Russia-linked APT Turla, also known as Krypton or Snake, is targeting Ukrainian government and military organizations with a new backdoor named StockStay. This .NET-based backdoor, under development since 2022, has been used for espionage activities, particularly against Ukrainian and Italian interests. StockStay masquerades as legitimate applications and uses secure WebSocket communication for command and control.
It features components such as a downloader and a tunneler for remote interactions and executes various commands including file manipulation and system information gathering. The group has also leveraged phishing tactics using compromised academic accounts to deploy this malware.