The Russian state-backed hacking group Turla has spent years developing and deploying a previously undocumented malware strain called 'StockStay' to conduct cyber espionage against Ukrainian government and military organizations, according to new research from Google.
Researchers found that StockStay has been under active development since at least December 2022. While its primary targets were Ukrainian government and defense entities, malware samples were also identified in Italy, the Netherlands, Poland, and Germany.
Turla, also known as Secret Blizzard and Venomous Bear, is one of Russia's longest-running cyber espionage groups believed to be linked to Center 16 of Russia's Federal Security Service (FSB). The threat actor has been active since at least 2004 and continues to evolve its tactics, with secure messaging platforms and military organizations among the targets.
Google researchers said StockStay shares code and functionality with Kazuar, a sophisticated Turla malware framework previously used in espionage campaigns against military and defense targets.
StockStay is a multi-component backdoor written in .NET using the Windows Forms framework. It communicates with its command-and-control (C&C) servers through encrypted WebSocket connections using the open-source websocket-sharp library. Its components exchange data through WM_COPYDATA messages, a Windows inter-process communication (IPC) mechanism.
Initially, the malware masqueraded as a stock market application, with its configuration and communications styled to match the fake theme. In 2025, researchers observed newer variants posing as legitimate PDF viewers and calculator apps.
Victims were typically infected through phishing emails containing malicious Remote Desktop Protocol (RDP) configuration files. When opened, the files connected victims' systems to attacker-controlled infrastructure, allowing Turla to deploy additional malware. The group used academic and diplomatic themes in phishing campaigns, including emails sent from a compromised Ukrainian university account and a diplomatic education platform.
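An added example, not from the Google report, of a defender-side check for the kind of RDP configuration attachment described above: it parses the .rdp key:type:value format, flags a remote host that is not on an allowlist and, going beyond what the article states, also flags settings that redirect local resources to the remote host. The hostname, allowlist and sample file are constructed placeholders.

```python
import re

# Constructed sample of an .rdp attachment; the hostname is a placeholder, not an indicator.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:attacker-host.example:3389
username:s:guest
drivestoredirect:s:*
redirectclipboard:i:1
"""

# Settings that expose local drives, clipboard, printers or smart cards to the remote host.
# This is an added check based on the .rdp format, not something the article enumerates.
REDIRECT_KEYS = {"drivestoredirect", "redirectclipboard", "redirectprinters", "redirectsmartcards"}

# Each .rdp line is "<key>:<type>:<value>", where type is i (integer) or s (string).
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[is]):(?P<value>.*)$")


def parse_rdp(text):
    """Parse the lines of an .rdp file into a dict keyed by lowercased setting name."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group("key").strip().lower()] = m.group("value").strip()
    return settings


def assess_rdp(text, allowed_hosts):
    """Return findings for an .rdp file: an unexpected remote host and any enabled redirection."""
    s = parse_rdp(text)
    findings = []
    address = s.get("full address", "")
    host = address.split(":")[0].lower()  # drop an optional :port (IPv4 or hostname form)
    if not host:
        findings.append("no 'full address' field")
    elif host not in allowed_hosts:
        findings.append(f"remote host not on allowlist: {host}")
    for key in sorted(REDIRECT_KEYS & s.keys()):
        value = s[key]
        if value not in ("", "0"):  # empty string or 0 means the redirection is off
            findings.append(f"resource redirection enabled: {key}={value}")
    return findings


if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP, {"rdp.corp.example"}):
        print(finding)
```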
Although most confirmed operations targeted Ukraine, researchers also identified phishing activity and suspected StockStay deployments against organizations linked to European foreign affairs ministries.
“A smaller number of STOCKSTAY operations observed by GTIG appear to have been targeted at European entities,” the researchers noted in the report. “Early development samples of STOCKSTAY were identified in various European nations, including Italy, the Netherlands, Poland, and Germany; however, we have been largely unable to confirm the intended victims for the majority of these early infections, nor whether these samples were identified as a result of the threat actor testing their capabilities against publicly available virus scanning services such as VirusTotal.”
The FBI and CISA warned last week that Russian intelligence-linked hackers have upgraded a phishing campaign targeting Signal users. The attackers now steal Signal Backup Recovery Keys, allowing them to access past messages. The campaign mainly targets high-profile people, including government officials, military personnel, journalists, political figures, and officials in Ukraine. The activity is linked to Russian intelligence groups tracked as UNC5792 and UNC4221.
Meanwhile, Ukraine's Security Service (SBU) said it uncovered a long-running Russian campaign targeting the messaging accounts of government officials, military personnel, politicians, and activists in Ukraine, Europe, and the United States. The attackers used fake support messages to trick people into revealing their account login details and steal sensitive information.