Google Details Turla's New 'STOCKSTAY' .NET Backdoor Used in Espionage Against Ukraine

Russian APT Turla Unleashes New 'STOCKSTAY' Backdoor in Ukraine Espionage Attacks

Severity: HIGH
June 26, 2026
Threat Actor, Malware, Cyberattack

Related Entities

Organizations

Google Threat Analysis Group

Other

STOCKSTAY, Kazuar, Google, GitHub, Ukraine, Italy

Full Report

Executive Summary

Google's Threat Analysis Group (GTIG) has identified a new, sophisticated .NET backdoor named STOCKSTAY, attributed to the Russian state-sponsored group Turla (also known as Waterbug or Venomous Bear). This malware is being actively used in cyber espionage campaigns targeting government and military organizations in Ukraine, as well as entities with interests in Italian foreign policy. STOCKSTAY is a multi-component implant that communicates over secure WebSockets and shares substantial code overlap with Kazuar, a long-standing tool in Turla's arsenal. The development and deployment of this new malware indicate a continued evolution of the group's capabilities and a persistent focus on high-value intelligence gathering from strategic targets.

Threat Overview

  • Threat Actor: Turla (APT), a highly sophisticated Russian state-sponsored group known for its complex malware and stealthy operations targeting governments, militaries, and diplomatic entities worldwide.
  • Malware: STOCKSTAY, a new backdoor written in .NET using the Windows Forms framework. Its primary function is to establish persistent access, execute commands, and exfiltrate data from compromised Windows systems.
  • Targeting: The campaign has been observed targeting government and military entities in Ukraine, demonstrating a clear alignment with Russian geopolitical interests. Secondary targeting of organizations related to Italian foreign policy has also been noted.

Turla is leveraging STOCKSTAY as a primary implant for espionage. The malware's design suggests a focus on stealth and resilience, incorporating encrypted communications and a C2 architecture designed to evade detection. The significant code similarity with Kazuar suggests that STOCKSTAY is an evolutionary step, possibly intended to replace or augment the older implant with more modern features and a lower detection rate.

Technical Analysis

STOCKSTAY's operations are characterized by several key technical features:

  1. Implant Architecture: The backdoor is written in .NET and uses Windows Forms. This choice allows for rapid development and potential cross-compatibility, though current observations are limited to Windows systems.
  2. Command and Control (C2): The malware communicates with its C2 servers using a secure WebSocket connection (T1071.001 - Web Protocols). This provides a persistent, full-duplex communication channel that can be difficult to distinguish from legitimate web traffic.
  3. Infrastructure Obfuscation: Turla employs a multi-hop C2 infrastructure to hide the true location of its servers. Researchers discovered a public GitHub repository containing a Python script acting as a victim-side WebSocket server controller. This suggests victims may connect to intermediate nodes (potentially compromised servers or public infrastructure) that then proxy traffic to the final C2, a technique consistent with Turla's established TTPs (T1090.003 - Multi-hop Proxy).
  4. Code Reuse: The significant code overlap between STOCKSTAY and Kazuar points to a shared development team. Both malware families are built on .NET and have been observed using compromised WordPress sites for operational purposes (T1190 - Exploit Public-Facing Application). This reuse allows the threat actor to leverage proven code while introducing new features.

Google's analysis suggests Turla may be co-deploying STOCKSTAY and Kazuar, potentially as a way to A/B test the new implant's effectiveness and evasion capabilities in a live operational environment before fully retiring the older tool.

Impact Assessment

A successful STOCKSTAY infection provides the Turla group with long-term, stealthy access to a target's network. The primary impact is espionage and intelligence gathering. Specific consequences include:

  • Theft of Sensitive Data: The backdoor can be used to exfiltrate classified government documents, military plans, diplomatic communications, and other sensitive state secrets.
  • Persistent Foothold: Once established, STOCKSTAY allows the actor to maintain access for extended periods, enabling them to monitor internal communications, pivot to other systems, and deploy additional malicious tools.
  • Strategic Advantage: The intelligence gathered from these campaigns can provide the Russian government with significant strategic, military, and political advantages.

IOCs — Directly from Articles

No specific file hashes, domains, or IP addresses were provided in the summarized articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to identify potential STOCKSTAY activity:

  • Type: network_traffic_pattern
    Value: wss://* or ws://*
    Description: Outbound WebSocket connections from non-browser processes, especially from servers or user workstations.
  • Type: process_name
    Value: rundll32.exe
    Description: Turla has historically used rundll32.exe to launch its .NET payloads. Monitor for rundll32 spawning unusual child processes.
  • Type: command_line_pattern
    Value: powershell -enc
    Description: Look for encoded PowerShell commands used for initial execution or lateral movement, a common TTP for APTs.
  • Type: log_source
    Value: Proxy Logs / Firewall Logs
    Description: Hunt for connections to known compromised WordPress hosting providers or unusual GitHub URLs.
  • Type: file_path
    Value: C:\Users\<user>\AppData\Local\Temp\*.dll
    Description: Payloads are often dropped in temporary or user-profile directories. Monitor for newly created .NET DLLs.

Detection & Response

Detecting Turla's activity requires a defense-in-depth approach.

  1. Network Traffic Analysis: Implement Network Traffic Analysis (D3-NTA) with SSL/TLS inspection to identify anomalous WebSocket connections. Create alerts for non-browser processes initiating wss:// connections to untrusted domains.
  2. Endpoint Detection and Response (EDR): Use an EDR solution to monitor for suspicious process chains, such as powershell.exe or rundll32.exe loading .NET assemblies from disk or memory. EDR is crucial for implementing Process Analysis (D3-PA).
  3. Signature-Based Detection: Deploy antivirus and network intrusion prevention systems with up-to-date signatures for Turla, Kazuar, and emerging threats like STOCKSTAY.
  4. Threat Hunting: Proactively hunt for PowerShell execution (T1059.001) and unusual .NET assembly loads in memory. Check for connections to public code repositories like GitHub from server infrastructure.

Mitigation

Defending against a sophisticated actor like Turla requires a multi-layered security posture.

  1. Application Control: Use application control solutions like AppLocker to restrict the execution of unauthorized software, which aligns with M1038 - Execution Prevention.
  2. Egress Traffic Filtering: Implement strict egress filtering to block outbound connections to unknown or uncategorized domains. Allow WebSocket traffic only to known-good, business-required services. This is a form of M1037 - Filter Network Traffic.
  3. PowerShell Hardening: Constrain PowerShell language mode and enable robust script block and module logging to detect malicious usage, a key aspect of M1028 - Operating System Configuration.
  4. User Training: Train users to recognize and report phishing attempts, which are often used as an initial access vector by APT groups (M1017 - User Training).

Timeline of Events

  1. December 1, 2022: Development of the STOCKSTAY malware is believed to have begun.
  2. June 26, 2026: Google's Threat Analysis Group publishes its report on STOCKSTAY and Turla's campaign.
  3. June 26, 2026: This article was published.

MITRE ATT&CK Mitigations

  1. Implement strict egress filtering to block outbound WebSocket connections to any destination not explicitly required for business operations.
  2. Use web proxies and filters to block access to uncategorized websites and known malicious domains, including potentially blocking general access to GitHub from servers.
  3. Use application control solutions to prevent the execution of unauthorized .NET assemblies and scripts.
  4. Deploy and maintain endpoint security solutions capable of detecting and blocking known Turla malware families through signature and behavioral analysis.

D3FEND Defensive Countermeasures

To counter STOCKSTAY's WebSocket-based C2, organizations must implement robust network traffic analysis with TLS inspection capabilities. Security teams should establish a baseline of normal WebSocket traffic within their environment. Create specific SIEM alerts for any non-browser processes (e.g., svchost.exe, rundll32.exe, or unsigned executables) initiating wss:// connections. Furthermore, since Turla uses compromised WordPress sites and GitHub, outbound connections from servers to these platforms should be heavily scrutinized. Correlating network flows with endpoint process data is key to distinguishing malicious activity from legitimate traffic and identifying the source of a potential compromise.
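The correlation described above, as an added example that is not part of the article or Google's report: WebSocket upgrades seen by a TLS-inspecting proxy are joined to endpoint network-connect events on the client socket, and any process outside a browser allow-list is flagged. The proxy log layout, field names, IPs and hostnames are constructed for the example.

```python
from typing import Iterable, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # processes expected to open WebSockets

# Constructed proxy log (TLS-inspecting proxy): time, client ip:port, method, destination, upgrade header.
PROXY_LOG = """\
2026-06-26T10:00:01Z 10.1.2.20:50112 CONNECT cdn.example.test:443 upgrade=websocket
2026-06-26T10:00:03Z 10.1.2.20:50115 GET https://intranet.example.test/ upgrade=-
2026-06-26T10:00:07Z 10.1.2.31:49802 CONNECT blog.example.test:443 upgrade=websocket
"""

# Constructed endpoint network-connect events (Sysmon Event ID 3 style field names).
EDR_NET_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "SourceIp": "10.1.2.20", "SourcePort": 50112, "DestinationPort": 443},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "SourceIp": "10.1.2.20", "SourcePort": 50115, "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "SourceIp": "10.1.2.31", "SourcePort": 49802, "DestinationPort": 443},
]

def websocket_upgrades(proxy_text: str) -> Iterable[Tuple[str, int, str]]:
    """Yield (client_ip, client_port, destination) for lines that carry a WebSocket upgrade."""
    for line in proxy_text.splitlines():
        _ts, client, _method, dest, upgrade = line.split()
        if upgrade == "upgrade=websocket":
            ip, port = client.rsplit(":", 1)
            yield ip, int(port), dest

def flag_nonbrowser_websockets(proxy_text: str, net_events: list) -> List[Tuple[str, str]]:
    """Join proxy upgrades to endpoint events on (SourceIp, SourcePort), which is
    unique for the life of a TCP connection, and return (process, destination)
    for every WebSocket not opened by an allow-listed browser."""
    by_socket = {(e["SourceIp"], e["SourcePort"]): e["Image"] for e in net_events}
    hits = []
    for ip, port, dest in websocket_upgrades(proxy_text):
        image = by_socket.get((ip, port))
        if image is None:                       # no endpoint telemetry for this socket
            hits.append(("<unattributed>", dest))
            continue
        process = image.rsplit("\\", 1)[-1].lower()
        if process not in BROWSERS:
            hits.append((process, dest))
    return hits

if __name__ == "__main__":
    for process, dest in flag_nonbrowser_websockets(PROXY_LOG, EDR_NET_EVENTS):
        print(f"ALERT: non-browser WebSocket {process} -> {dest}")
```

An upgrade with no matching endpoint event is reported as unattributed rather than dropped, since a gap in EDR coverage is itself worth investigating.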

Given that STOCKSTAY is a .NET implant, process analysis via an EDR solution is critical for detection. Security teams should monitor for suspicious loading of .NET assemblies, particularly by processes that do not typically do so. Create detection rules for processes that load the System.Windows.Forms.dll but have no visible GUI. Monitor for process chains indicative of Turla's TTPs, such as an Office application spawning PowerShell, which then loads a .NET assembly via reflection (System.Reflection.Assembly.Load). Baselining normal .NET activity on endpoints is essential to reduce false positives and effectively hunt for this type of advanced in-memory threat.
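The process-chain rule described above, as an added example that is not part of the article or Google's report: process-creation events are walked up the parent links, and managed-code activity (a .NET or Windows Forms image load, or a reflective Assembly.Load in a script block) inside a shell descended from an Office application raises an alert. The events are constructed in a Sysmon-like shape; the field names and PIDs are assumptions.

```python
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "rundll32.exe"}          # hosts used to run .NET payloads
NET_DLLS = {"system.windows.forms.dll", "clr.dll", "clrjit.dll"}  # loads that mean managed code is running

# Constructed Sysmon-style events: 1 = ProcessCreate, 7 = ImageLoad, 4104 = PowerShell ScriptBlock.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4104, "pid": 300, "script": "$a = [System.Reflection.Assembly]::Load($bytes)"},
    {"id": 7, "pid": 300, "image_loaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll"},
    # Benign admin PowerShell launched from Explorer: same shell, no Office ancestor, must not alert.
    {"id": 1, "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 7, "pid": 400, "image_loaded": r"C:\Windows\System32\ole32.dll"},
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(pid: int, procs: dict) -> list:
    """Image basenames from the process itself up to the root we have telemetry for."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)                       # guard against PID reuse producing a cycle
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain

def detect_office_to_dotnet(events: list) -> list:
    """Return (pid, reason, chain) for managed-code activity in a shell descended from Office."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        chain = ancestry(e["pid"], procs)
        if not chain or chain[0] not in SHELLS or not (OFFICE & set(chain[1:])):
            continue
        if e["id"] == 7 and basename(e["image_loaded"]) in NET_DLLS:
            alerts.append((e["pid"], "net_assembly_load", " <- ".join(chain)))
        elif e["id"] == 4104 and "assembly]::load" in e["script"].lower():
            alerts.append((e["pid"], "reflective_load", " <- ".join(chain)))
    return alerts

if __name__ == "__main__":
    for pid, reason, chain in detect_office_to_dotnet(EVENTS):
        print(f"ALERT pid={pid} {reason}: {chain}")
```

The Explorer-launched PowerShell stays silent because the rule keys on the Office ancestor, not on the shell alone, which is where the baselining the paragraph calls for pays off.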

A strict egress filtering policy is a highly effective countermeasure against threats like STOCKSTAY. By default, block all outbound traffic from servers and workstations, and only allow connections to known, business-essential destinations on approved ports. Specifically for this threat, create a rule to block all outbound WebSocket traffic (ws:// and wss://) except to whitelisted application servers. Since Turla leverages GitHub for C2 infrastructure, consider blocking or proxying all traffic to github.com from server segments and non-developer workstations, requiring inspection and authentication. This proactive isolation can prevent the malware from establishing its C2 channel even if an initial compromise occurs.

Sources & References

Weekly Intelligence Report - 26 Jun 2026
CYFIRMA (cyfirma.com) June 26, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Turla, STOCKSTAY, Kazuar, APT, Espionage, Ukraine, Google, Threat Intelligence, Malware
