News Article · Jun 26, 2026 at 1:44 PM
Russian Turla APT Deploys StockStay Backdoor in Ukraine Espionage Campaign
Security #cyber espionage #Google Threat Intelligence #Cellebrite #Turla #StockStay #Russian APT #Ukraine #backdoor

Russian state-sponsored hacking group Turla has been using a new .NET backdoor called StockStay to spy on Ukrainian government and military organizations, with some activity also targeting European entities including a foreign affairs ministry.

Russian state-sponsored threat actor Turla has deployed a previously undocumented .NET backdoor called StockStay against Ukrainian government and military organizations, according to a new report from Google Threat Intelligence Group (GTIG). The group, also tracked as Krypton, Snake, and Venomous Bear, has been active since at least 2004 and was publicly attributed to Russia's Federal Security Service (FSB) by US and allied agencies in 2023.

GTIG reports that Turla has been developing StockStay since 2022, and the backdoor shows code and functionality overlap with Kazuar, a known Turla implant that has been in use since at least 2015. The backdoor initially masqueraded as a stock market data viewing tool, but recent iterations pose as PDF viewers and calculator utilities.

Technical Details and Infection Vectors

StockStay is a multi-component .NET backdoor that carries its command-and-control (C&C) traffic over a TLS-wrapped WebSocket connection (wss://), built on the open source websocket-sharp library, which lets the traffic blend in with ordinary HTTPS. Its components talk to each other over an inter-process communication (IPC) channel. The malware is split into the following modules:

  • StockStay.MarketMaker, a proxy-aware downloader that runs in the background and creates autorun entries so the core backdoor components survive reboots.
  • StockStay.StockBroker, a proxy-aware tunneler that provides the network channel the other components use.
  • StockStay.StockMarket, an orchestrator that reads its settings from an encrypted on-disk configuration file, so operators can retarget the implant without redeploying it.
  • StockStay.StockTrader, the backdoor proper, which supports file download and exfiltration, screen capture, task processing, registry modification, process execution, and system information harvesting.

Turla has delivered StockStay through phishing emails sent from a compromised Ukrainian university email account and from a diplomatic-themed education platform. The lures used filenames containing academic institution names, phishing domains with 'education' and 'diplo' in their names, and MSI installers named 'DiplomacyEduAI' that drop the backdoor. In one November 2025 attack, Turla sent phishing emails to 20 Ukraine-based targets linking to a RAR archive that exploited CVE-2025-8088, a WinRAR path traversal flaw, to execute StockStay.
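The lure pattern described above (university sender accounts, 'education'/'diplo' link domains, RAR links and MSI installers named 'DiplomacyEduAI') is easy to turn into a first-pass triage rule over mail-gateway logs. The script below is an added example written for this page, not GTIG's or the article's code; the key="value" log format, the field names, the academic-token list, the point values and the alerting threshold are all assumptions, and the sample events are constructed rather than real telemetry.

```python
"""Triage mail-gateway events for the StockStay lure pattern GTIG describes.

Added example. Log format, field names, token lists, scores and threshold are
assumptions; SAMPLE_LOG is constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Tokens taken from the article's description of the lures. The academic
# token list is an assumption; extend it with your tenant's peer institutions.
LURE_DOMAIN_TOKENS = ("education", "diplo")
ACADEMIC_TOKENS = ("university", "univ", "academy", "institute", ".edu")
LURE_FILENAME = "diplomacyeduai"
ARCHIVE_OR_INSTALLER = re.compile(r"\.(rar|msi)$", re.IGNORECASE)

# Constructed sample events (key="value" pairs), not real data.
SAMPLE_LOG = [
    'ts="2025-11-04T09:12:33Z" from="dean@constructed-university.example" '
    'to="staff@gov.example" url="https://education-diplo.example/invite.rar" attachment=""',
    'ts="2025-11-04T09:15:01Z" from="alerts@vendor.example" '
    'to="staff@gov.example" url="https://vendor.example/update.msi" attachment=""',
    'ts="2025-11-04T10:02:17Z" from="admin@constructed-university.example" '
    'to="staff@gov.example" url="" attachment="DiplomacyEduAI.msi"',
    'ts="2025-11-04T10:30:00Z" from="news@list.example" '
    'to="staff@gov.example" url="https://news.example/story" attachment=""',
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def parse_event(line):
    """Parse one key="value" log line into a dict (format is an assumption)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def score_event(ev):
    """Score one event against the lure indicators; higher means more suspicious."""
    v = Verdict()
    sender_domain = ev.get("from", "").rpartition("@")[2].lower()
    if any(t in sender_domain for t in ACADEMIC_TOKENS):
        v.add(1, f"sender domain looks academic: {sender_domain}")
    url = ev.get("url", "")
    host = (urlparse(url).hostname or "").lower()
    if any(t in host for t in LURE_DOMAIN_TOKENS):
        v.add(2, f"link host carries lure token: {host}")
    # The delivered object is either an attachment or the last path element of the link.
    name = (ev.get("attachment") or urlparse(url).path.rsplit("/", 1)[-1]).lower()
    if LURE_FILENAME in name:
        v.add(3, f"installer name matches known lure: {name}")
    if ARCHIVE_OR_INSTALLER.search(name):
        v.add(1, f"archive or installer delivered: {name}")
    return v


def triage(lines, threshold=3):
    """Return (event, verdict) pairs scoring at or above threshold, highest first."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        v = score_event(ev)
        if v.score >= threshold:
            hits.append((ev, v))
    hits.sort(key=lambda h: h[1].score, reverse=True)
    return hits


if __name__ == "__main__":
    for ev, v in triage(SAMPLE_LOG):
        print(f"{ev['ts']} score={v.score} from={ev['from']}")
        for reason in v.reasons:
            print("   -", reason)
```

Run against the constructed sample, the two university-sourced events (the RAR link on an 'education-diplo' host and the 'DiplomacyEduAI.msi' attachment) are flagged, while a routine vendor MSI link and a newsletter fall below the threshold. The point values are deliberately crude: the filename match is weighted highest because it is the most specific indicator the article gives, and the academic-sender signal alone never alerts, since legitimate university mail is common.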

Broader Espionage Campaign and Implications

While most StockStay activity has targeted Ukrainian government and military entities, GTIG also observed infections in Italy, the Netherlands, Poland, and Germany, including at a foreign affairs ministry. The intended victims of those European attacks have not been confirmed. In a separate finding published June 25, 2026, by The Hacker News, Russian authorities were reported to have used Cellebrite's UFED forensic tools to unlock the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite said it would stop selling to Russia and Belarus; the finding rests on traces left on the phone and on official Russian documentation. Taken together, the two stories illustrate the breadth of Russian state cyber activity against both military and civilian targets. GTIG warns that Turla continues to refine StockStay, and organizations should monitor for phishing campaigns using academic and diplomatic themes, treat RAR archives and MSI installers arriving by email with suspicion, and keep WinRAR patched against CVE-2025-8088.

Fact check

  • Turla has been using the StockStay backdoor against Ukrainian government and military organizations since 2022.

    verified · source

  • StockStay uses a secure WebSocket connection for C&C communication via the open source websocket-sharp library.

    verified · source

  • Russian authorities used Cellebrite's UFED tools on activist Andrey Pivovarov's iPhone in June 2021, after Cellebrite said it stopped sales to Russia.

    reported · source
