STOCKSTAY: Turla's .NET Backdoor and the Expanding Nation-State Arsenal

Google Threat Intelligence Group documents a modular .NET implant that Turla has been developing since 2022 — one more tool in an apparatus that has compromised victims across 50+ countries.

Another Tool in a Twenty-Year-Old Apparatus

In late June 2026, Google Threat Intelligence Group published a detailed analysis of STOCKSTAY, a previously undocumented .NET backdoor attributed to Turla, the Russia-linked cyber espionage group that the US Department of Justice tied to the FSB's Center 16 during Operation MEDUSA in 2023. STOCKSTAY is not new malware caught mid-deployment. GTIG traces its development back to at least December 2022, meaning it had been built, iterated on, and used operationally for over three years before appearing in public threat intelligence. That timeline is the point: nation-state actors build tools faster than defenders catalog them.

50+
Countries with confirmed Turla victims
Source: MITRE ATT&CK Group G0010

Modular, Encrypted, and Hosted on Consumer Platforms

STOCKSTAY is a multi-component .NET implant built on the Windows Forms framework, with three distinct modules: STOCKBROKER handles network tunneling, STOCKMARKET manages orchestration and configuration, and STOCKTRADER executes espionage tasks including file collection, screen capture, registry manipulation, and remote execution. Communication with command-and-control infrastructure runs over WebSocket connections using the open-source websocket-sharp library. On first execution, the implant generates a unique 4096-bit RSA key pair and transmits its public key to upstream infrastructure so that outbound task results can be encrypted server-side. GTIG observed Turla hosting STOCKSTAY controllers on consumer platforms including Render and Glitch — infrastructure that blends into normal web traffic and complicates network-level detection.

4,096-bit
RSA key size generated per STOCKSTAY implant
Source: GTIG, 'STOCKSTAY Another Day,' June 2026
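
A hunting sketch for the network-detection problem described above, added here as an example and not taken from GTIG's report: it picks completed WebSocket handshakes to consumer hosting platforms out of proxy logs and ranks non-browser clients first. The domain suffixes (assumed default app domains for Render and Glitch), the log field names and the sample records are all assumptions constructed for illustration.

```python
import json

# Assumption: default app domains for the platforms the article names (Render, Glitch).
PAAS_SUFFIXES = (".onrender.com", ".glitch.me")

# Constructed proxy records (JSON lines); hosts and field names are hypothetical.
SAMPLE_LOG = """
{"ts":"2026-06-30T08:01:12Z","src":"ws-fin-07","host":"team-notes.glitch.me","status":101,"upgrade":"websocket","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
{"ts":"2026-06-30T08:03:40Z","src":"srv-mail-02","host":"api-status-check.onrender.com","status":101,"upgrade":"WebSocket","ua":""}
{"ts":"2026-06-30T09:03:41Z","src":"srv-mail-02","host":"API-Status-Check.onrender.com","status":101,"upgrade":"websocket","ua":""}
{"ts":"2026-06-30T09:10:00Z","src":"ws-hr-11","host":"chat.example.org","status":101,"upgrade":"websocket","ua":"Mozilla/5.0"}
{"ts":"2026-06-30T09:11:00Z","src":"ws-hr-11","host":"portal.onrender.com","status":200,"upgrade":"","ua":"Mozilla/5.0"}
{"ts":"2026-06-30T09:12:00Z","src":"ws-dev-03","host":"notonrender.com","status":101,"upgrade":"websocket","ua":""}
truncated-record {"ts":
"""


def is_paas_websocket(rec):
    """True for a completed WebSocket handshake (HTTP 101) to a listed platform."""
    host = str(rec.get("host", "")).lower().rstrip(".")
    upgraded = rec.get("status") == 101 and str(rec.get("upgrade", "")).lower() == "websocket"
    # The leading dot in each suffix stops look-alikes such as notonrender.com matching.
    return upgraded and host.endswith(PAAS_SUFFIXES)


def hunt(log_text):
    """Group matching sessions by (source, host); rank non-browser clients first."""
    groups = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines rather than abort the hunt
        if not isinstance(rec, dict) or not is_paas_websocket(rec):
            continue
        key = (str(rec.get("src", "?")), str(rec["host"]).lower().rstrip("."))
        # first_seen is the first matching record in file order.
        g = groups.setdefault(key, {"src": key[0], "host": key[1], "sessions": 0,
                                    "non_browser": 0, "first_seen": rec.get("ts")})
        g["sessions"] += 1
        # Heuristic only: a user agent is trivially spoofed, so this ranks, not proves.
        if not str(rec.get("ua", "")).startswith("Mozilla/"):
            g["non_browser"] += 1
    return sorted(groups.values(), key=lambda g: (-g["non_browser"], g["src"]))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Because these platforms also carry legitimate traffic, the output is a review queue: a server that has no business reason to hold repeated WebSocket sessions to a consumer-hosted app is the lead worth following up.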

Government and Diplomatic Targets Across Five Countries

STOCKSTAY campaigns have consistently used academic- and diplomatic-themed lures to target government and military organizations in Ukraine, with early versions deployed against entities in Italy, the Netherlands, Poland, and Germany. GTIG documented phishing emails sent from compromised university accounts and abuse of a diplomatic education platform to distribute malicious files. The targeting pattern is consistent with Turla's two-decade operational history: government agencies, embassies, military entities, and research institutions. What changes is the tooling. STOCKSTAY shares significant code and functional overlaps with Kazuar, a Turla implant in use since 2017, but represents a distinct development effort — a parallel track in an arsenal that already includes ComRAT, Snake, Carbon, TinyTurla, and more than a dozen other documented malware families.

Active since at least 2004
Turla operational history
Source: MITRE ATT&CK Group G0010; US DOJ Operation MEDUSA (2023)

.NET Infrastructure as Attack Surface

STOCKSTAY's construction as a .NET Windows Forms application is a deliberate choice. It allows the implant to blend into environments where .NET is the default application framework — government IT systems, enterprise intranets, internal web services. Organizations running .NET web applications and backend services face exposure to this class of threat not because of a specific vulnerability in .NET itself, but because the framework is the environment these implants are designed to inhabit. The implant's environmental keying capability — restricting execution to a specific host or domain — means Turla can tailor each deployment to a particular target's infrastructure, reducing the chance of detection by sandboxes or researchers running it outside the intended environment.

5 (Ukraine, Italy, Netherlands, Poland, Germany)
Targeted countries confirmed in STOCKSTAY campaigns
Source: GTIG, 'STOCKSTAY Another Day,' June 2026

The Cataloging Gap

MITRE ATT&CK tracks 174 threat groups as of April 2026. Turla, designated G0010, is among the most extensively documented. Yet STOCKSTAY — an implant in active development for three-plus years — only entered the public record this month. That gap between operational deployment and public documentation is not unique to Turla, but it illustrates the asymmetry that defines nation-state cyber operations. By the time defenders have indicators of compromise for one tool, the next is already deployed. For organizations operating .NET web infrastructure in government, diplomatic, or defense-adjacent sectors, the takeaway is operational: assume the threat landscape includes tools that do not yet have names.

174
Threat groups tracked in MITRE ATT&CK (April 2026)
Source: MITRE ATT&CK v17 updates, April 2026