Turla STOCKSTAY phishing campaign targeting Ukraine and Europe

Campaign
First reported
Last updated
Happening score
H score 37
1 unique source, 1 article

Summary

Turla's STOCKSTAY phishing campaign is targeting government and military organizations in Ukraine and selected European entities, extending a recurring espionage operation. The operation uses academic- or diplomatic-themed lures to deliver the malware and has been observed across early 2025 and November 2025. Later waves used RAR archives that exploited CVE-2025-8088 in WinRAR, showing the campaign's delivery methods evolved over time.

Related Happenings

Turla STOCKSTAY .NET backdoor deployment

Malware Activity
H score 27 · First: 26.06.2026 10:15 · Last: 26.06.2026 10:15 · Sources: 1

How related: The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called STOCKSTAY that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy.

About this happening: Turla's **STOCKSTAY** backdoor has been newly detailed as a **.NET espionage implant** used against **government and military organizations in Ukraine** and entities linked to **I...

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
H score 28 · First: 16.05.2026 17:15 · Last: 16.05.2026 17:15 · Sources: 1

About this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...

CANFAIL phishing campaign impersonating Ukrainian energy organizations

Campaign
H score 32 · First: 13.02.2026 19:27 · Last: 13.02.2026 19:27 · Sources: 1

About this happening: A **previously undocumented threat actor** is running a **CANFAIL phishing campaign** that impersonates **Ukrainian energy organizations** to gain unauthorized access to email acc...

Tomiris 2025 government-targeting campaign

Campaign
H score 32 · First: 01.12.2025 07:07 · Last: 01.12.2025 07:07 · Sources: 1

About this happening: The **Tomiris 2025 campaign** is using **phishing** and **public-service C2** to target **foreign ministries**, **intergovernmental organizations**, and **government entities**, i...

Timeline

  1. 26.06.2026 10:15 · 2 articles · 4h ago

    Turla STOCKSTAY phishing campaign targeting Ukraine and Europe

    Initial Disclosure

    In **early 2025**, Turla used a **phishing email** with a **malicious RDP file attachment** to establish contact with actor-controlled infrastructure before deploying additional payloads. The operation later broadened into a **November 2025** wave using **RAR archives** that exploited **CVE-2025-8088** in **WinRAR**.
