Google Threat Intelligence Group (GTIG) published an analysis of STOCKSTAY, a .NET backdoor used by the Russian cyber espionage group Turla since December 2022. The backdoor targets Ukrainian government and military organizations and shares code similarities with KAZUAR. It operates through a multi-component architecture: STOCKSTAY.STOCKBROKER handles secure communication, STOCKSTAY.STOCKMARKET handles task orchestration, and STOCKSTAY.STOCKTRADER handles command execution.
The malware disguises itself as benign applications and has consistently targeted Ukrainian entities, while recent operations also show European targets, with delivery via phishing emails and compromised infrastructure. The analysis covers the backdoor's architecture, command functionality, operational behavior, and a timeline of significant developments in STOCKSTAY's deployment and evolution, including its attribution to Turla.