Turla STOCKSTAY .NET backdoor deployment
Malware Activity
Summary
Turla's STOCKSTAY backdoor has been newly detailed as a .NET espionage implant used against government and military organizations in Ukraine and entities linked to Italian foreign policy. The malware runs as a multi-component Windows Forms backdoor with secure WebSocket C2, letting operators route commands through separate downloader, tunneler, backdoor, and controller modules. Delivery has included phishing emails, malicious RDP files, MSI installers, and RAR archives; a November 2025 wave used CVE-2025-8088 in WinRAR. Suspected development traces back to December 2022, and the implant shares design overlaps with Kazuar.
Related Happenings
Turla STOCKSTAY phishing campaign targeting Ukraine and Europe
Campaign
H score: 37
First: 26.06.2026 10:15
Last: 26.06.2026 10:15
Sources 1
How related:
Attacks distributing STOCKSTAY have consistently leveraged academic- or diplomatic-themed lures to target government and military organizations within Ukraine, with early versions of the backdoor used in attacks aimed at entities in Italy, the Netherlands, Poland, and Germany.
About this happening:
Turla's **STOCKSTAY** phishing campaign is targeting **government and military organizations in Ukraine** and selected **European entities**, extending a recurring espionage opera...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
H score: 40
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
Timeline
26.06.2026 10:15 2 articles · 4h ago
Turla STOCKSTAY .NET backdoor deployment
Initial Disclosure:
The earliest observed phase centered on a newly attributed **Turla** backdoor, **STOCKSTAY**, with suspected development activity reaching back to **December 2022**. Initial deployments targeted **Ukraine** and other European entities of interest, indicating an espionage-focused rollout.
- Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks — thehackernews.com — 26.06.2026 10:15