
On 26 June 2026, Google revealed that the Russia‑linked Turla APT has been using a new .NET backdoor called StockStay against Ukrainian government and military targets.
According to SecurityWeek, StockStay has been under development since 2022 and masquerades as legitimate software while communicating over encrypted WebSockets for command and control. The malware bundles a downloader and a tunneler that enable file manipulation, system information gathering and the execution of arbitrary commands. No CVE has been assigned to this capability.
The Hacker News outlet notes that the backdoor is typically delivered through phishing messages that leverage compromised academic accounts, a tactic Turla has reused in earlier operations. Once installed, StockStay creates a covert channel that blends with ordinary web traffic, complicating detection efforts.
This activity fits Turla’s broader espionage focus on Eastern Europe, with recent intrusions also affecting Italian organisations. Analysts say the tool shows the group’s willingness to invest in bespoke malware even when public frameworks are readily available.
Defenders should examine endpoint logs for unsigned .NET assemblies and watch for outbound WebSocket connections to unknown destinations. Blocking the indicators shared in the Google advisory and strengthening phishing awareness, particularly around academic‑themed lures, can lower the chance of a successful initial compromise.
Furthermore, applying network segmentation and enforcing strict application control reduces the lateral movement possible with tools like StockStay, while regular patching and vigilant logging of PowerShell and CMD activity assist in spotting any post‑exploitation behaviour.
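
The WebSocket monitoring advice above, as an added example that is not taken from the Google advisory or the cited reports: a Python script that scans proxy logs for completed WebSocket handshakes (HTTP 101 with `Upgrade: websocket`) to hosts outside an approved list, grouped by client and destination. The tab-separated log format, the hostnames and the allowlist are constructed assumptions.

```python
# Added example: flag WebSocket upgrades to destinations outside an allowlist.
# The log format, hostnames and allowlist below are constructed for illustration.
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed proxy log fields (tab-separated): time, client, method, url, status, upgrade header
SAMPLE_LOG = """\
2026-06-27T08:01:12Z\tws-014\tGET\thttps://chat.corp.example/socket\t101\twebsocket
2026-06-27T08:03:40Z\tws-022\tGET\thttps://updates.unknown-host.test/sync\t101\tWebSocket
2026-06-27T08:03:41Z\tws-022\tGET\thttps://www.corp.example/index.html\t200\t-
2026-06-27T08:09:05Z\tws-022\tGET\thttps://updates.unknown-host.test/sync\t101\twebsocket
2026-06-27T08:15:30Z\tws-031\tGET\thttps://notcorp.example/feed\t101\twebsocket
"""

ALLOWED_SUFFIXES = {"corp.example"}  # hypothetical approved WebSocket destinations


def is_allowed(host, allowed=ALLOWED_SUFFIXES):
    # Match on label boundaries so "notcorp.example" does not pass as "corp.example"
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowed)


def is_ws_upgrade(status, upgrade):
    # A completed WebSocket handshake is HTTP 101 with "Upgrade: websocket" (RFC 6455)
    return status == "101" and upgrade.strip().lower() == "websocket"


def unknown_websockets(log_text, allowed=ALLOWED_SUFFIXES):
    # Returns {(client, host): {"count": n, "first_seen": timestamp}}
    hits = defaultdict(lambda: {"count": 0, "first_seen": None})
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed lines
        ts, client, _method, url, status, upgrade = fields
        host = urlsplit(url).hostname
        if not host or not is_ws_upgrade(status, upgrade) or is_allowed(host, allowed):
            continue
        entry = hits[(client, host)]
        entry["count"] += 1
        entry["first_seen"] = entry["first_seen"] or ts
    return dict(hits)


if __name__ == "__main__":
    for (client, host), info in sorted(unknown_websockets(SAMPLE_LOG).items()):
        print(f"{client} -> {host}: {info['count']} upgrade(s), first seen {info['first_seen']}")
```

Repeated upgrades from one client to the same unlisted host are worth triaging first; the allowlist needs to be seeded from the organisation's own known WebSocket services before the output is useful.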