Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
Russia🇷🇺 RU55 malware familiesExploits CVEs in the wild

Turla

Also known asATG26BELUGASTURGEONBlue PythonGroup 88IRON HUNTERKryptonpensive_ursaSecret BlizzardSnaketurlaturla_aptturla_apt_groupturla_teamUroburosVENOMOUS BEARWaterbugWhiteBearWRAITH

Turla is a Russia-linked, state-sponsored cyber-espionage threat actor widely tracked as Secret Blizzard, Venomous Bear, Snake, Waterbug, Uroburos/Ourobouros, Krypton, Summit, and UAC-0194. Multiple cited sources link Turla to Russia’s Federal Security Service (FSB), and the group is described as one of Russia’s longest-running espionage actors, active since at least 2004. The reporting in the provided content focuses on Turla’s use of the .NET backdoor STOCKSTAY, which Google Threat Intelligence Group assessed has been under development since at least December 2022. STOCKSTAY has been used in espionage operations against government and military organizations in Ukraine and against entities with an interest in Italian foreign policy; early related activity was also observed in Italy, the Netherlands, Poland, and Germany. The malware is a modular Windows Forms-based backdoor using secure WebSocket command-and-control, WM_COPYDATA-based IPC, and components for downloading payloads, tunneling traffic, orchestration, persistence, reconnaissance, file operations, registry manipulation, screen capture, and command execution. Researchers reported significant code and architectural overlap between STOCKSTAY and Turla’s KAZUAR framework, and assessed that STOCKSTAY may be developed in parallel with KAZUAR as a redundant or complementary espionage capability. Observed Turla delivery and intrusion methods in the content include phishing emails with malicious RDP configuration files, MSI installers, HTA-based chains, and RAR archives exploiting CVE-2025-8088. Lures repeatedly used academic, diplomatic, and military themes, including abuse of a compromised Ukrainian university account and a diplomatic education platform. Turla also used compromised in-country Ukrainian infrastructure, GitHub-hosted components, compromised WordPress sites, and third-party hosting platforms such as Render and Glitch to stage payloads and obscure infrastructure. The content also notes Turla’s use of Mshta to launch scripts via HTML Applications, its historical association with the Snake implant, and reporting that it used Amadey infections to deploy custom malware against targets in Ukraine. In early 2025, ESET observed collaboration between Gamaredon and Turla, with Gamaredon providing initial access through its loaders for deployment of Turla’s KAZUAR framework. Separate reporting cited in the content also states that Turla previously compromised or used OilRig infrastructure in operations. Overall, the provided material characterizes Turla as an active Russian espionage actor focused on government, military, diplomatic, and related high-value targets, especially in Ukraine, using modular malware, phishing-based initial access, stealthy infrastructure practices, and overlapping toolsets including STOCKSTAY and KAZUAR.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

43 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics58 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1598
Phishing for Information
TA0042
Resource Development
2 techniques
T1586
Compromise Accounts
T1588
Obtain Capabilities
T1588.001
Malware
TA0001
Initial Access
3 techniques
T1078
Valid Accounts
T1190
Exploit Public-Facing Application
T1566×4
Phishing
T1566.001×3
Spearphishing Attachment
T1566.002
Spearphishing Link
TA0002
Execution
5 techniques
T1059×6
Command and Scripting Interpreter
T1059.001×2
PowerShell
T1059.007
JavaScript
T1203×7
Exploitation for Client Execution
T1204
User Execution
T1204.002
Malicious File
T1559×2
Inter-Process Communication
T1574
Hijack Execution Flow
TA0003
Persistence
3 techniques
T1078
Valid Accounts
T1112×4
Modify Registry
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
3 techniques
T1068×9
Exploitation for Privilege Escalation
T1078
Valid Accounts
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0005
Stealth
7 techniques
T1027
Obfuscated Files or Information
T1027.013
Encrypted/Encoded File
T1036×4
Masquerading
T1070
Indicator Removal
T1070.004
File Deletion
T1078
Valid Accounts
T1140
Deobfuscate/Decode Files or Information
T1218
System Binary Proxy Execution
T1218.005×2
Mshta
T1574
Hijack Execution Flow
TA0112
Defense Impairment
1 technique
T1112×4
Modify Registry
TA0007
Discovery
5 techniques
T1016
System Network Configuration Discovery
T1057
Process Discovery
T1082×4
System Information Discovery
T1083×4
File and Directory Discovery
T1087
Account Discovery
T1087.002
Domain Account
TA0008
Lateral Movement
2 techniques
T1021
Remote Services
T1021.001×2
Remote Desktop Protocol
T1570
Lateral Tool Transfer
TA0009
Collection
4 techniques
T1005×2
Data from Local System
T1025
Data from Removable Media
T1113×3
Screen Capture
T1560
Archive Collected Data
TA0011
Command and Control
5 techniques
T1071×2
Application Layer Protocol
T1071.001×5
Web Protocols
T1090×3
Proxy
T1102
Web Service
T1102.001
Dead Drop Resolver
T1105×6
Ingress Tool Transfer
T1573
Encrypted Channel
T1573.002
Asymmetric Cryptography
TA0010
Exfiltration
1 technique
T1041×2
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

55 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
KazuarThis architecture somewhat resembles Turla’s multi-hop KAZUAR C2 infrastructure.17Jun 26, 2026
ComRATResearchers at ESET detailed updates to Turla’s ComRAT malware, the heir to the infamous Agent.BTZ malware... Another notable campaign took place in 2008, when Agent.BTZ malware infected U.S. government classified networks via infected removable media. | Researchers at ESET detailed updates to Turla’s ComRAT malware, the heir to the infamous Agent.BTZ malware, which was used to target two Ministries of Foreign Affairs and a national parliament.5May 27, 2026
SnakeKnown historically for its tight ties to Russia’s Federal Security Service (FSB) and its development of the Snake implant, Turla has leveraged STOCKSTAY to target sensitive government and military organizations.5Jun 26, 2026
STOCKSTAYThe Google Threat Intelligence Group has uncovered a .NET backdoor known as STOCKSTAY, which has been a persistent component of the espionage toolkit utilized by the highly active and capable Russia-linked threat actor Turla since at least December 2022.5Jun 26, 2026
AmadeyAmadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information.3Jun 24, 2026

50 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

8 CVEs this actor has used in observed campaigns. 8 of them exploited in the wild.

CVE-2025-8088WinRAR Windows Path Traversal via NTFS Alternate Data StreamsIn the wildEvidence8

In one attack in November 2025, Turla sent phishing emails to 20 Ukraine-based targets, linking to a malicious RAR archive exploiting CVE-2025-8088 for the execution of StockStay. In January, GTIG warned that multiple Russian APTs and cybercrime groups had been targeting the WinRAR vulnerability.

CVE-2012-1723Java Applet Field Bytecode Verifier Cache Remote Code Execution in Oracle Java HotSpotIn the wildEvidence2

The Java files exploit a popular vulnerability, CVE-2012-1723, in various configurations.

CVE-2013-3346Adobe Reader and Acrobat Memory Corruption RCE/DoSIn the wildEvidence2

CVE-2013-3346 – Arbitrary code-execution vulnerability in Adobe Reader

CVE-2013-5065Local Privilege Escalation in Windows NDProxy.sysIn the wildEvidence2

The attacks are known to have used at least two zero-day exploits: CVE-2013-5065 – Privilege escalation vulnerability in Windows XP and Windows 2003

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

3 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

277 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

277 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
security weekNews
Jun 26, 2026
Russian APT Deploys 'StockStay' Backdoor Against Ukrainian Targets - SecurityWeek

Cyber espionage operations using the StockStay backdoor against Ukrainian government and military organizations, as well as some European entities with interest in Italian foreign policy.

Read more
the hacker newsNews
Jun 26, 2026
Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks

Conducting cyber espionage operations using the STOCKSTAY .NET backdoor and Kazuar-related tooling against government and military targets, including operations in Ukraine and entities tied to Italian foreign policy.

Read more
the record mediaNews
Jun 26, 2026
Russia used social engineering to breach prominent messaging accounts, Ukraine says | The Record from Recorded Future News

Referenced as a Russian espionage group involved in operations against Ukraine.

Read more
the record mediaNews
Jun 26, 2026
Turla group adds more malware to Russia’s espionage efforts against Ukraine | The Record from Recorded Future News

Cyber-espionage operations using the StockStay malware to spy on Ukrainian government and military organizations, as well as entities of interest across Europe. The group is also described as investing in redundant, parallel malware ecosystems for persistent access.

Read more
+191 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping43

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal55

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs8

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables277

Domains, IPs, and hashes tied to this actor, refreshed continuously.