The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called STOCKSTAY that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy.

Describing the Windows backdoor as continually developed by the hacking group, Google Threat Intelligence Group (GTIG) said the cyber espionage tool shares significant code and functional overlaps with Kazuar, a staple implant put to use by the adversary since 2017. Suspected development activity for the malware dates back to December 2022.

“STOCKSTAY is a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command-and-control (C2) via a secure WebSocket connection, utilizing the open-source websocket-sharp library,” GTIG said.

“STOCKSTAY consists of several distinct components that communicate with one another via an inter-process communication (IPC) channel, based on the exchange of WM_COPYDATA messages.”

Evidence indicates that the implant was originally designed to mimic a stock market data viewing tool, before being adapted to masquerade as other harmless programs like PDF viewers and calculator utilities. The starting point is a downloader component codenamed STOCKSTAY.MARKETMAKER that installs and executes three additional modules –

  • STOCKSTAY.STOCKBROKER, a proxy-aware tunneler that facilitates network communication capabilities to the wider STOCKSTAY suite by establishing a secure WebSocket connection to a specified remote server.
  • STOCKSTAY.STOCKTRADER, the main backdoor that enables information gathering.
  • STOCKSTAY.STOCKMARKET, an orchestrator or controller that parses the backdoor’s configuration to set several options regarding the malware’s execution, such as the WebSocket server, time interval, and the days it’s not supposed to work. It also communicates with STOCKSTAY.STOCKBROKER to provide the server details and receive messages via the established WebSocket connection, as well as STOCKSTAY.STOCKTRADER to issue commands to be run on the compromised host.
STOCKSTAY malware architecture
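As an added defender-side illustration (not part of GTIG's report or this article), the following Python triage helper checks whether a PE file is a managed .NET image and searches it for the build artefacts named above: the Windows Forms dependency, the websocket-sharp library and a WM_COPYDATA member name. The indicator strings and the in-memory fake PE are constructed for this example; absence of these strings proves nothing, since a packed or obfuscated sample will not carry them in the clear.

```python
import struct

# Strings GTIG's description ties to STOCKSTAY's build: a .NET Windows Forms assembly that
# depends on websocket-sharp and exchanges WM_COPYDATA messages between components.
# .NET metadata stores assembly references and member names as ASCII in the #Strings heap,
# so a plain byte search finds them unless the author renames or obfuscates them.
INDICATORS = (b"System.Windows.Forms", b"websocket-sharp", b"WM_COPYDATA")

def has_clr_header(data: bytes) -> bool:
    """True if the PE optional header's CLR Runtime Header directory (index 14) is populated,
    i.e. the file is a managed (.NET) image. Returns False for anything malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt_off = pe_off + 24                       # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    clr_off = dirs_off + 14 * 8                 # 14 = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if clr_off + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, clr_off)
    return rva != 0 and size != 0

def triage(data: bytes) -> dict:
    """Combine the managed-image check with the indicator search into one verdict."""
    hits = [s.decode() for s in INDICATORS if s in data]
    managed = has_clr_header(data)
    return {"managed": managed, "indicators": hits,
            "suspicious": managed and len(hits) >= 2}

def build_fake_pe(managed: bool, payload: bytes) -> bytes:
    """Constructed stand-in for a PE32 file: valid headers, no sections, indicator strings
    appended. It exists only so the example runs offline; it is not a STOCKSTAY sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94               # PE32 magic + remaining fields
    dirs = bytearray(16 * 8)                                  # 16 data directories
    if managed:
        struct.pack_into("<II", dirs, 14 * 8, 0x2008, 0x48)   # CLR header RVA and size
    return dos + coff + opt + bytes(dirs) + payload

if __name__ == "__main__":
    sample = build_fake_pe(True, b"mscorlib\0System.Windows.Forms\0websocket-sharp\0WM_COPYDATA\0")
    print(triage(sample))
```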

Some of the commands supported by STOCKSTAY.STOCKTRADER are listed below –

  • Del, to delete the specified files
  • Dir, to enumerate the specified directories
  • Get, to fetch one or more specified files matching certain extensions
  • MkDir, to make one or more directories
  • RmDir, to delete the specified directories
  • Image, to perform a screen capture of the device’s screen
  • MultyTask, to run a semi-colon-separated list of tasks at once
  • Put, to upload a file to the device
  • RegRead, to read a Windows Registry value
  • RegDelete, to delete a Windows Registry value
  • RegWrite, to set a Windows Registry value
  • Run, to execute a new process
  • Sysinfo, to gather system information
  • UnpackArchive, to extract the specified ZIP file to its current directory

Google said it identified a publicly accessible GitHub…



Last Update: June 26, 2026