Russian APT Deploys ‘StockStay’ Backdoor Against Ukrainian Targets
The Russian-linked APT group Turla has been deploying a .NET backdoor named StockStay against Ukrainian government and military targets for espionage purposes. StockStay masquerades as legitimate applications and uses secure WebSocket communications for command-and-control. It supports extensive capabilities including file operations, screen capture, and system information gathering. The malware has also targeted entities related to Italian foreign policy and has been delivered via phishing emails and malicious RDP configuration files. The backdoor has been observed since 2022 and shows code overlap with previous Turla implants. Attacks have leveraged compromised Ukrainian infrastructure and exploited vulnerabilities such as CVE-2025-8088. The campaign aligns with Russian geopolitical interests in the region.
AI Analysis
Technical Summary
Turla, a Russia-linked APT group active since at least 2004 and officially tied to Russia’s FSB, has developed and deployed a multi-component .NET backdoor called StockStay since 2022. StockStay uses secure WebSocket connections via the websocket-sharp library for C2 communication and includes components for downloading payloads, tunneling network traffic, and orchestrating malware execution. It masquerades as stock market tools, PDF viewers, or calculator utilities. The backdoor supports commands for file download, exfiltration, modification, screen capture, registry changes, process execution, and system information harvesting. Deployment methods include phishing emails with malicious RDP files and exploitation of CVE-2025-8088. The primary targets are Ukrainian government and military organizations, with some activity against European entities linked to foreign policy interests. The malware campaign uses themes related to academia and diplomacy for social engineering and has leveraged compromised local infrastructure for deployment.
Potential Impact
StockStay enables persistent cyber espionage by allowing attackers to execute arbitrary commands, exfiltrate data, capture screens, modify system settings, and maintain covert access within targeted Ukrainian government and military networks. The backdoor’s use of secure WebSocket communication and proxy-aware tunneling complicates detection and network defense. The exploitation of a known vulnerability (CVE-2025-8088) and use of phishing with malicious RDP files increase the risk of initial compromise. The campaign supports Russian intelligence objectives by targeting sensitive governmental and military information.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Organizations should monitor for phishing attempts that use academic and diplomatic themes, scrutinize RDP configuration files received via email, and deploy controls to detect exploitation of CVE-2025-8088. Because no official fix or patch information is available, defensive measures should focus on user awareness, network monitoring for unusual WebSocket traffic, and restricting unauthorized RDP access. Incident response teams should investigate any signs of StockStay components or related activity within their environments.
Affected Countries
Ukraine, Italy, Netherlands, Poland, Germany
Technical Details
- Article Source: https://www.securityweek.com/russian-apt-deploys-stockstay-backdoor-against-ukrainian-targets/ (fetched 2026-06-26, 1186 words)
Threat ID: 6a3e3fd24853345fc1923273
Added to database: 06/26/2026, 09:01:06 UTC
Last enriched: 06/26/2026, 09:01:16 UTC
Last updated: 06/26/2026, 12:03:32 UTC