Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 28, 2026 · 6 min read

Turla's STOCKSTAY Backdoor: How Russia's Top Hackers Hide in Plain Sight

Google Cloud Threat Intelligence published its analysis of STOCKSTAY on June 26, 2026, and the most important detail is not what the backdoor does — it is where it hides. STOCKSTAY routes command-and-control traffic through GitHub and cloud storage services that every enterprise network already permits.

Google Cloud Threat Intelligence published its analysis of STOCKSTAY on June 26, 2026, and the most important detail is not what the backdoor does — it is where it hides while doing it. STOCKSTAY routes its command-and-control traffic through GitHub repositories and cloud storage services that every enterprise network already permits. No exotic domains, no suspicious IP ranges, no unusual ports. From the network perimeter's perspective, an infected host polling STOCKSTAY's C2 looks identical to a developer pushing code or a finance team syncing files to the cloud. That is the point.

Key Takeaways

  • STOCKSTAY is a .NET backdoor developed by Turla, an FSB-linked APT group, first confirmed active in December 2022 with ongoing Ukraine-focused campaigns documented through June 2026.
  • Google Cloud Threat Intelligence identified STOCKSTAY on networks across Ukraine, Italy, the Netherlands, Poland, and Germany, with Ukrainian government and military organizations as primary targets.
  • STOCKSTAY shares significant code overlap with Turla's Kazuar implant, suggesting the same development team is behind both tools.
  • The backdoor communicates via encrypted WebSocket connections tunneled through publicly accessible GitHub repositories and cloud storage, making C2 traffic blend with normal enterprise SaaS activity.
  • Initial access relies on spear-phishing emails carrying malicious RDP files or RAR archives — the email vector is step one in every observed intrusion chain.

Who Is Turla?

Turla has been tracked under more names than almost any other threat actor: Snake, Venomous Bear, Waterbug, Uroboros. The operational history stretches back to at least 1996, making it one of the longest-running state-sponsored cyber espionage programs on record. The group's FSB attribution is among the most confidently assessed in the threat intelligence community, with Western governments and multiple vendors independently reaching the same conclusion over two decades of analysis.

The tooling catalog is a testament to sustained investment. Carbon, Kazuar, ComRAT, TinyTurla-NG, CamelScraper — each implant reflects years of iterative development and operational security refinement. Turla does not rush. It deploys tools selectively, maintains persistence for months before exfiltrating, and has demonstrated the ability to pivot across air-gapped networks by compromising satellite internet links. STOCKSTAY is the latest addition to this catalog, and it carries the group's signature quality: patient, technically careful, and designed to avoid the defensive controls that most organizations actually have in place.

Digital illustration of a coiled snake made of circuit traces and network connections wrapped around server infrastructure, representing the Turla APT group's STOCKSTAY backdoor hiding inside legitimate cloud services

What STOCKSTAY Does

STOCKSTAY is a multi-component .NET implant built on the Windows Forms framework. GCTI's analysis identifies three distinct modules: STOCKSTAY.STOCKMARKET (the orchestrator), STOCKSTAY.STOCKBROKER (tunneling), and STOCKSTAY.STOCKTRADER (information gathering). Each module handles a discrete phase of the operation, which limits exposure if any single component is detected.

Initial access in observed campaigns arrived via two vectors: phishing emails containing malicious RDP files that established reverse connections into victim environments, and RAR archives exploiting CVE-2025-8088 in WinRAR, delivered through phishing waves as recently as November 2025. Once a foothold is established, STOCKSTAY achieves persistence through scheduled tasks with base64-encoded arguments and WMI event subscriptions — two techniques that are standard Windows enterprise features and survive reboots without generating the registry writes that many endpoint detection tools watch for.

C2 communication runs over an encrypted WebSocket connection using the open-source websocket-sharp library. The client polls a publicly accessible GitHub repository where the operator posts tasking as encrypted blobs. Because the server-side component cannot decrypt inbound messages, even if a researcher or platform operator inspects the repository, the contents appear opaque. GCTI noted this architecture deliberately resembles Kazuar's multi-hop C2 design — the same engineering philosophy applied to a different protocol stack.

Why Cloud-Hosted C2 Is Hard to Block

The defender's dilemma with STOCKSTAY is structural. Blocking GitHub, OneDrive, or Dropbox at the perimeter is not a realistic option for any organization that uses Microsoft 365, runs CI/CD pipelines, or allows developers to access repositories. Turla is exploiting the fact that these services have become load-bearing infrastructure for enterprise operations.

Traditional network detection relies on identifying anomalous destinations, unusual certificate chains, or known-bad IP ranges. STOCKSTAY uses none of those. Traffic to api.github.com over port 443 with a valid TLS certificate is functionally indistinguishable from a legitimate GitHub API call. The only way to catch it is behavioral analysis: looking for system processes (SYSTEM or LOCAL SERVICE accounts) making cloud storage API calls, correlating scheduled task creation with subsequent outbound WebSocket traffic, and monitoring for WMI subscription events that do not correspond to known administrative tooling.

The Email Entry Point

Every observed STOCKSTAY intrusion begins with an email. Academic or diplomatic lures are the consistent theme — messages crafted to be plausible for the government and military recipients Turla targets in Ukraine. The attachment is either a malicious RDP file or a WinRAR archive, but the email itself is the delivery mechanism that makes the entire chain possible.

What security teams sometimes overlook is the reconnaissance function of that initial email. Spear-phishing messages sent by sophisticated actors frequently include tracking pixels — small image requests embedded in the HTML body of the message. When the target opens the email, the pixel loads, and the sender receives confirmation that the message was opened, along with the recipient's IP address, approximate location, email client, and timestamp. Attackers know the implant is sitting in a read inbox before the target ever clicks the attachment. For high-value targets, this open-confirmation step can inform the decision to proceed with a full intrusion or abort to avoid detection. How to detect and block these tracking pixels in Gmail covers the mechanics in detail and the controls available to Gmail users.

Detection Checklist

  • Scheduled task anomalies: Flag any scheduled task created with base64-encoded arguments in the command field, particularly tasks running under SYSTEM that reference .NET assemblies or execute from non-standard paths such as %APPDATA% or %TEMP%.
  • WMI event subscription creation: Monitor for WMI filter and consumer subscription creation events (Event IDs 5858, 5859, 5860 in the Microsoft-Windows-WMI-Activity/Operational log). Turla persistence commonly chains a WMI event filter to a command-line consumer executing encoded PowerShell or .NET payloads.
  • Cloud API calls from unexpected processes: Alert on outbound HTTPS connections to api.github.com, content.dropboxapi.com, or graph.microsoft.com originating from SYSTEM, LOCAL SERVICE, or svchost processes that do not match your known cloud sync agents. Legitimate cloud sync clients run under user accounts with consistent parent process trees.
  • Encrypted polling patterns: Look for recurring outbound connections to GitHub repository endpoints on a regular interval — every 60 to 300 seconds is typical for implants using a polling loop. The request cadence will be more consistent than human-driven GitHub activity.
  • RAR archive delivery via email: STOCKSTAY campaigns exploited CVE-2025-8088 in WinRAR. Ensure WinRAR is patched to 7.11 or later on all endpoints, and flag email-delivered RAR attachments for sandbox detonation before delivery to end users.
  • RDP file attachments: Block or quarantine .rdp file attachments at the email gateway. Legitimate RDP files are rarely distributed via email in most enterprise environments; this is an unusual vector that warrants automatic hold for analyst review.

STOCKSTAY represents exactly the kind of threat that conventional perimeter defenses are not built to catch. Turla spent more than two decades refining this approach because it works: use the infrastructure defenders trust, move slowly, and keep the implant quiet. Detection requires EDR telemetry covering WMI channels and scheduled task arguments, behavioral analytics on cloud API traffic by process context, and a recognition that the email carrying the initial lure is itself an intelligence-gathering instrument before the target clicks anything. Organizations supporting Ukrainian or Eastern European NATO partners should treat this campaign as active and prioritize hunting on those specific behavioral indicators now.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.