Russia-Linked Turla Uses Compromised Infrastructure to Deploy STOCKSTAY in Ukraine Operations
By Tushar Subhra Dutta
June 29, 2026
Russia-linked threat group Turla has been quietly expanding its espionage arsenal with a new backdoor called STOCKSTAY, actively targeting government and military organizations in Ukraine since at least December 2022.
The malware is built in .NET and communicates with operators through a secure WebSocket connection, making it difficult to detect within normal network traffic. Evidence points to a well-organized, state-backed campaign tied directly to Russian intelligence.
STOCKSTAY was originally disguised as a stock market data viewing tool, with fake file names and configuration data designed to blend in with everyday software.
By 2025, updated variants were found posing as PDF viewers and calculator utilities, showing how the group continuously adapts.
Turla has consistently focused on Western ministries of foreign affairs, defense organizations, and Ukrainian military entities, reflecting alignment with Russian state interests.
Overview of STOCKSTAY malware architecture (Source – Google Cloud)
Analysts at Google Threat Intelligence Group (GTIG) identified and documented the malware in a report shared with Cyber Security News (CSN), providing a detailed breakdown of its components, timeline, and overlaps with another Turla toolkit known as KAZUAR.
Turla, also tracked as SUMMIT, Secret Blizzard, and VENOMOUS BEAR, is attributed to Center 16 of Russia’s Federal Security Service and has been active since at least 2004.
The malware has been deployed across multiple countries, including Ukraine, Italy, the Netherlands, Poland, and Germany.
In Ukraine, Turla used compromised infrastructure, including government services and an IT company’s server, to stage and deliver the payload. This lets the group blend into local network traffic, making detection considerably harder.
Following a November 2025 phishing wave targeting around 20 Ukraine-based individuals, GTIG confirmed affected Google account holders were notified via Government Backed Attack Warning notifications.
That campaign used malicious RAR archives exploiting a WinRAR path traversal flaw tracked as CVE-2025-8088. Security teams are urged to check their environments against the indicators of compromise listed below.
Russia-Linked Turla Uses Compromised Infrastructure
Turla’s use of compromised Ukrainian infrastructure is one of the most calculated aspects of these operations.
The group staged payloads on a website belonging to the State Regulatory Service of Ukraine and on a WordPress server hosted within the country. Using trusted local sources to deliver malware bypasses controls that would flag foreign infrastructure.
Initial access relied on phishing with malicious Remote Desktop Protocol files. In early 2025, victims received emails posing as a defense training academy, and opening the RDP attachment connected them to actor-controlled infrastructure.
Overview of STOCKSTAY C2 Infrastructure (Source – Tencent)
Turla then deployed the STOCKSTAY.MARKETMAKER downloader, which retrieved the full STOCKSTAY suite from the compromised server.
A later wave in mid-2025 used a compromised diplomatic education platform to draw in victims under the guise of accessing an online training portal.
STOCKSTAY runs through three coordinated components. STOCKMARKET orchestrates operations, STOCKBROKER handles network communication over WebSocket, and STOCKTRADER executes commands on infected machines, including file collection, registry modifications, and screen capture.
The malware runs only on weekdays between 9 AM and 6 PM, deliberately matching business hours to avoid detection.
STOCKSTAY’s Evolving Obfuscation and Connection to KAZUAR
A consistent theme in this investigation is how closely STOCKSTAY mirrors KAZUAR, Turla’s longer-running espionage toolkit.
Both use multi-component architectures, environmental keying to protect configurations, and compromised WordPress sites during operations.
GTIG assesses with moderate confidence that both tools are likely developed by a shared team working in parallel.
In April 2025, STOCKSTAY adopted a new string obfuscation method based on a pseudo-random algorithm called Squirrel3, originally presented at a game development conference in 2017.
Timeline of STOCKSTAY observations (Source – Google Cloud)
GTIG tracks this as K1MORPHER. By June 2025, the same code had appeared in KAZUAR samples, strengthening the case that both families share a common development environment.
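Squirrel3 is a public noise function, so its constants are a concrete thing a defender can look for. The Python below is an added example, not code from the page, from GTIG, or from STOCKSTAY (the page does not describe how the malware actually applies the algorithm): it reproduces the Squirrel3 function with the constants published in the 2017 talk, shows a hypothetical XOR-keystream use of it, and emits the byte patterns a hunting rule could key on.

```python
MASK32 = 0xFFFFFFFF

# Constants of the Squirrel3 noise function (Squirrel Eiserloh, GDC 2017). The three
# appearing together in a .NET method body is a usable hunting signal for K1MORPHER.
BIT_NOISE1 = 0xB5297A4D
BIT_NOISE2 = 0x68E31DA4
BIT_NOISE3 = 0x1B56C4E9


def squirrel3(position: int, seed: int = 0) -> int:
    """Stateless 32-bit hash of (position, seed): the 1-D Squirrel3 noise function."""
    m = ((position & MASK32) * BIT_NOISE1) & MASK32
    m = (m + seed) & MASK32
    m ^= m >> 8
    m = (m + BIT_NOISE2) & MASK32
    m ^= (m << 8) & MASK32
    m = (m * BIT_NOISE3) & MASK32
    m ^= m >> 8
    return m


def keystream(seed: int, length: int) -> bytes:
    """Low byte of successive noise outputs; using indices 0..length-1 keys it by position."""
    return bytes(squirrel3(i, seed) & 0xFF for i in range(length))


def xor_with_noise(data: bytes, seed: int) -> bytes:
    """Hypothetical string obfuscation (an assumption, not STOCKSTAY's routine): XOR with
    the noise keystream. Symmetric, so the same call obfuscates and recovers the text."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def constant_patterns() -> list:
    """Little-endian byte forms of the three constants, as they appear as immediates
    in compiled code; suitable as strings in a YARA-style rule."""
    return [c.to_bytes(4, "little") for c in (BIT_NOISE1, BIT_NOISE2, BIT_NOISE3)]
```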
The group used a GitHub account to host server-side controller code for STOCKSTAY’s command-and-control, linking it to a platform called Render for WebSocket hosting.
This setup makes it difficult for defenders to inspect the encrypted traffic while obscuring the group’s dedicated infrastructure. Turla’s ongoing refinement of STOCKSTAY confirms its status as one of the most technically advanced espionage actors today.
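The hosting pattern above gives defenders something to hunt for in proxy telemetry. The following is an added example, not from the page or GTIG: it scans constructed proxy log lines for completed WebSocket upgrades (HTTP 101) to the hosting platforms that appear in the IoC table, and records whether each connection fell inside the weekday 9-to-6 window the malware restricts itself to. The log field layout and the sample lines are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Hosting platforms the page's IoC table lists as STOCKSTAY WebSocket C2 hosts.
SUSPECT_HOST_SUFFIXES = ("onrender.com", "glitch.me")

# Constructed proxy log lines, not real telemetry. The field layout is an assumption:
#   timestamp client method url status upgrade=<Upgrade header value, or ->
SAMPLE_PROXY_LOG = """\
2025-11-12T09:14:03Z 10.0.4.21 GET https://driverx86-adobe.onrender.com/ws 101 upgrade=websocket
2025-11-12T09:14:05Z 10.0.4.21 GET https://intranet.example.local/index.html 200 upgrade=-
2025-11-12T11:02:44Z 10.0.4.33 GET https://chat.example.com/socket 101 upgrade=websocket
2025-11-15T10:20:00Z 10.0.4.21 GET https://canal1zac1a.onrender.com/ws 101 upgrade=websocket
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) upgrade=(?P<upgrade>\S+)$"
)


def is_suspect_host(host: str) -> bool:
    """True when host is one of the suffixes or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in SUSPECT_HOST_SUFFIXES)


def in_stockstay_hours(ts: str) -> bool:
    """The page reports STOCKSTAY runs weekdays 09:00-18:00; no time zone is stated,
    so the log timestamp is evaluated as written."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t.weekday() < 5 and 9 <= t.hour < 18


def find_websocket_c2_candidates(log_text: str) -> list:
    """One finding per completed WebSocket upgrade (HTTP 101) to a suspect host.
    A hunting lead, not a verdict: legitimate apps use these platforms too."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "101" or m["upgrade"].lower() != "websocket":
            continue
        url = urlparse(m["url"])
        if is_suspect_host(url.hostname or ""):
            findings.append({"client": m["client"], "host": url.hostname,
                             "path": url.path, "business_hours": in_stockstay_hours(m["ts"])})
    return findings
```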
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| URL (WebSocket C2) | wss://wool-basalt-clock.glitch.me/ws | STOCKSTAY WebSocket C2 (January 2024 Ukraine operation) |
| URL (WebSocket C2) | wss://weatherdataai.theworkpc.com/ws | STOCKSTAY WebSocket C2 (April 2025 Ukraine operation) |
| URL (WebSocket C2) | wss://canal1zac1a.onrender.com/ws | STOCKSTAY WebSocket C2 (August 2025 / GitHub test MSIs) |
| URL (WebSocket C2) | wss://driverx86-adobe.onrender.com/ws | STOCKSTAY WebSocket C2 (November 2025 phishing wave) |
| URL (WebSocket C2) | wss://google-ai-labs-it.onrender.com/ws | STOCKSTAY WebSocket C2 (November 2025 / ChikenFresh GitHub) |
| URL (Download) | https://www.drs.gov.ua/wp-content/themes/twentytwentyfive/docs.zip | ZIP hosting STOCKSTAY components on compromised Ukrainian government site |
| URL (Download) | https://basecon.com.ua/calculator.rar | RAR archive containing STOCKSTAY components on compromised Ukrainian server |
| URL (Download) | https://online.zp.ua/wp-content/uploads/Tools/EditorToolsPdf.zip | ZIP containing STOCKSTAY components on compromised WordPress server |
| URL (Decoy / Lure) | https://circoloesteri.elezioni.idnet.it/adelection/riepilogo.php | Italian-language election lure URL used in February 2024 Italy operation |
| File Hash (SHA-256) | d1e54270433a94a… | websocket-sharp.dll — actor-compiled open-source library used by STOCKSTAY |
| File Hash (SHA-256) | f04f43b6f7c2d86… | server.py — Python STOCKSTAY C2 controller (ChikenFresh GitHub) |
| File Hash (SHA-256) | 7615140f78d9a0c… | models.py — Database table definitions for STOCKSTAY C2 server |
| File Hash (SHA-256) | b55f3b8a7334af0… | wtools.py — Utility functions for STOCKSTAY C2 server |
| File Name | MicrosoftUpdateOneDrive.exe | STOCKSTAY.MARKETMAKER downloader (April 2025 Ukraine operation) |
| File Name | styles.dat.exe | STOCKSTAY.MARKETMAKER downloader (August 2025 Ukraine operation) |
| File Name | calculator.rar | RAR archive containing HTA lure and STOCKSTAY components |
| File Name | Калькулятор грошового забезпечення військовослужбовців 2025.hta | Ukrainian HTA lure (“Military personnel cash benefit calculator 2025.hta”) |
| File Name | EditorToolsPdf.zip | ZIP archive containing STOCKSTAY components (August 2025 operation) |
| File Name | DiplomacyEduAI.msi | MSI files containing STOCKSTAY components (GitHub test accounts) |
| File Name | Copia.msi | MSI containing STOCKSTAY components (February 2024 Italy operation) |
| File Name | DriversPrinterGraphic.rar | Early STOCKSTAY RAR archive (September 2023, Germany) |
| File Name | apps_libwallets_v1.3.rar | STOCKSTAY RAR archive (December 2023, Netherlands) |
| File Name | StockMarketNews.exe | Early combined STOCKSTAY executable |
| File Name | StockMarketView.exe / ViewPdf.exe | STOCKSTAY.STOCKMARKET orchestrator (various operations) |
| File Name | StockMarketNet.exe / SMNet.exe / ClientMNGR.exe / MSDriver.exe | STOCKSTAY.STOCKBROKER tunneler (various operations) |
| File Name | StockMarketSystem.exe / SMEditor.exe / ConverterDDSNet.exe / MSRender.exe | STOCKSTAY.STOCKTRADER backdoor (various operations) |
| File Name | ClientMNGR2.exe / GR3.exe | STOCKSTAY.STOCKBROKER tunneler obfuscated with K1MORPHER (May 2025, Poland) |
| File Name | ms-lib-math-core.dll | Shared STOCKSTAY core module (November 2025 operation) |
| File Name | ms-api-win-render.dll | Module containing STOCKSTAY backdoor command handlers |
| File Name | ms-api-wmcpdt.dll | Module containing STOCKSTAY IPC logic |
| File Name | weather_data1.db | SQLite3 database used by STOCKSTAY server-side controller |
| GitHub Account | Roberto1983-ai | Suspected threat actor GitHub account hosting STOCKSTAY MSI test files |
| GitHub Account | ChikenFresh | Suspected threat actor GitHub account hosting STOCKSTAY C2 server code |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.