securityonline.info 6/30/2026, 8:21:32 AM · external

STOCKSTAY malware hits Ukraine, Italy via phishing RDP exploits

CyberSIXT Evidence Panel
Primary Source: cloud.google.com
CISA KEV: Listed in KEV
Patch: Available

The identified malware, STOCKSTAY, is linked to the Russian threat actor Turla and primarily targets Ukrainian military and Italian diplomatic entities. It is delivered through spear-phishing emails carrying malicious RDP files and WinRAR exploits (CVE-2025-8088). STOCKSTAY has a multi-component architecture, and its advanced capabilities include file theft and secure communication via WebSockets.

The malware establishes persistence through a downloader called MARKETMAKER and manages command-and-control operations disguised as legitimate applications, like PDF viewers. It utilizes an encrypted channel to exfiltrate data, offering extensive administrative functions to attackers. Organizations are advised to patch vulnerabilities, monitor network traffic for unusual WebSocket connections, restrict RDP access, and implement strong security measures against phishing attacks.


Article by CyberSIXT
