Russian hackers test new virus targeting Ukraine and EU authorities
Turla is attacking Ukrainian government institutions with a new backdoor (photo: Unsplash)
STOCKSTAY architecture and evasion mechanisms
According to experts, STOCKSTAY is a multi-component backdoor written for the .NET platform using the Windows Forms framework.
For communication with its command-and-control (C2) server, the program uses a secure WebSocket connection via the open-source websocket-sharp library.
Interaction between modules within the infected system occurs through a special inter-process communication (IPC) channel by sending WM_COPYDATA messages.
The malware infrastructure consists of a loader and three main modules:
- STOCKSTAY.MARKETMAKER: a primary loader that deploys and launches the rest of the system.
- STOCKSTAY.STOCKBROKER: a network tunneling component that works through proxy servers and establishes a stable, encrypted connection with the attackers’ server.
- STOCKSTAY.STOCKTRADER: the main backdoor module responsible for directly collecting sensitive information and executing commands.
- STOCKSTAY.STOCKMARKET: a control “orchestrator” that analyzes configuration files, sets activity intervals, and defines “sleep” periods when the malware becomes inactive to avoid detection.
The STOCKTRADER module allows hackers to gain full control over an infected device, including:
- deleting and creating folders
- reading and modifying the Windows registry
- taking screenshots
- downloading external files
- launching new processes in the operating system

Overview of STOCKSTAY malware architecture (diagram: Google)
Infection methods and links to the Kazuar platform
STOCKSTAY distribution campaigns rely on social engineering techniques, using phishing emails with academic or diplomatic themes.
In early 2025, hackers widely distributed malicious RDP configuration files that, when opened, connected the victim’s computer to attacker-controlled infrastructure.
In November 2025, a new phishing wave targeting Ukraine was recorded — the malware was delivered in RAR archives exploiting vulnerability CVE-2025-8088.
The same WinRAR vulnerability was actively used by other Russian state-affiliated groups, including Sandworm, Gamaredon, and RomCom.
In other cases, attackers used MSI installers or compromised WordPress-based websites to host ZIP archives containing malware components.
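The RDP configuration files mentioned above are plain-text `.rdp` files, which makes them easy to triage at a mail gateway or on an analyst's workstation. The following Python script is an added example, not code from the article or from Google's report: it parses a `.rdp` file, flags a connection target that is not on an allowlist of the organisation's own gateways, and lists any resource-redirection settings that would hand local drives, clipboard or smart cards to the remote host. The sample files, the `.corp.example` allowlist suffix and the choice of redirection keys to check are all constructed assumptions; the article does not say which settings the campaign's files used.

```python
"""Triage helper for .rdp files (added example; sample inputs are constructed)."""
import ipaddress

# Keys in the .rdp format that expose local resources to the remote host.
# Which of these a malicious file would set is an assumption, not a fact
# taken from the article.
REDIRECTION_KEYS = {
    "drivestoredirect:s": lambda v: v.strip() != "",   # any drive list, e.g. "*"
    "redirectclipboard:i": lambda v: v.strip() == "1",
    "redirectprinters:i": lambda v: v.strip() == "1",
    "redirectsmartcards:i": lambda v: v.strip() == "1",
    "remoteapplicationmode:i": lambda v: v.strip() == "1",  # RemoteApp launch
}

# Hypothetical allowlist of the organisation's own RDP gateways.
TRUSTED_HOST_SUFFIXES = (".corp.example",)


def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict keyed by 'key:type'.

    Values may themselves contain ':' (e.g. host:port), so split at most twice.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[f"{key.lower()}:{typ.lower()}"] = value
    return settings


def host_is_trusted(host):
    """True only for hostnames under an allowlisted suffix; bare IPs are untrusted."""
    host = host.split(":")[0].lower()  # drop an optional :port (IPv4/hostname only)
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host.endswith(TRUSTED_HOST_SUFFIXES)


def triage_rdp(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    settings = parse_rdp(text)
    findings = []
    host = settings.get("full address:s", "")
    if host and not host_is_trusted(host):
        findings.append(f"connects to non-allowlisted host {host}")
    for key, is_set in REDIRECTION_KEYS.items():
        if key in settings and is_set(settings[key]):
            findings.append(f"{key} enabled ({settings[key]})")
    return findings


# Constructed sample: external IP plus drive, clipboard and RemoteApp redirection.
SAMPLE_SUSPICIOUS = """screen mode id:i:2
full address:s:203.0.113.10:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
authentication level:i:0
"""

# Constructed sample: internal gateway, no redirection.
SAMPLE_BENIGN = """screen mode id:i:2
full address:s:rdp.corp.example
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rdp(sample) or "no findings")
```

The script deliberately treats any bare IP address as untrusted and only accepts hostnames under the organisation's own suffix, since a file that points a workstation at an external host while redirecting local drives is the pattern a phishing-delivered `.rdp` attachment would need in order to reach the victim's files.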
Google analysts discovered a public GitHub repository named ChikenFresh/google-ai-labs-it, which contained the STOCKSTAY command-and-control server code written in Python.
Important: the server is designed in such a way that security operators cannot decrypt incoming communications or accurately track the location of the hackers’ infrastructure.

Chronology of STOCKSTAY backdoor deployment (diagram: Google)
The similarity in role distribution between STOCKSTAY modules and the structure of Kazuar (which consists of Kernel, Bridge, and Worker components) suggests that both tools were developed by the same team of programmers.
In Ukrainian government networks, the new backdoor was typically deployed at the final stages of an operation, once the infrastructure had already been thoroughly reconnoitered using Kazuar.
Experts believe that testing the new tool in real combat conditions indicates an attempt by hackers to trial new solutions in case their older access points are blocked by Ukrainian cyber specialists.