Russia's FSB-linked Turla hits Ukraine with a stealthy new backdoor

Russia's Turla, one of the world's oldest and stealthiest state-sponsored hacking groups, has been quietly running a custom espionage backdoor against Ukrainian government and military targets for more than three years, according to new research from the Google Threat Intelligence Group (GTIG). The tool, which GTIG calls STOCKSTAY, is built to sit silently on a victim's computer and feed stolen data back to its operators while disguising itself as ordinary stock-market or office software.

Turla (also tracked as Secret Blizzard and Venomous Bear) has been publicly tied by US authorities to Center 16 of Russia's Federal Security Service, the FSB. GTIG says STOCKSTAY has been in continuous development since at least December 2022 and has been used against government and military organizations in Ukraine, as well as against entities interested in Italian foreign policy.

What STOCKSTAY does

STOCKSTAY is a modular .NET backdoor, meaning it is split into separate components that talk to each other on the infected machine so that no single piece looks too suspicious. One component handles all the network traffic, opening an encrypted WebSocket channel to the attackers' server and relaying commands, while another orchestrates the implant and reads an encrypted configuration file from disk.

That config file is a notable piece of tradecraft. It pretends to hold settings for a legitimate cryptocurrency-tracking app, complete with real exchange addresses for Binance, Coinbase, and Bybit and plausible field descriptions, while the actual attacker instructions sit encrypted inside a decoy field. GTIG also found newer 2025 variants masquerading as PDF viewers and calculator utilities rather than the original stock-ticker disguise.
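The decoy-config trick described above leaves a statistical fingerprint that defenders can hunt for: a settings file whose other fields are ordinary strings and URLs contains one value that decodes to bytes indistinguishable from ciphertext. The following added example (editor's code, not GTIG's tooling or STOCKSTAY's real format) scans a JSON config for such fields. The JSON layout, the field names and the `chart_cache` decoy are constructed for the example; the entropy threshold and minimum blob size are assumptions that a real deployment would tune.

```python
"""Scan an application config for string fields that hide opaque, high-entropy
blobs, the signature of an encrypted payload parked inside plausible settings.
Added example: JSON layout, field names and thresholds are assumptions."""
import base64
import json
import math
import re
from typing import Iterator, List, Optional, Tuple

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_BYTES = 32      # short tokens (flags, theme names) are never flagged
ENTROPY_THRESHOLD = 7.0  # bits/byte; ciphertext and compressed data sit near 8.0

# Constructed sample config (not from the report): looks like a crypto-ticker
# app's settings with real exchange API hosts, a harmless long base64 field
# ("logo", low entropy) and a decoy field holding an opaque blob.
SAMPLE_CONFIG = json.dumps({
    "app": "TickerWatch",
    "refresh_seconds": 30,
    "exchanges": [
        {"name": "Binance", "api": "https://api.binance.com"},
        {"name": "Coinbase", "api": "https://api.coinbase.com"},
        {"name": "Bybit", "api": "https://api.bybit.com"},
    ],
    "theme": "dark",
    "logo": base64.b64encode(b"A" * 60).decode(),
    # Decoy: described as cached chart data, actually a ciphertext stand-in
    # (all 256 byte values once, so its entropy is exactly 8.0 bits/byte).
    "chart_cache": base64.b64encode(bytes(range(256))).decode(),
})


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def walk_strings(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def decode_blob(value: str) -> Optional[bytes]:
    """Return decoded bytes if `value` is shaped like a sizeable base64 blob."""
    min_chars = 4 * (MIN_BLOB_BYTES // 3)
    if len(value) % 4 or len(value) < min_chars or not BASE64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return None


def find_suspicious_fields(config_text: str) -> List[Tuple[str, int, float]]:
    """Return (path, decoded_length, entropy) for fields whose decoded content
    is long and statistically looks like ciphertext or compressed data."""
    hits = []
    for path, value in walk_strings(json.loads(config_text)):
        blob = decode_blob(value)
        if blob is None or len(blob) < MIN_BLOB_BYTES:
            continue
        entropy = shannon_entropy(blob)
        if entropy >= ENTROPY_THRESHOLD:
            hits.append((path, len(blob), round(entropy, 2)))
    return hits


if __name__ == "__main__":
    for path, size, entropy in find_suspicious_fields(SAMPLE_CONFIG):
        print(f"{path}: {size} bytes, {entropy} bits/byte")
```

Legitimate API keys and certificates will also trip a pure entropy check, so treat hits as triage candidates: a field whose human-readable description does not match what it decodes to is the interesting case.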

Researchers note that STOCKSTAY shares significant code and design with KAZUAR, an earlier and well-documented Turla toolkit, suggesting the same development shop is steadily expanding its arsenal.

How victims get infected

Some of the delivery has leaned on a since-patched WinRAR flaw, tracked as CVE-2025-8088, the same archive-handling bug Russia-aligned crews have repeatedly turned against Ukrainian targets. Staged payloads were hosted on compromised Ukrainian websites, including a government domain.

This is the same FSB-linked operation behind earlier intrusions we have covered, from Turla's ISP-level interception of foreign embassies in Moscow to the broader pattern of Russia-aligned groups exploiting the WinRAR bug against Ukraine. A full profile of the group is on our Turla threat-actor page.

What you should do

There is no single patch for an espionage implant like this, but defenders can close the main entry points: update WinRAR to a version that fixes CVE-2025-8088, treat unexpected archive attachments with suspicion, and hunt for the indicators below. Watch in particular for processes opening outbound WebSocket connections that masquerade as crypto-exchange traffic.
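One way to turn the last sentence into a hunt query: take endpoint network telemetry that records the originating process, the destination host and whether the HTTP request carried a WebSocket upgrade, then flag upgrades that either go to a hostname imitating an exchange or come from a process that has no business streaming exchange data. The example below is added by the editor and is not from the report; the CSV log format, the sample lines, the exchange domain list and the list of expected WebSocket clients are all constructed assumptions to be replaced with an organisation's own baseline.

```python
"""Flag outbound WebSocket connections that do not fit genuine crypto-exchange
traffic. Added detection example over constructed endpoint network logs; the
log format, allowlists and sample rows are assumptions, not report indicators."""
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed telemetry (not real): one row per outbound HTTP request, with the
# "upgrade" column recording whether an "Upgrade: websocket" header was seen.
SAMPLE_LOG = """\
ts,process,dest_host,dest_port,upgrade
2025-03-01T09:00:01Z,chrome.exe,stream.binance.com,9443,websocket
2025-03-01T09:00:07Z,chrome.exe,ws-feed.exchange.coinbase.com,443,websocket
2025-03-01T09:01:15Z,TickerWatch.exe,stream.binance.com.cdn-update.example,443,websocket
2025-03-01T09:02:40Z,outlook.exe,outlook.office365.com,443,none
2025-03-01T09:03:22Z,pdfview.exe,api.bybit.com,443,websocket
"""

# Assumed baselines for the example organisation.
EXCHANGE_DOMAINS = {"binance.com", "coinbase.com", "bybit.com"}
EXCHANGE_BRANDS = {"binance", "coinbase", "bybit"}
EXPECTED_WS_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Finding:
    ts: str
    process: str
    dest_host: str
    reason: str


def registrable_domain(host: str) -> str:
    """Last two DNS labels; adequate for the .com hosts in this example
    (a real tool would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mentions_exchange(host: str) -> bool:
    """True if the hostname borrows an exchange brand anywhere in its labels."""
    lowered = host.lower()
    return any(brand in lowered for brand in EXCHANGE_BRANDS)


def detect(log_text: str) -> List[Finding]:
    """Apply two rules to every WebSocket upgrade in the log:
    1. the host name-drops an exchange but is not under its real domain;
    2. the host is a real exchange but the client process is not expected."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["upgrade"] != "websocket":
            continue  # plain HTTP is out of scope for this hunt
        host, proc = row["dest_host"], row["process"].lower()
        genuine = registrable_domain(host) in EXCHANGE_DOMAINS
        if not genuine and mentions_exchange(host):
            findings.append(Finding(row["ts"], proc, host,
                                    "lookalike exchange hostname"))
        elif genuine and proc not in EXPECTED_WS_CLIENTS:
            findings.append(Finding(row["ts"], proc, host,
                                    "unexpected process for exchange WebSocket"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} {f.process} -> {f.dest_host}: {f.reason}")
```

The second rule is where the disguise described earlier matters: a process named like a stock ticker, PDF viewer or calculator holding a long-lived WebSocket to an exchange endpoint is exactly the shape of traffic the text says to watch for, and a baseline of which binaries legitimately do so is cheap to build.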

Indicators of compromise

Google's researchers, led by Jordan Jones, published the full STOCKSTAY analysis in the original report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions