
Turla deploys STOCKSTAY .NET backdoor against Ukrainian targets

Tags: malware, open · Jun 25, 2026

On June 26, 2026, Google disclosed details of a new .NET backdoor named STOCKSTAY that the Turla espionage group has been using against Ukrainian targets. The revelation came from a blog post on The Hacker News, which described how the malware enhances Turla’s ability to conduct intelligence gathering. The disclosure highlights the continued threat posed by state-sponsored actors in the region.

STOCKSTAY is a .NET-based backdoor first observed in December 2022 and consists of three distinct modules. The STOCKSTAY.STOCKBROKER component handles encrypted communication with command and control servers using a custom protocol. STOCKSTAY.STOCKMARKET manages task scheduling and receives instructions from the operators. STOCKSTAY.STOCKTRADER executes the received commands on the compromised host, allowing file system manipulation, credential harvesting and arbitrary code execution. No CVE identifier has been assigned to this malware family. Google Threat Intelligence Group analysis provides a deep dive into its architecture.

Infection typically begins with spear-phishing emails that contain malicious attachments or links designed to drop a loader onto the victim’s machine. The loader then unpacks and installs the three STOCKSTAY modules while masquerading as legitimate software to bypass endpoint defences. The malware employs custom encryption for its command and control traffic, making network-based detection more challenging. Persistence is achieved through registry modifications and scheduled tasks that survive reboots.

Turla has a long history of targeting governmental and diplomatic entities across Eastern Europe, and the STOCKSTAY campaign shows a clear focus on Ukrainian government and military organisations. Recent activity also indicates occasional spillover into European NATO members, suggesting a broader intelligence collection effort. By adding a .NET-based backdoor to its toolkit, Turla gains flexibility and the ability to evade defences that are tuned to its older malware families such as Kazuar and Rocket Kitten.

Google’s Threat Intelligence Group observed active use of STOCKSTAY throughout the first half of 2026, with multiple victims reporting credential theft and exfiltration of sensitive documents. The timing of these intrusions aligns with heightened regional tensions and demonstrates Turla’s commitment to refining its capabilities. The group’s operational security includes frequent changes to command and control domains and the use of compromised legitimate websites for hosting payloads.

Defenders should enable detailed logging for .NET process creation and monitor for unusual child processes spawned from common Office applications. Blocking macros in documents and restricting the execution of unsigned binaries reduces the likelihood of successful initial infection. Deploying network signatures that match the specific HTTP user‑agent strings used by STOCKSTAY.STOCKBROKER can help identify command and control traffic. Sharing indicators of compromise with trusted peers and keeping threat intelligence feeds up to date strengthens collective defence against this persistent threat.
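Two of the hunting recommendations above (Office applications spawning unusual or unsigned child processes, and matching command and control traffic by user-agent) lend themselves to simple detection logic. The following is an added example written for this briefing, not code from Google, the Turla analysis or the original page. The log format, field names (`parent_image`, `image`, `signed`, `user_agent`) and the sample events are constructed, and because the page does not publish STOCKSTAY.STOCKBROKER's actual user-agent strings, the network pattern is an obviously labelled placeholder that a real deployment would replace with a feed-supplied signature.

```python
"""Hunt for Office-spawned suspicious children and known C2 user-agents.

Added example for the STOCKSTAY briefing; not Google's or the page's code.
Log format, field names, hosts and indicators are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office applications that rarely have a legitimate reason to spawn script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes that are suspicious when launched from an Office parent.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
}
# PLACEHOLDER: the page gives no real STOCKBROKER user-agent; a live deployment
# would load these patterns from a threat-intelligence feed instead.
C2_UA_PATTERNS = [re.compile(r"^PLACEHOLDER-UA-STOCKBROKER/\d+\.\d+$")]


@dataclass
class Finding:
    kind: str
    host: str
    detail: str


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key2="quoted value"' event line."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: (quoted if quoted else bare) for key, quoted, bare in pairs}


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_office_children(events: List[Dict[str, str]]) -> List[Finding]:
    """Flag Office parents spawning script hosts/shells or unsigned binaries."""
    findings = []
    for ev in events:
        parent = _basename(ev.get("parent_image", ""))
        child = _basename(ev.get("image", ""))
        unsigned = ev.get("signed", "true").lower() == "false"
        if parent in OFFICE_PARENTS and (child in SUSPICIOUS_CHILDREN or unsigned):
            reason = "unsigned child" if unsigned else "script host/shell child"
            findings.append(Finding(
                "office_child_process", ev.get("host", "?"),
                f"{parent} -> {child} ({reason}) cmd={ev.get('cmdline', '')!r}"))
    return findings


def detect_c2_user_agents(events: List[Dict[str, str]]) -> List[Finding]:
    """Flag HTTP events whose user-agent matches a known C2 signature."""
    findings = []
    for ev in events:
        ua = ev.get("user_agent", "")
        if any(p.match(ua) for p in C2_UA_PATTERNS):
            findings.append(Finding(
                "c2_user_agent", ev.get("host", "?"),
                f"ua={ua!r} dst={ev.get('dst', '')}"))
    return findings


# Constructed sample telemetry (Sysmon-like process creation and HTTP proxy events).
PROCESS_LOG = r"""
host=ws01 parent_image="C:\Program Files\Microsoft Office\WINWORD.EXE" image="C:\Windows\System32\cmd.exe" cmdline="cmd /c start loader" signed=true
host=ws01 parent_image="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\WINWORD.EXE" cmdline="winword report.docx" signed=true
host=ws02 parent_image="C:\Program Files\Microsoft Office\EXCEL.EXE" image="C:\Users\Public\update.exe" cmdline="update.exe" signed=false
host=ws03 parent_image="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\wscript.exe" cmdline="wscript logon.vbs" signed=true
""".strip().splitlines()

HTTP_LOG = r"""
host=ws01 dst=203.0.113.10 user_agent="PLACEHOLDER-UA-STOCKBROKER/1.2"
host=ws02 dst=198.51.100.7 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
""".strip().splitlines()


def run_sample() -> List[Finding]:
    """Run both detections over the constructed sample logs."""
    procs = [parse_kv_line(line) for line in PROCESS_LOG]
    https = [parse_kv_line(line) for line in HTTP_LOG]
    return detect_office_children(procs) + detect_c2_user_agents(https)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.kind}] {f.host}: {f.detail}")
```

Against the constructed logs the rules raise three findings: the Word-to-cmd.exe spawn and the unsigned binary launched from Excel on the process side, and the single placeholder user-agent hit on the network side; the Explorer-launched Word instance and the svchost-spawned script host are left alone, which is the behaviour a tuned rule needs to avoid alert fatigue.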

Intelligence briefing updated Jun 26, 2026
