STOCKSTAY Another Day: The Lat... Note

STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus

Google Threat Intelligence Group has detailed STOCKSTAY, a .NET backdoor actively developed by the Russia-linked Turla group since late 2022. Turla has deployed STOCKSTAY primarily against Ukrainian government and military entities, as well as organizations interested in Italian foreign policy, for cyber espionage. This backdoor exhibits significant code and functionality overlaps with Turla's previously known KAZUAR toolkit. Turla is a long-standing cyber espionage actor, with suspected activity dating back to 2004, and has been linked to Russia's FSB. STOCKSTAY is a multi-component backdoor that communicates with its command and control (C2) server using secure WebSockets, facilitated by the websocket-sharp library. Initially designed to mimic a stock market data viewer, STOCKSTAY has evolved to impersonate other benign applications like PDF viewers and calculators. The malware comprises distinct components: STOCKSTAY.STOCKBROKER for network communication, STOCKSTAY.STOCKMARKET as the orchestrator responsible for configuration and C2 messaging, and STOCKSTAY.STOCKTRADER for executing commands on the infected host. STOCKSTAY.STOCKTRADER supports a range of operations including file and registry manipulation, command execution, and system information gathering. A related downloader component, STOCKSTAY.MARKETMAKER, has been observed masquerading as legitimate software to establish persistence. The analysis provides a timeline of observations and examines STOCKSTAY's similarities to KAZUAR, contextualizing its role within Turla's evolving toolset.
CdXz5zHNQW_ezln4WcZu8.png