Dev.Ua
New Russian STOCKSTAY Spyware Targets Ukrainian Military
Google Threat Intelligence has identified a new spyware named STOCKSTAY, developed by the Russian hacking group Turla, aimed at Ukrainian military and government entities. This Windows backdoor is designed for cyber espionage and has been in development since at least December 2022. STOCKSTAY shares significant code similarities with the Kazuar spyware, which has been active since 2017. The malware operates through a multi-component architecture and uses secure WebSocket connections for communication with its command-and-control server. Attackers have employed social engineering tactics, such as phishing emails related to education and diplomacy, to lure victims. While primarily targeting Ukraine, early versions of STOCKSTAY were also tested on institutions in Italy, the Netherlands, Poland, and Germany. Analysts suggest that the simultaneous use of STOCKSTAY and Kazuar indicates a testing phase for the new malware in real-world conditions.
Key Points:
• STOCKSTAY is a new spyware targeting Ukrainian military and government agencies.
• Developed by the Turla group, it shares code similarities with the Kazuar spyware.
• Attackers use phishing emails to lure victims, with testing also conducted in several European countries.