STOCKSTAY
STOCKSTAY is a .NET Windows backdoor attributed by Google Threat Intelligence Group with high confidence to the Russia-linked espionage actor Turla, also known as SUMMIT, Secret Blizzard, VENOMOUS BEAR, and UAC-0194. It has been under development since at least December 2022 and has been used in cyber espionage operations primarily against Ukrainian government, defense, and military organizations, as well as entities with an interest in Italian foreign policy; early activity was also observed in Italy, the Netherlands, Poland, and Germany. Researchers reported significant code, functional, and architectural overlap with Turla’s KAZUAR framework, and assessed that STOCKSTAY may be developed in parallel with or by some of the same developers as KAZUAR.
STOCKSTAY is a multi-component backdoor written in .NET using the Windows Forms framework. Reported components include STOCKSTAY.MARKETMAKER, a downloader that installs additional modules and can establish persistence via Windows registry autorun entries; STOCKSTAY.STOCKBROKER, a proxy-aware tunneler that establishes secure WebSocket command-and-control; STOCKSTAY.STOCKMARKET, an orchestrator that parses and decrypts configuration and manages C2 logic; and STOCKSTAY.STOCKTRADER, the main operational backdoor component that executes tasks on the host. Internal component communication uses an IPC channel based on WM_COPYDATA messages. The malware uses the websocket-sharp library for WebSocket communications, generates a unique 4096-bit RSA key pair and infection identifier on first execution, and encrypts task responses before transmission. Reported capabilities include filesystem manipulation, directory enumeration, file retrieval and exfiltration, file upload, directory creation and removal, ZIP extraction, registry read/write/delete, process and command execution, system information gathering, screen capture, and general reconnaissance.
Observed delivery and infection vectors include phishing emails with malicious RDP configuration files that connect victims to attacker-controlled infrastructure for follow-on deployment, MSI installers, HTA-based chains, malicious RAR archives, and a November 2025 campaign exploiting WinRAR vulnerability CVE-2025-8088. Lures were consistently themed around academia, diplomacy, Ukrainian military activity, and drone operations. Researchers also observed use of compromised Ukrainian infrastructure, compromised WordPress sites, GitHub-hosted payloads or tooling, and third-party hosting platforms such as Render and Glitch to support staging and C2 operations. Early variants masqueraded as stock market software, while later variants posed as benign PDF viewers and calculator utilities. Reported C2 indicators include wss://wool-basalt-clock.glitch.me/ws and wss://weatherdataai.theworkpc.com/ws.
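The malicious RDP configuration files described above are plain text, so a mail gateway or triage script can inspect them before a user double-clicks. The following added example (not code from the page or from the cited research) parses an .rdp attachment and flags a connection target outside the organisation's trusted hosts; the sample file, the trusted-suffix list and the treatment of drive and clipboard redirection as suspicious are this example's own assumptions, not details stated on the page.

```python
import ipaddress

# Constructed stand-in for a phishing-style .rdp attachment; not a sample from the page.
SAMPLE_RDP = """\
full address:s:rdp-portal.example.net:3389
username:s:user
drivestoredirect:s:*
redirectclipboard:i:1
"""

# Hosts the organisation legitimately publishes RDP on; assumed inventory, replace with yours.
TRUSTED_HOST_SUFFIXES = ("corp.example.internal",)


def parse_rdp(text):
    """Parse the key:type:value lines of an .rdp file into {key: (type, value)}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            key, typ, value = parts
            settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings


def is_trusted_host(addr):
    """True for private IPs or hosts under a trusted suffix; brackets and port are stripped first."""
    host = addr.strip()
    if host.startswith("["):                      # [ipv6]:port form
        host = host[1:host.find("]")]
    elif host.count(":") == 1:                    # host:port form
        host = host.split(":")[0]
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(TRUSTED_HOST_SUFFIXES)


def assess_rdp(text):
    """Return findings that justify holding the attachment for review (empty list if none)."""
    s = parse_rdp(text)
    findings = []
    addr = s.get("full address", ("", ""))[1]
    if not addr:
        findings.append("no full address set")
    elif not is_trusted_host(addr):
        findings.append(f"connects to untrusted host {addr}")
    # Resource redirection gives the remote side access to the victim's drives and clipboard;
    # treating it as suspicious is this example's assumption, not a detail stated on the page.
    if s.get("drivestoredirect", ("", ""))[1]:
        findings.append("redirects local drives to the remote host")
    if s.get("redirectclipboard", ("", "0"))[1] == "1":
        findings.append("redirects clipboard to the remote host")
    return findings
```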
Vulnerabilities exploited
As recently as November 2025, an email phishing wave targeting Ukraine was found to deliver the implant via RAR archives that exploit CVE-2025-8088, a WinRAR vulnerability that has been exploited by a number of Russian hacking groups such as Sandworm, Gamaredon, and RomCom.
The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called STOCKSTAY that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy.
Groups observed using it
The Google Threat Intelligence Group has uncovered a .NET backdoor known as STOCKSTAY, which has been a persistent component of the espionage toolkit utilized by the highly active and capable Russia-linked threat actor Turla since at least December 2022.
Turla (SUMMIT) delivering the STOCKSTAY malware suite using Ukrainian army themes.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Researchers said Turla repeatedly used academic and diplomatic themes to lure victims. In one campaign, the attackers sent phishing emails from a compromised account belonging to a Ukrainian university. In another, they abused a diplomatic education platform to distribute malicious emails and files.
Resource Development (1 technique)
Initial Access (3 techniques)
Victims were typically infected through phishing emails containing malicious Remote Desktop Protocol (RDP) configuration files that connected compromised computers to infrastructure controlled by the attackers, allowing them to deploy additional malware.
Execution (5 techniques)
This backdoor component handles the actual execution of malicious tasks, supporting a wide range of filesystem, registry, and command execution operations on the infected host.
In one attack in November 2025, Turla sent phishing emails to 20 Ukraine-based targets, linking to a malicious RAR archive exploiting CVE-2025-8088 for the execution of StockStay.
GTIG also observed Turla deploying the backdoor via malicious RDP configuration files delivered via phishing emails.
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth (5 techniques)
An encrypted on-disk configuration file contains various options regarding malware execution.
Throughout its operational lifecycle, STOCKSTAY has demonstrated a persistent focus on evasion through disguise. While early versions of the malware were explicitly styled as stock market data viewing utilities... researchers have identified newer variants that adapt to masquerade as benign PDF viewers and calculator applications.
Del: Delete the specified files...
RmDir: Delete the specified directories...
Defense Impairment (1 technique)
Discovery (2 techniques)
Lateral Movement (2 techniques)
Victims were typically infected through phishing emails containing malicious Remote Desktop Protocol (RDP) configuration files that connected compromised computers to infrastructure controlled by the attackers, allowing them to deploy additional malware.
GTIG conducted a review... in which we observed Turla deploying a wide range of tools into the victim’s network... via malicious GPO installation from a compromised domain controller... Multiple ZIP archives, each containing one of the core components of STOCKSTAY or its configuration, were uploaded to the domain controller.
Collection (1 technique)
Command and Control (4 techniques)
Central to its operations is the STOCKSTAY.STOCKMARKET component, which serves as the primary orchestrator, managing command-and-control logic over secure WebSocket connections using the open-source websocket-sharp library.
Network communication is provided through StockStay.StockBroker, a proxy-aware tunneler...
IOCs tracked for this family
67 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
A multi-component .NET backdoor used for cyber espionage. It masquerades as benign utilities, uses secure WebSocket C2, supports modular components for downloading payloads, tunneling communications, orchestration, and command execution including file exfiltration, screen capture, registry modification, process execution, and system information harvesting.
A multi-component .NET Windows backdoor used for cyber espionage. It uses secure WebSocket C2 communications and includes modules for downloading/installing components, tunneling network traffic, orchestrating execution, gathering system information, file operations, registry manipulation, screen capture, and command execution.
A Russian state-backed cyber-espionage malware strain used by Turla to spy on Ukrainian government and military/defense organizations and other entities of interest in Europe. It evolved from posing as a stock market application to masquerading as PDF readers and calculator programs, and was delivered via phishing emails containing malicious RDP configuration files to enable follow-on malware deployment and persistent access.
A modular .NET-based backdoor used by Turla for espionage. It uses Windows Forms components, WM_COPYDATA-based inter-process communication, secure WebSocket C2, RSA key generation for encrypted task responses, and supports reconnaissance, filesystem, registry, and command execution operations.