STOCKSTAY: Turla's Modular Backdoor Hiding in Plain Sight

Our team at Google Threat Intelligence Group (GTIG) just published new research on STOCKSTAY, a multi-component .NET backdoor we attribute with high confidence to the Russia-nexus espionage actor Turla (aka Secret Blizzard, FSB Center 16).

STOCKSTAY hides in plain sight, disguised as everyday software like a stock market viewer, a PDF viewer, even a calculator, while running modular espionage tooling underneath. Here is what stands out:

  • Attribution: High confidence, based on code overlaps with Turla’s proprietary KAZUAR toolkit and deployment alongside known Turla malware on shared C2 infrastructure.
  • Targeting: A heavy focus on Ukrainian government and military, plus European Ministries of Foreign Affairs. In November 2025 the actor baited Ukrainian military personnel with a fake “UAV Report” decoy detailing drone availability and crew status.
  • Modular by design: STOCKSTAY splits into a tunneler, an orchestrator, and a backdoor that communicate locally and beacon over WebSocket C2, abusing legitimate developer platforms like Render and GitHub to host and hide their infrastructure.
  • Initial Access: Spear-phishing with malicious RDP files and RAR archives exploiting CVE-2025-8088, the WinRAR path traversal vulnerability.

This is classic Turla: a long-running espionage group using a modular backdoor built to blend into trusted infrastructure for intelligence collection. Environmental keying means payloads only decrypt on the intended target, and execution is restricted to business hours so the activity looks like normal use.
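Two of the points above, WebSocket C2 hosted on developer platforms and beaconing limited to business hours, are what a hunt query would key on. The script below is an added illustration written for this post, not GTIG's code or any tooling from the report: it scans constructed proxy-style log lines for WebSocket upgrade requests to developer-hosting domains from processes that are not browsers or developer tools, then summarises the cadence and business-hours profile of each flagged (process, host) pair. The log format, process names, hosting domains and the allow list are all assumptions for the example, not indicators from the research.

```python
"""
Added example (not from the GTIG report): flag WebSocket sessions to developer
hosting platforms from unexpected processes and describe their beacon pattern.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, client process, destination host, HTTP Upgrade header.
SAMPLE_LOG = """\
2025-11-12T09:02:11 chrome.exe api.github.com websocket
2025-11-12T09:03:40 StockViewer.exe example-app.onrender.com websocket
2025-11-12T09:33:42 StockViewer.exe example-app.onrender.com websocket
2025-11-12T10:03:39 StockViewer.exe example-app.onrender.com websocket
2025-11-12T10:33:41 StockViewer.exe example-app.onrender.com websocket
2025-11-12T11:15:02 outlook.exe outlook.office365.com -
2025-11-12T11:20:17 Code.exe github.com websocket
"""

# Assumption: hosting domains of developer platforms that ordinary desktop
# software rarely holds a long-lived WebSocket to.
DEV_PLATFORM_DOMAINS = ("onrender.com", "github.com")
# Assumption: processes for which a WebSocket to such a host is expected.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "Code.exe", "git.exe"}
# Assumed working day, local time: 08:00 through 17:59.
BUSINESS_HOURS = range(8, 18)


def parse_line(line):
    ts, proc, host, upgrade = line.split()
    return datetime.fromisoformat(ts), proc, host, upgrade


def is_dev_platform(host):
    """Exact match or subdomain of a listed platform domain (no bare suffix match)."""
    return any(host == d or host.endswith("." + d) for d in DEV_PLATFORM_DOMAINS)


def find_suspicious_websockets(log_text):
    """Return {(process, host): [timestamps]} for WebSocket upgrades to a
    developer platform from a process that is not on the allow list."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, proc, host, upgrade = parse_line(line)
        if upgrade != "websocket" or proc in ALLOWED_PROCESSES:
            continue
        if is_dev_platform(host):
            hits[(proc, host)].append(ts)
    return dict(hits)


def beacon_summary(timestamps):
    """Median gap between consecutive events (seconds) and the share of events
    inside business hours. A tight median plus a business-hours-only profile
    is the blend-in pattern the post describes."""
    ts = sorted(timestamps)
    gaps = sorted((b - a).total_seconds() for a, b in zip(ts, ts[1:]))
    median_gap = gaps[len(gaps) // 2] if gaps else None
    in_hours = sum(1 for t in ts if t.hour in BUSINESS_HOURS) / len(ts)
    return {"count": len(ts), "median_gap_s": median_gap,
            "business_hours_fraction": in_hours}


if __name__ == "__main__":
    for (proc, host), stamps in find_suspicious_websockets(SAMPLE_LOG).items():
        print(proc, host, beacon_summary(stamps))
```

On the constructed log this flags only the disguised stock viewer, with a roughly 30-minute median interval and every session inside business hours; the browser and editor sessions to GitHub are dropped by the allow list. In a real environment the allow list and the business-hours window need tuning per site, and the point of the summary is that an actor who deliberately beacons only during working hours will not stand out on timing alone, so the process-to-destination pairing carries most of the signal.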

For defenders:


Originally posted on LinkedIn