STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus
Essential information
- Published: 26/06/2026 01:28
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: diamondback k1morpher kazuar stockstay turla wildday
- Related entities: 2 vulnerabilities (cve), 57 indicators, 6 observables, 1 intrusion sets (apt), 19 techniques (mitre), 8 malware
Description
Google Threat Intelligence Group has identified STOCKSTAY, a .NET backdoor continuously developed and deployed by Russia-linked Turla (FSB Center 16) since December 2022. The multi-component malware communicates via secure WebSocket connections and targets government and military organizations in Ukraine, as well as entities interested in Italian foreign policy. STOCKSTAY shares significant code overlaps with KAZUAR, particularly the K1MORPHER obfuscation mechanism. The threat actor employs academic and diplomatic lures, malicious RDP files, and compromised Ukrainian infrastructure for deployment. STOCKSTAY uses environmental keying to protect its configuration and operates at multiple stages of an operation. The malware's modular architecture separates C2 communication, task orchestration, and execution into distinct components, mirroring KAZUAR's design philosophy and indicating shared development resources within Turla's cyber espionage arsenal.