Another Tool in a Twenty-Year-Old Apparatus
In late June 2026, Google Threat Intelligence Group published a detailed analysis of STOCKSTAY, a previously undocumented .NET backdoor attributed to Turla — the Russia-linked cyber espionage group that the US Department of Justice tied to the FSB's Center 16 during Operation MEDUSA in 2023. STOCKSTAY is not new malware caught mid-deployment. GTIG traces its development back to at least December 2022, meaning it had been built, iterated, and used operationally for more than three years before it surfaced in public threat intelligence. That timeline is the point: nation-state actors build tools faster than defenders catalog them.
Modular, Encrypted, and Hosted on Consumer Platforms
STOCKSTAY is a multi-component .NET implant built on the Windows Forms framework, with three distinct modules: STOCKBROKER handles network tunneling, STOCKMARKET manages orchestration and configuration, and STOCKTRADER executes espionage tasks including file collection, screen capture, registry manipulation, and remote execution. Communication with command-and-control infrastructure runs over WebSocket connections using the open-source websocket-sharp library. On first execution, the implant generates a unique 4096-bit RSA key pair and transmits its public key to upstream infrastructure so that outbound task results can be encrypted server-side. GTIG observed Turla hosting STOCKSTAY controllers on consumer platforms including Render and Glitch — infrastructure that blends into normal web traffic and complicates network-level detection.
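The combination described above, WebSocket command-and-control hosted on consumer platforms, is something a defender can hunt for in egress logs even without a sample of the implant. The script below is an added example written for this article; it is not GTIG's code and contains nothing from STOCKSTAY itself. It assumes the platforms' default hostname suffixes (onrender.com for Render, glitch.me for Glitch; both are assumptions, not values from the report) and uses a constructed, simplified proxy log format of the shape "timestamp source-ip process host method path status upgrade=...". It flags WebSocket upgrades (HTTP 101 with an Upgrade: websocket exchange) to those platforms as high-severity and plain HTTP to them as low-severity, then groups repeated high-severity hits by source host and process.

```python
"""Triage egress proxy log lines for WebSocket C2 to consumer hosting platforms.

Added example for this article, not GTIG's or the report's code. The hostname
suffixes and the log line format below are assumptions made for the demo.
"""
import re
from collections import Counter

# ASSUMPTION: default hostname suffixes of the consumer platforms named in the
# report (Render, Glitch). Extend this tuple with whatever your environment uses.
CONSUMER_PLATFORM_SUFFIXES = ("onrender.com", "glitch.me")

# Constructed log format: ts src_ip process host method path status upgrade=<value>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<host>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) upgrade=(?P<upgrade>\S+)$"
)

# Constructed sample log: one .NET-looking process opening repeated WebSocket
# sessions to a Render subdomain, one benign browser visit to a Glitch page,
# and a look-alike host that must NOT match the suffix check.
SAMPLE_LOG = """\
2026-06-20T09:14:02Z 10.0.5.17 outlook.exe mail.example.gov GET /owa/ 200 upgrade=-
2026-06-20T09:14:09Z 10.0.5.17 reportviewer.exe abc-1234.onrender.com GET /ws 101 upgrade=websocket
2026-06-20T09:15:11Z 10.0.5.22 chrome.exe docs.glitch.me GET /index.html 200 upgrade=-
2026-06-20T09:16:40Z 10.0.5.17 reportviewer.exe abc-1234.onrender.com GET /ws 101 upgrade=websocket
2026-06-20T09:17:03Z 10.0.5.30 teams.exe fakeonrender.com GET / 200 upgrade=-
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_consumer_platform(host):
    """Suffix match with a label boundary so 'fakeonrender.com' does not match."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in CONSUMER_PLATFORM_SUFFIXES)


def is_websocket_upgrade(rec):
    """A completed WebSocket handshake is a 101 response with Upgrade: websocket."""
    return rec["status"] == "101" and rec["upgrade"].lower() == "websocket"


def triage(lines):
    """Return findings (parsed record plus severity/reason) for consumer-platform traffic."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_consumer_platform(rec["host"]):
            continue
        if is_websocket_upgrade(rec):
            severity, reason = "high", "WebSocket upgrade to consumer hosting platform"
        else:
            severity, reason = "low", "plain HTTP to consumer hosting platform"
        findings.append({**rec, "severity": severity, "reason": reason})
    return findings


def repeat_offenders(findings, min_count=2):
    """Group high-severity hits by (source, process, host); repeats suggest a session pattern."""
    counts = Counter(
        (f["src"], f["proc"], f["host"]) for f in findings if f["severity"] == "high"
    )
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['proc']} -> {f['host']}: {f['reason']}")
    for (src, proc, host), n in repeat_offenders(results).items():
        print(f"repeat: {src} {proc} -> {host} x{n}")
```

The low-severity tier exists because developers legitimately browse and deploy to these platforms; the signal worth paging on is a non-browser process completing repeated WebSocket handshakes to the same consumer-hosted endpoint. Replace the regex with whatever your proxy or Zeek `http.log` schema actually emits, and note that the label-boundary check in `is_consumer_platform` is what keeps look-alike domains from matching.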
Government and Diplomatic Targets Across Five Countries
STOCKSTAY campaigns have consistently used academic- and diplomatic-themed lures to target government and military organizations in Ukraine, with early versions deployed against entities in Italy, the Netherlands, Poland, and Germany. GTIG documented phishing emails sent from compromised university accounts and abuse of a diplomatic education platform to distribute malicious files. The targeting pattern is consistent with Turla's two-decade operational history: government agencies, embassies, military entities, and research institutions. What changes is the tooling. STOCKSTAY shares significant code and functional overlaps with Kazuar, a Turla implant in use since 2017, but represents a distinct development effort — a parallel track in an arsenal that already includes ComRAT, Snake, Carbon, TinyTurla, and more than a dozen other documented malware families.
.NET Infrastructure as Attack Surface
STOCKSTAY's construction as a .NET Windows Forms application is a deliberate choice. It allows the implant to blend into environments where .NET is the default application framework — government IT systems, enterprise intranets, internal web services. Organizations running .NET web applications and backend services face exposure to this class of threat not because of a specific vulnerability in .NET itself, but because the framework is the environment these implants are designed to inhabit. The implant's environmental keying capability — restricting execution to a specific host or domain — means Turla can tailor each deployment to a particular target's infrastructure, reducing the chance of detection by sandboxes or researchers running it outside the intended environment.
The Cataloging Gap
MITRE ATT&CK tracks 174 threat groups as of April 2026. Turla, designated G0010, is among the most extensively documented. Yet STOCKSTAY — an implant in active development for three-plus years — only entered the public record this month. That gap between operational deployment and public documentation is not unique to Turla, but it illustrates the asymmetry that defines nation-state cyber operations. By the time defenders have indicators of compromise for one tool, the next is already deployed. For organizations operating .NET web infrastructure in government, diplomatic, or defense-adjacent sectors, the takeaway is operational: assume the threat landscape includes tools that do not yet have names.