CVE Tools
Back to feed
The Hacker News ·EN News source Advisory Turla

Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks

By The Hacker News··5 min read
CVE Tools coverage

Google Threat Intelligence has linked the Russian state-sponsored actor Turla to a previously unknown Windows .NET backdoor named STOCKSTAY, used against government and military targets in Ukraine and other organizations with Italian foreign policy interests. The malware is built from multiple cooperating components that communicate via a secure WebSocket channel and inter-process communication, and it has been used both for initial access and post-exploitation during operations where Turla also relies on Kazuar. Some delivery waves used archives exploiting CVE-2025-8088 (a WinRAR flaw), which matters because it can enable fast malware deployment to targeted environments.