SOC Prime Bias: Critical

29 Jun 2026 06:14 UTC

STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus

SOC Prime Team


Summary

Google Threat Intelligence Group identified STOCKSTAY, a multi-component .NET backdoor used by the Russia-linked threat actor Turla. The malware is built with a modular design that includes a tunneler, an orchestrator, and a backdoor component, all communicating through secure WebSockets. It is intended to support long-term cyber espionage operations against government and military targets.

Investigation

GTIG performed an in-depth analysis of the STOCKSTAY ecosystem and traced its development back to December 2022. Researchers mapped its modular components, examined its use of environmental keying to decrypt configuration data, and documented its shift from disguising itself as a stock market utility to posing as other benign applications. The investigation also revealed use of K1MORPHER for string obfuscation and links to Turla’s known KAZUAR toolkit.

Mitigation

Organizations should deploy strong monitoring for suspicious .NET application behavior and unusual WebSocket traffic to unfamiliar domains. Defending against initial access through malicious RDP files and strengthening email protections against phishing are also critical. In addition, patching vulnerabilities such as CVE-2025-8088 in WinRAR can help block exploitation-based deployment.

Response

If STOCKSTAY activity is detected, isolate affected hosts immediately to stop further command-and-control communication and lateral movement. Conduct a detailed forensic investigation to determine the full scope of compromise, with particular focus on unauthorized registry changes and newly created scheduled tasks. Network logs should also be reviewed for long-lived WebSocket sessions, and systems should be checked for the presence of STOCKSTAY component files.

Attack Flow

    flowchart TD
        step_initial_access["Initial Access: T1566 – Phishing (Spearphishing attachments like RDP files, MSI, or RAR; Spearphishing links to compromised sites)"]
        step_execution["Execution: T1204.002 – User Execution: Malicious File (HTA files, RDP configs); T1574.014 – Hijack Execution Flow: AppDomainManager (.NET payloads); T1543 – Create or Modify System Process"]
        rules_for_execution("<b>Rule Name</b>: Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)<br/><b>Rule ID</b>: feb459cf-289a-41ab-9241-d8edc232c487")
        step_persistence["Persistence: T1543 – Create or Modify System Process (autorun entries); T1133 – External Remote Services (long-term connectivity)"]
        step_defense_evasion["Defense Evasion: T1036 – Masquerading (renaming to benign utilities); T1027.015 – Obfuscated Files or Information: Compression; T1497.001/002 – Virtualization/Sandbox Evasion via WMI"]
        step_discovery["Discovery: T1012 – Query Registry; T1497.001 – Virtualization/Sandbox Evasion (system/hardware info gathering via WMI)"]
        step_command_and_control["Command and Control: T1102.002/003 – Web Service: Bidirectional/One-Way Communication (WebSocket via Render); T1568 – Dynamic Resolution"]
        rules_for_c2("<b>Rule Name</b>: Possible Publicnode Ethereum Abuse Attempt As C2 Channel (via dns_query)<br/><b>Rule ID</b>: 280e86bf-fad9-4b9c-8867-e2355e3f50ba")
        step_collection_exfiltration["Collection and Exfiltration: T1560.002/003 – Archive Collected Data via Library or Custom Method (in-memory ZIP archives)"]
        step_initial_access -->|leads_to| step_execution
        step_execution -->|enables| step_persistence
        step_execution -.->|detected_by| rules_for_execution
        step_persistence -->|leads_to| step_defense_evasion
        step_defense_evasion -->|enables| step_discovery
        step_discovery -->|leads_to| step_command_and_control
        step_command_and_control -->|enables| step_collection_exfiltration
        step_command_and_control -.->|detected_by| rules_for_c2

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to establish persistence using a tool masquerading as a legitimate Microsoft update component. To evade detection, the attacker has renamed their STOCKSTAY backdoor to MicrosoftUpdateOneDrive.exe and placed it in a temporary directory. The goal is to execute this process to initiate a reverse shell or command-and-control (C2) communication, relying on the “legitimate” name to bypass basic process monitoring.

  • Regression Test Script:

    # Simulation Script: STOCKSTAY Masquerade Execution
    # Stages a renamed copy of cmd.exe under %TEMP% and launches it, so that
    # process-creation telemetry shows a Microsoft-looking binary running
    # from a user-writable directory.
    $MaliciousName = "MicrosoftUpdateOneDrive.exe"
    $TargetDir = Join-Path $env:TEMP "StockstaySim"

    # 1. Create a simulated "malicious" directory and file
    if (!(Test-Path $TargetDir)) { New-Item -Path $TargetDir -ItemType Directory -Force | Out-Null }
    $FakeBinary = Join-Path $TargetDir $MaliciousName

    # 2. Create a dummy executable (using a renamed cmd.exe for simulation purposes)
    Copy-Item (Join-Path $env:SystemRoot "System32\cmd.exe") -Destination $FakeBinary -Force

    Write-Host "[+] Simulation: Created $FakeBinary" -ForegroundColor Cyan

    # 3. Execute the "malicious" process (a hidden cmd.exe that only echoes a marker)
    Write-Host "[+] Simulation: Executing $MaliciousName..." -ForegroundColor Yellow
    Start-Process -FilePath $FakeBinary -ArgumentList "/c echo STOCKSTAY_SIMULATION_ACTIVE" -WindowStyle Hidden

    Write-Host "[+] Simulation: Process execution triggered." -ForegroundColor Green
  • Cleanup Commands:

    # Cleanup Script: removes the staged directory and the renamed cmd.exe copy
    $TargetDir = Join-Path $env:TEMP "StockstaySim"
    if (Test-Path $TargetDir) {
        Remove-Item -Path $TargetDir -Recurse -Force
        Write-Host "[+] Cleanup: Removed simulation directory $TargetDir" -ForegroundColor Green
    } else {
        Write-Host "[-] Cleanup: Simulation directory not found." -ForegroundColor Red
    }
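The simulation above produces one process-creation event that a masquerading detection should catch: a binary with a Microsoft-style name launched from %TEMP%, whose version resource still says it is cmd.exe. The detection logic below is an added example, not a SOC Prime rule and not code from the page; it runs over constructed records shaped like Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage), and the sample events, paths and name patterns are assumptions made for the demonstration. It flags two independent signals: a file name that disagrees with the binary's OriginalFileName (a renamed cmd.exe keeps `Cmd.Exe` in its version info), and a Microsoft-looking name executing from Temp, Downloads or Public. A legitimate OneDrive.exe under AppData is included to show the logic does not fire on vendor binaries that genuinely live in a user profile.

```python
"""Flag processes masquerading as Microsoft components in process-creation telemetry.

Added example, not from the SOC Prime page or any vendor rule. Records are
constructed to look like Sysmon Event ID 1 fields; paths and names are assumed.
"""
import ntpath
import re

# Directories an ordinary user can write to and that are unusual homes for a
# Microsoft binary (AppData\Local is deliberately left out: OneDrive and other
# per-user installers legitimately live there).
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|Public)\\", re.IGNORECASE)

# File names that borrow a Microsoft product prefix. Assumed pattern for the demo.
MS_LOOKALIKE = re.compile(r"^(Microsoft|Windows|OneDrive|MsEdge|Office)\w*\.exe$", re.IGNORECASE)

# Constructed events. The first one is what the simulation script generates
# ($env:TEMP resolves to ...\AppData\Local\Temp on a default profile).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\StockstaySim\MicrosoftUpdateOneDrive.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\StockstaySim\MicrosoftUpdateOneDrive.exe" /c echo STOCKSTAY_SIMULATION_ACTIVE',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "OriginalFileName": "OneDrive.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\bob\Downloads\WindowsUpdate.exe",
     "OriginalFileName": "WindowsUpdate.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\WindowsUpdate.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def masquerade_findings(event):
    """Return the list of reasons an event looks like masquerading (empty if none)."""
    name = ntpath.basename(event["Image"])
    reasons = []

    # Signal 1: on-disk name differs from the name compiled into the version
    # resource. Sysmon records "-" when the binary carries no version info.
    orig = event.get("OriginalFileName", "")
    if orig and orig != "-" and orig.lower() != name.lower():
        reasons.append(f"name mismatch: file={name} original={orig}")

    # Signal 2: Microsoft-style name started from a user-writable staging path.
    if MS_LOOKALIKE.match(name) and USER_WRITABLE.search(event["Image"]):
        reasons.append("Microsoft-style name launched from user-writable path")

    return reasons


def scan(events):
    """Return (file name, reasons) for every event with at least one finding."""
    results = []
    for e in events:
        reasons = masquerade_findings(e)
        if reasons:
            results.append((ntpath.basename(e["Image"]), reasons))
    return results


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(name)
        for r in reasons:
            print("  -", r)
```

The OriginalFileName check is the stronger of the two signals because it does not depend on guessing which names an adversary will choose, but it is a hunting lead rather than a hard rule: some legitimate installers and updaters ship with an OriginalFileName that differs from their on-disk name, so pair it with the path check and the parent process before escalating.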