The Hacker News ·EN News source Advisory Turla
Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks
CVE Tools coverage
Google Threat Intelligence has linked the Russian state-sponsored actor Turla to a previously unknown Windows .NET backdoor named STOCKSTAY, used against government and military targets in Ukraine and other organizations with Italian foreign policy interests. The malware is built from multiple cooperating components that communicate via a secure WebSocket channel and inter-process communication, and it has been used both for initial access and post-exploitation during operations where Turla also relies on Kazuar. Some delivery waves used archives exploiting CVE-2025-8088 (a WinRAR flaw), which matters because it can enable fast malware deployment to targeted environments.