an incident scramble. The implant's documented characteristics map onto a handful of hunt and detection opportunities that teams can evaluate against their own telemetry. Because STOCKSTAY communicates over a secure WebSocket connection built on the websocket-sharp library, network and endpoint teams can review whether outbound WebSocket sessions from user endpoints to uncommon external destinations are visible and reviewable, particularly from hosts that have no business initiating them.

The multi-component .NET structure offers further leverage. An implant that splits a tunneler, an orchestrator, and a task executor into separate .NET assemblies — and that has masqueraded as PDF readers and calculator utilities — is a candidate for review of process lineage and of unsigned or oddly named .NET binaries executing from user-writable locations. Mandiant's note that Turla pushed tooling through malicious group policy from a compromised domain controller in the 2023 case is its own detection cue: monitoring for unexpected GPO changes and for software installation originating from domain controllers is a control that pays off well beyond this single implant.

None of this is a substitute for the specific indicators of compromise GTIG published, which defenders should ingest directly from the primary research and match against historical and live telemetry. The point of the engineering review is durability: build detections around the behaviors STOCKSTAY exhibits — anomalous WebSocket C2, RDP-file-initiated connections, archive-delivered payloads, and GPO-driven deployment — so that coverage survives the inevitable next version of the toolkit rather than expiring with one hash.
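The WebSocket hunt described above, written out as an added example (not code from GTIG, Mandiant or the original article): it reads a constructed proxy log, measures how many workstations reach each destination, and flags WebSocket upgrades from workstations to destinations that are neither reviewed (allowlist) nor common across the fleet. The log format, hostnames and thresholds are assumptions for illustration.

```python
"""Flag outbound WebSocket upgrades from user endpoints to uncommon destinations."""
import json
from collections import defaultdict

# Constructed sample log (JSON lines). Assumed fields: src (host), role,
# dst (server name) and upgrade (value of the HTTP Upgrade header, "" if none).
SAMPLE_LOG = """
{"src": "WS-0101", "role": "workstation", "dst": "meet.example.test", "upgrade": "websocket"}
{"src": "WS-0102", "role": "workstation", "dst": "meet.example.test", "upgrade": "websocket"}
{"src": "WS-0103", "role": "workstation", "dst": "meet.example.test", "upgrade": "websocket"}
{"src": "WS-0101", "role": "workstation", "dst": "chat.example.test", "upgrade": "websocket"}
{"src": "WS-0104", "role": "workstation", "dst": "cdn.example.test", "upgrade": ""}
{"src": "WS-0105", "role": "workstation", "dst": "files.partner-it.test", "upgrade": "websocket"}
{"src": "SRV-APP01", "role": "server", "dst": "monitor.example.test", "upgrade": "websocket"}
"""

ALLOWLIST = {"chat.example.test"}  # destinations the team has reviewed and approved
MIN_HOSTS = 3  # a destination reached by fewer workstations than this is "uncommon"


def parse_log(text):
    """Parse JSON-lines proxy records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def destination_prevalence(events):
    """Count distinct workstations that reached each destination over any protocol."""
    hosts = defaultdict(set)
    for event in events:
        if event["role"] == "workstation":
            hosts[event["dst"]].add(event["src"])
    return {dst: len(srcs) for dst, srcs in hosts.items()}


def flag_websocket_anomalies(events, allowlist=ALLOWLIST, min_hosts=MIN_HOSTS):
    """Return (src, dst, workstation_count) for WebSocket upgrades from workstations
    to destinations that are neither allowlisted nor common across the fleet."""
    prevalence = destination_prevalence(events)
    findings = []
    for event in events:
        if event["role"] != "workstation" or event["upgrade"].lower() != "websocket":
            continue  # servers may legitimately speak WebSocket; non-upgrades are out of scope
        seen_on = prevalence.get(event["dst"], 0)
        if event["dst"] in allowlist or seen_on >= min_hosts:
            continue  # reviewed destination, or broadly used (e.g. collaboration SaaS)
        findings.append((event["src"], event["dst"], seen_on))
    return findings


if __name__ == "__main__":
    for src, dst, count in flag_websocket_anomalies(parse_log(SAMPLE_LOG)):
        print(f"review: {src} opened WebSocket to {dst} (seen on {count} workstation(s))")
```

Tuning MIN_HOSTS and the allowlist against a baseline window is what keeps this from paging on every new SaaS rollout while still surfacing a single endpoint talking to an unfamiliar host.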

The Five-Eyes Context on Russia-Linked Activity

STOCKSTAY does not sit in isolation. Turla — also tracked as Secret Blizzard, Snake, and Venomous Bear, and attributed by Western governments to Center 16 of Russia's Federal Security Service (FSB) — is one of the longest-running state espionage operators on record, active since at least 2004. Its tooling is one strand of a Russia-linked threat picture that Five Eyes agencies and allied governments have repeatedly placed near the top of their assessments, alongside the AI-enabled influence and intrusion activity researchers have documented in Russia-aligned operations against Ukraine and the broader frontier-risk concerns set out in the recent Five Eyes statement on frontier AI and cybersecurity.

What distinguishes Turla within that landscape is patience. Where some Russia-aligned activity is loud and disruptive, Turla's documented pattern — quiet implants, code reuse across years, operation from compromised trusted infrastructure, and intelligence collection over destruction — is the methodical end of the spectrum. STOCKSTAY's continuity since 2022, and its overlap with a Kazuar lineage stretching back to 2017, are consistent with a group that invests in long-lived tooling and is content to remain on a network for the long term rather than to make a splash.

For defenders, the value of the Five Eyes framing is prioritization. An organization with any nexus to Ukraine's government, military, or foreign-policy partners — or to the allied states GTIG names — has a concrete reason to weight Turla-style espionage in its threat model, and to treat vendor research like this analysis as actionable intelligence rather than background reading. The recurring delivery surfaces and code lineages mean that hardening against one Turla implant tends to raise the cost of the next.

Open Questions

Several points remain in view as the analysis circulates. GTIG attributed STOCKSTAY to Turla on the strength of code and functional overlap with Kazuar and observed operational tradecraft, and noted that the commonalities raise the possibility of a shared developer or team — a hypothesis the researchers framed as a possibility rather than a settled fact. The full scope of victims is also necessarily partial: vendor visibility captures the intrusions a given team investigated, not the entire campaign, so the count of affected organizations across Ukraine, Italy, and the other named states should be read as a floor rather than a total.

What is well established is enough to act on. A Russia-linked espionage group is using a modular .NET backdoor with secure WebSocket C2, delivered through RDP-file phishing, WinRAR-exploiting archives, and compromised trusted infrastructure, against government and military targets in Ukraine and allied foreign-policy interests. For defenders, that is a clear, indicator-backed prompt: ingest the published indicators, close the documented delivery surfaces, monitor for the implant's distinctive behaviors, and place the activity within the wider Russia-linked picture that Five Eyes agencies continue to flag.

Sources

  • Primary: Google Cloud Blog / GTIG — The Latest Addition to Turla's Intelligence Gathering Apparatus
  • Reporting: The Hacker News — Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks
  • Reporting: The Record — Turla group adds more malware to Russia's espionage efforts against Ukraine
  • Background: MITRE ATT&CK — Turla (G0010)
  • Related: The CyberSignal — Kazuar Secret Blizzard Russian Nation-State Botnet
  • Related: The CyberSignal — Five Eyes Frontier AI Cybersecurity Statement