Turla Unveils STOCKSTAY Backdoor in Ukraine Espionage Campaigns

As recently as November 2025, an email phishing wave targeting Ukraine delivered an implant via RAR archives that exploited CVE-2025-8088, a WinRAR flaw that several Russian hacking groups have used, Google’s Threat Intelligence Group (GTIG) reported.

How STOCKSTAY is structured and how it communicates

GTIG attributes a previously undocumented .NET backdoor called STOCKSTAY to the Russian state‑sponsored actor known as Turla. According to Google, STOCKSTAY is "a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command-and-control (C2) via a secure WebSocket connection, utilizing the open-source websocket-sharp library."

The implant is modular. The entry point is a downloader GTIG calls STOCKSTAY.MARKETMAKER, which installs and runs three cooperating modules:

  • STOCKSTAY.STOCKBROKER — a proxy-aware tunneler that establishes the secure WebSocket connection to a remote server and facilitates network communications for the suite.
  • STOCKSTAY.STOCKTRADER — the principal backdoor responsible for information gathering and remote actions on the compromised host.
  • STOCKSTAY.STOCKMARKET — an orchestrator that parses configuration options (for example the WebSocket server, timing intervals, and days the implant should not run) and relays server details to STOCKBROKER and commands to STOCKTRADER.

The components communicate locally via an inter-process communication channel based on WM_COPYDATA messages. GTIG noted that the server side for the WebSocket controller has a publicly accessible GitHub repository ("ChikenFresh/google-ai-labs-it") containing a Python implementation that logs connecting client IPs.

What STOCKSTAY can do

GTIG’s writeup lists a broad set of supported commands built into STOCKSTAY.STOCKTRADER. The implant can manipulate files and directories (Get, Put, Del, MkDir, RmDir, UnpackArchive), enumerate and modify the Windows Registry (RegRead, RegWrite, RegDelete), execute processes (Run, MultyTask), and collect system and visual intelligence (Sysinfo, Image).

  • File operations: fetch files by extension, upload files to the device, and extract ZIP archives.
  • System and persistence techniques: read and write registry values and run arbitrary processes.
  • Reconnaissance and exfiltration support: screen capture and directory enumeration to gather intelligence.

Delivery techniques observed in campaigns

GTIG documents multiple distribution methods for STOCKSTAY. In at least one incident in early 2025, Turla used a phishing email with a malicious RDP file attachment that established a connection to actor-controlled infrastructure, allowing follow-on payloads like STOCKSTAY to be deployed. As noted above, a November 2025 phishing wave used RAR archives exploiting CVE-2025-8088.

Other observed vectors include MSI installers — in one case hosted on GitHub — and RAR files that contained an HTML Application (HTA) designed to execute a variant of STOCKSTAY.MARKETMAKER. The downloader has been seen fetching a ZIP archive with the core STOCKSTAY modules from a compromised WordPress instance.

Overlap with KAZUAR and the development timeline

GTIG highlighted "significant code and functional overlaps" between STOCKSTAY and Kazuar, a toolkit Turla has used since 2017. The common design pattern is role separation across modules: STOCKSTAY’s broker, trader, and market components mirror Kazuar’s Kernel, Bridge, and Worker division described last month by the Microsoft Threat Intelligence team.

Evidence points to development activity going back to December 2022, and the earliest detected STOCKSTAY sample with separated role-based components appeared on VirusTotal in December 2023, uploaded from the Netherlands. Google assesses that "STOCKSTAY is being developed in KAZUAR’s image," and that the two ecosystems both rely heavily on .NET and have used compromised WordPress sites during operations.

GTIG added with low confidence that concurrent deployment of STOCKSTAY alongside KAZUAR in active operations "may be a result of the threat actor seeking to test new capabilities in active operations, particularly where they may be expecting their existing access to be remediated in the near future."

What this means for technologists, policymakers, and affected organizations

  • Technologists and security teams: watch for WebSocket-based C2 using the websocket-sharp library, inter-process signaling via WM_COPYDATA, and multi-component .NET implants that may arrive via RDP files, MSI installers, HTA scripts, or RAR archives exploiting CVE-2025-8088. Monitor GitHub-hosted installers and compromised WordPress instances used to host payload ZIPs.
  • Policymakers and regulators: note GTIG’s attribution to Turla and the targeting pattern — government and military organizations in Ukraine and entities with an interest in Italian foreign policy — when assessing cross-border espionage risk and disclosure or mitigation policies.
  • Affected enterprises and procurement leaders: expect modular backdoors that can be used both for initial access and in late-stage post-exploitation; inventory exposure to the delivery vectors GTIG describes and validate detection coverage for screen-capture and registry modification behaviors cited in the campaign analysis.
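One way a defender could turn the traits described above (the websocket-sharp dependency and STOCKTRADER command vocabulary from the structure and capability sections, and the "watch for" list in the first bullet) into a static triage check. This is an added example, not code from GTIG or the article: it scores a raw .NET image for those indicators, relying on the fact that .NET string literals are stored as UTF-16LE in the #US heap while assembly and P/Invoke names are stored as ASCII in the #Strings heap. The SendMessage import as a WM_COPYDATA proxy, the weights, and the threshold are my own assumptions.

```python
# Indicators drawn from GTIG's description of STOCKSTAY as summarized in the
# article. Scoring, threshold and the SendMessage heuristic are assumptions.
WEBSOCKET_SHARP_REF = b"websocket-sharp"   # assembly reference, ASCII in #Strings heap
COPYDATA_API = b"SendMessage"              # P/Invoke target used to send WM_COPYDATA (assumption)
STOCKTRADER_COMMANDS = [
    "Get", "Put", "Del", "MkDir", "RmDir", "UnpackArchive",
    "RegRead", "RegWrite", "RegDelete", "Run", "MultyTask", "Sysinfo", "Image",
]
# Short, common words alone would flag benign binaries; only these weigh toward a verdict.
DISTINCTIVE_COMMANDS = {"UnpackArchive", "MultyTask", "RegDelete", "RmDir"}


def utf16(s: str) -> bytes:
    """.NET user strings live in the #US heap as UTF-16LE, so search in that encoding."""
    return s.encode("utf-16-le")


def triage_dotnet_blob(data: bytes) -> dict:
    """Score a raw .NET assembly image for the STOCKSTAY traits named in the article."""
    found_cmds = [c for c in STOCKTRADER_COMMANDS if utf16(c) in data]
    distinctive = sorted(set(found_cmds) & DISTINCTIVE_COMMANDS)
    has_ws = WEBSOCKET_SHARP_REF in data
    has_copydata = COPYDATA_API in data
    score = (2 if has_ws else 0) + (1 if has_copydata else 0) + len(distinctive)
    return {
        "websocket_sharp": has_ws,
        "sendmessage_import": has_copydata,
        "commands": found_cmds,
        "distinctive_commands": distinctive,
        "score": score,
        "verdict": "review" if score >= 3 else "low",
    }


def constructed_sample() -> bytes:
    """Constructed stand-in for a .NET image: ASCII metadata names plus UTF-16LE user strings."""
    strings_heap = b"\x00mscorlib\x00websocket-sharp\x00user32.dll\x00SendMessage\x00"
    user_strings = b"".join(utf16(c) + b"\x00\x00" for c in ("Get", "UnpackArchive", "MultyTask", "RegWrite"))
    return b"MZ" + b"\x00" * 64 + strings_heap + user_strings


if __name__ == "__main__":
    print(triage_dotnet_blob(constructed_sample()))
```

Treat a "review" verdict as a prompt for analyst inspection rather than a detection on its own; websocket-sharp is a legitimate library and SendMessage is common in Windows Forms code.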

GTIG’s findings frame STOCKSTAY as a deliberately modular espionage tool that reuses proven architectural ideas from Kazuar while adopting modern delivery tactics — including the exploitation of CVE-2025-8088 — across multiple European-targeted campaigns. The exact list of affected European entities remains unknown, but the timeline and technical fingerprints GTIG documents give network defenders specific vectors to prioritize and investigators concrete code similarities to correlate as the campaign evolves.

Original story: Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks — The Hacker News