
Turla Deploys STOCKSTAY .NET Backdoor Against Ukrainian Government Targets
Turla refined its Kazuar-derived STOCKSTAY implant for Ukrainian targets using modular .NET components and obfuscated WebSocket infrastructure. Evidence from GitHub artifacts and lure themes shows sustained espionage tradecraft rather than novel innovation. Patterns suggest ongoing reuse against European government entities.
The STOCKSTAY.MARKETMAKER downloader installs STOCKSTAY.STOCKBROKER for proxy-aware tunneling, STOCKSTAY.STOCKTRADER for file, registry, and screen capture commands, and STOCKSTAY.STOCKMARKET as the orchestrator that manages configuration and execution schedules. The architecture deliberately mimics stock viewers or PDF tools before shifting to academic and diplomatic lures. The public GitHub repository ChikenFresh/google-ai-labs-it hosted a Python WebSocket controller that logs victim IPs without decrypting traffic, matching Turla's multi-hop Kazuar patterns observed since 2017.
Procurement records and prior Turla campaigns show a consistent focus on Ukrainian defense ministries and NATO-adjacent foreign policy entities in Italy, Poland, and Germany. Code reuse and a 2022 development timeline indicate iterative refinement rather than novel capability, with phishing emails containing malicious RDP configurations as the observed delivery vector in early 2025 incidents.
The GitHub exposure and lack of server-side decryption reveal operational tradecraft prioritizing C2 location obfuscation over platform resilience. This aligns with documented supply-chain and cloud-adjacent targeting by Russian actors, where initial access is traded or reused across multiple implants.
Defenders should prioritize monitoring for websocket-sharp binaries and WM_COPYDATA IPC patterns on air-gapped adjacent systems. Expect continued adaptation of STOCKSTAY modules against diplomatic entities through at least mid-2026.
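One way to act on the websocket-sharp recommendation above, as an added example that is not from the cited reports or the original page: a heuristic triage scan that flags managed (.NET) PE files carrying the WebSocketSharp namespace string, including copies not named websocket-sharp.dll. The verdict labels, size limit and sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import os
from typing import List, Optional, Tuple

CLI_METADATA_SIG = b"BSJB"             # signature at the start of .NET (CLI) metadata
WSS_NAMESPACE = b"WebSocketSharp\x00"  # websocket-sharp's namespace as a NUL-terminated
                                       # entry in the metadata #Strings heap
WSS_FILENAME = "websocket-sharp.dll"   # the library's stock file name
MAX_BYTES = 32 * 1024 * 1024           # assumed triage limit: skip larger files


def classify(name: str, data: bytes) -> Optional[str]:
    """Return a triage verdict for one file, or None if it is not of interest."""
    if not data.startswith(b"MZ") or CLI_METADATA_SIG not in data:
        return None                     # not a managed PE
    if WSS_NAMESPACE not in data:
        return None                     # no websocket-sharp namespace string
    if name.lower() == WSS_FILENAME:
        return "stock-library"          # library under its own name: check what loads it
    return "renamed-or-referencing"     # renamed copy, merged copy, or a caller of it


def scan(root: str) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, verdict, sha256) for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                # unreadable or locked file: skip, do not abort
            verdict = classify(name, data)
            if verdict:
                hits.append((path, verdict, hashlib.sha256(data).hexdigest()))
    return sorted(hits)


# Constructed byte strings standing in for real binaries (not real library or implant bytes).
SAMPLE_MANAGED_WSS = b"MZ" + b"\x00" * 64 + b"BSJB" + b"\x00<Module>\x00WebSocketSharp\x00"
SAMPLE_MANAGED_OTHER = b"MZ" + b"\x00" * 64 + b"BSJB" + b"\x00<Module>\x00System.IO\x00"
SAMPLE_NATIVE = b"MZ" + b"\x00" * 64 + b"WebSocketSharp\x00"

if __name__ == "__main__":
    import sys
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit, sep="\t")
```

Namespace renaming by an obfuscator defeats this string match, so a clean result is inconclusive; WM_COPYDATA use needs runtime API telemetry and is not covered here.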
GTIG: STOCKSTAY variants observed in 3+ additional EU diplomatic networks by December 2026
Sources
- [1] Primary Source: https://blog.google/threat-analysis-group/turla-stockstay-analysis-2026
- [2] Supporting Source: https://www.mandiant.com/resources/turla-kazuar-evolution