defense · TheHackerNews
Google Threat Intelligence Group has documented a previously unknown .NET backdoor called STOCKSTAY attributed to Russian state-sponsored actor Turla. The malware targets government and military organizations in Ukraine, as well as entities with interests in Italian foreign policy. Development activity dates to December 2022. STOCKSTAY is a multi-component backdoor using Windows Forms and secure WebSocket connections. It consists of four modules: STOCKSTAY.MARKETMAKER (downloader), STOCKSTAY.STOCKBROKER (proxy-aware tunneler), STOCKSTAY.STOCKTRADER (main backdoor enabling information gathering), and STOCKSTAY.STOCKMARKET (orchestrator). The backdoor supports commands including file operations, directory enumeration, screen capture, registry manipulation, process execution, and system information gathering. Google identified a publicly accessible GitHub repository containing a Python implementation of the victim-facing WebSocket server controller.
Defense contractors and government agencies handling classified or controlled unclassified information should monitor for STOCKSTAY indicators, particularly those with operations or partnerships in Eastern Europe or NATO-adjacent regions. The malware's multi-stage delivery via phishing, RAR exploits (CVE-2025-8088), MSI installers, and HTA scripts reflects tactics applicable across regulated sectors. Organizations subject to NIST 800-171 or CMMC requirements should assess their email security, file-handling controls, and endpoint detection capabilities for similar multi-component backdoors. An Omniware engagement can scope detection gaps and post-exploitation response procedures tailored to your threat model.
Source: The Hacker News - https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
Source: TheHackerNews
All briefings