Turla, one of Russia's most sophisticated state-sponsored hacking groups, has added a new weapon to its arsenal. Researchers have identified a previously unknown backdoor malware called StockStay being deployed against high-value targets in Ukraine, with a focus on government agencies and military organizations.
What Is StockStay?
StockStay is a custom implant designed for long-term persistence and covert data exfiltration. Unlike many commodity malware strains, StockStay bears the hallmarks of a professionally engineered tool — modular architecture, encrypted command-and-control communications, and anti-forensic capabilities designed to hinder analysis.
Security researchers attribute the malware to Turla (also tracked as Snake, Venomous Bear, and Waterbug) based on:
- Code overlaps with previously documented Turla tooling, including the Carbon and Kazuar backdoors
- Infrastructure reuse — C2 servers linked to prior Turla campaigns
- Targeting patterns consistent with Russian intelligence collection priorities
Attack Chain and Capabilities
The initial infection vector appears to involve spear-phishing emails crafted to appear as official Ukrainian government communications. Once deployed, StockStay provides operators with:
- Remote command execution — full shell access to compromised hosts
- Credential harvesting — extracts saved passwords from browsers and Windows credential stores
- File exfiltration — searches for documents matching specific keyword lists related to military operations, logistics, and government planning
- Lateral movement — uses stolen credentials to propagate across internal networks
- Persistence — installs itself as a Windows service and registers scheduled tasks for redundant persistence
Turla's Ongoing Campaign Against Ukraine
This is not an isolated incident. Turla has maintained a sustained offensive posture against Ukraine for over a decade, accelerating operations following the 2022 invasion. StockStay represents a continued investment in bespoke tooling to evade detection by Ukrainian and Western security teams who have grown familiar with Turla's older malware families.
The group is believed to operate under the direction of Russia's Federal Security Service (FSB), with a mandate focused on intelligence collection rather than destructive attacks — though attribution remains difficult to verify with certainty.
Defensive Recommendations
Organizations in Ukraine and allied nations should treat this as an active threat. Key defensive actions include:
- Audit Windows services and scheduled tasks for unexpected or recently added entries
- Monitor outbound encrypted traffic to unusual or low-reputation destinations
- Enforce phishing-resistant MFA across government and military accounts
- Hunt for lateral movement indicators using stolen credentials, particularly NTLM relay attacks
- Apply threat intelligence feeds incorporating Turla infrastructure indicators
CISA and partner agencies have previously published detailed Turla threat advisories; defenders should ensure their detection rules incorporate the latest published indicators of compromise.
The Bigger Picture
StockStay's discovery underscores the ongoing intensity of cyber operations in the Russia-Ukraine conflict. While kinetic warfare dominates headlines, the digital front remains active with intelligence-gathering campaigns that inform real-world military decision-making.
Turla's continued development of new tooling — even as older implants remain partially effective — reflects the group's substantial resourcing and a deliberate strategy of maintaining a diverse malware portfolio to complicate detection and attribution.
Security teams tracking this threat should monitor for updates from vendors and government CERTs as analysis of StockStay samples continues.