Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks
On May 15, 2024, Google Threat Intelligence detailed a new .NET backdoor, named STOCKSTAY, which is attributed to the Russian state-sponsored threat actor Turla. The backdoor has been observed targeting government and military organizations in Ukraine, as well as entities with interests in Italian foreign policy. Google's analysis indicates that STOCKSTAY is under continuous development by the Turla hacking group, suggesting an ongoing and evolving campaign.

The backdoor provides remote access and control, enabling sophisticated espionage operations. Its use of the .NET framework suggests a modern approach to malware development, potentially allowing for cross-platform compatibility or easier integration into Windows environments. The specific targeting of entities related to Italian foreign policy indicates a strategic focus by Turla, possibly aimed at gathering intelligence on diplomatic relations or sensitive political matters.

The discovery highlights the continuing threat that advanced persistent threat (APT) groups pose to national security and foreign policy interests. Google Threat Intelligence's reporting gives cybersecurity professionals and government agencies insight they can use to strengthen their defenses against such attacks.
Original source: read the full reporting at The Hacker News.