Pulling a Russian state backdoor off one server feels like a win. It is rarely the end of the intrusion. Google's threat intelligence team has tied the long-running Russian group Turla to a previously undocumented backdoor it calls STOCKSTAY, used against Ukrainian government and military networks. The malware matters less for what it does than for how it is built. STOCKSTAY is four interchangeable parts whose code overlaps with Turla's older Kazuar family, which means deleting the piece your tools caught can leave the rest of the intrusion untouched. Eviction here is an operation, not a delete key.
What Google actually found
Turla is a Russian state group that researchers connect to the FSB intelligence service, and other vendors file the same actor under the names Secret Blizzard and Venomous Bear. The Record reports that Google dates the project to around December 2022, with the first public sample surfacing roughly a year later. Targeting concentrates on Ukrainian government and defense, with related samples seen in Italy, the Netherlands, Poland, and Germany.
STOCKSTAY is written in .NET on the Windows Forms framework and split into four named components: a downloader, a tunneler that opens an encrypted WebSocket channel using the open-source websocket-sharp library, the main information-gathering backdoor, and an orchestrator that coordinates the other three. Between them they enumerate and delete files, capture screenshots, read and write the registry, run processes, profile the host, and unpack archives. None of that is exotic. The design is the point: the group can lose a component and keep working through the ones that remain.
The new part is the implant, not the way in
Read the delivery chain and a pattern jumps out. Every step rides an ordinary, patchable weakness. SecurityWeek and Google describe a delivery mix that includes phishing with rigged remote-desktop config files, booby-trapped RAR archives that abuse the WinRAR flaw CVE-2025-8088, installer packages staged on GitHub, and scripts that pull payloads from hacked WordPress sites. The lures lean on academic and diplomatic themes, sometimes sent from compromised university accounts.
Here is the claim worth sitting with. The only genuinely new thing in this campaign is the implant. The access methods are commodity. A malicious .rdp attachment, much like a fake invoice that quietly installs real IT software, works because the file looks legitimate, and Russian operators have used that exact trick before. The WinRAR bug was patched in 2025. If your phishing controls, WinRAR patch state, and outbound remote-desktop rules are already tight, you closed the front door before STOCKSTAY ever loaded. Nation-state delivery often runs on the same weaknesses you already track for commodity crews.
How do you spot a backdoor that hides in normal web traffic?
STOCKSTAY's tunneler speaks over an encrypted WebSocket, which blends into the ordinary outbound web traffic every host generates. Inspecting packet contents will not save you. The useful pivot is process lineage. A .NET Windows Forms binary that opens a long-lived outbound WebSocket connection is unusual on a server, and that behavior is far rarer than the traffic it produces.
Two more hunts pay off. Remote-desktop sessions that start from a process spawned by an email client or an archive tool, rather than from a user opening the remote-desktop app, are a strong signal of a malicious .rdp attachment doing its job. And check WinRAR versions across the fleet; an unpatched copy is the foothold the archive stage needs. These are low-noise queries, which is what you want against an actor that is patient and quiet. The same instinct applies whether the channel is a WebSocket here or, in other recent cases, a command channel tucked inside trusted infrastructure.
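As an added illustration of those two hunts (example code written for this piece, not code from Google's report or from any Turla tooling), the Python below runs them over constructed process and flow records. The record schema, host names, file paths and 203.0.113.x addresses are all assumptions; in practice the process lineage and module loads would come from Sysmon or an EDR, the flow durations from a network sensor, and the allowlist of .NET applications that legitimately hold long sessions would be tuned per environment.

```python
# Added example, not from the article or Google's report: two low-noise hunts over
# constructed endpoint telemetry. Field names loosely mirror Sysmon-style process,
# image-load and network records, but the schema is an assumption for illustration.
from dataclasses import dataclass
from typing import Iterable

# Parents that have no business launching a remote-desktop client.
MAIL_AND_ARCHIVE_PARENTS = {"outlook.exe", "thunderbird.exe", "winrar.exe", "7zfm.exe"}
RDP_CLIENTS = {"mstsc.exe"}
# A process that loaded the CLR is a .NET process (Framework or .NET Core/5+).
CLR_MODULES = {"clr.dll", "coreclr.dll"}
# Tune per environment: .NET apps known to hold legitimate long outbound sessions
# (PowerShell and many management agents load the CLR too). Empty here on purpose.
KNOWN_DOTNET_NETWORK_APPS: set = set()


@dataclass
class Process:
    pid: int
    host: str
    image: str                  # full path of the executable
    parent_image: str           # full path of the parent's executable
    loaded_modules: tuple = ()  # module base names seen in image-load events


@dataclass
class Flow:
    pid: int
    host: str
    dest_ip: str
    dest_port: int
    duration_s: int   # how long the TCP session stayed open
    outbound: bool    # initiated by this host


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rdp_from_mail_or_archive(procs: Iterable[Process]) -> list:
    """Hunt 1: remote-desktop client spawned by a mail client or archive tool,
    the lineage a malicious .rdp attachment produces when a user opens it."""
    return [p for p in procs
            if basename(p.image) in RDP_CLIENTS
            and basename(p.parent_image) in MAIL_AND_ARCHIVE_PARENTS]


def is_dotnet(p: Process) -> bool:
    return any(m.lower() in CLR_MODULES for m in p.loaded_modules)


def dotnet_long_lived_egress(procs, flows, server_hosts, min_duration_s=1800):
    """Hunt 2: .NET process holding a long outbound session on a web port.
    A WebSocket tunnel is one TCP session that stays open, so the flow's
    duration, not its (encrypted) payload, is the tell. Servers rank higher."""
    by_key = {(p.host, p.pid): p for p in procs}
    hits = []
    for f in flows:
        p = by_key.get((f.host, f.pid))
        if p is None or not f.outbound or f.dest_port not in (80, 443):
            continue
        if f.duration_s < min_duration_s or not is_dotnet(p):
            continue
        if basename(p.image) in KNOWN_DOTNET_NETWORK_APPS:
            continue
        severity = "high" if p.host in server_hosts else "medium"
        hits.append((p, f, severity))
    return hits


# Constructed sample telemetry (hosts, paths and TEST-NET addresses are made up).
SERVER_HOSTS = {"SRV01"}
SAMPLE_PROCS = [
    Process(100, "WS01", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
            r"C:\Windows\explorer.exe"),
    Process(101, "WS01", r"C:\Windows\System32\mstsc.exe",
            r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),      # hunt 1 hit
    Process(102, "WS02", r"C:\Windows\System32\mstsc.exe", r"C:\Windows\explorer.exe"),  # normal
    Process(200, "SRV01", r"C:\Users\svc\AppData\Local\Temp\updater.exe",
            r"C:\Windows\System32\cmd.exe", ("kernel32.dll", "clr.dll")),           # .NET on a server
    Process(201, "SRV01", r"C:\Program Files\Vendor\agent.exe",
            r"C:\Windows\System32\services.exe", ("kernel32.dll",)),               # native, not .NET
    Process(300, "WS02", r"C:\Users\bob\AppData\Local\Apps\sync.exe",
            r"C:\Windows\explorer.exe", ("coreclr.dll",)),                          # .NET on a workstation
]
SAMPLE_FLOWS = [
    Flow(200, "SRV01", "203.0.113.10", 443, 7200, True),  # long WebSocket-like session
    Flow(201, "SRV01", "203.0.113.11", 443, 7200, True),  # long, but not a .NET process
    Flow(300, "WS02", "203.0.113.13", 443, 3600, True),
    Flow(101, "WS01", "203.0.113.12", 3389, 60, True),    # RDP port, outside hunt 2's scope
]

if __name__ == "__main__":
    for p in rdp_from_mail_or_archive(SAMPLE_PROCS):
        print(f"[rdp-lineage] {p.host} pid={p.pid} {basename(p.parent_image)} -> {basename(p.image)}")
    for p, f, sev in dotnet_long_lived_egress(SAMPLE_PROCS, SAMPLE_FLOWS, SERVER_HOSTS):
        print(f"[dotnet-egress:{sev}] {p.host} pid={p.pid} {p.image} -> {f.dest_ip}:{f.dest_port} ({f.duration_s}s)")
```

Both hunts key on lineage and session shape rather than packet contents, which is why they stay quiet: on the sample data only the mail-spawned mstsc.exe and the two CLR-loading processes with hour-plus sessions surface, and the native agent with an equally long session does not. The allowlist is the knob that keeps the second hunt from lighting up on every PowerShell-based management tool.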
What to do this week
- Patch WinRAR everywhere it is installed and confirm the update reached endpoints, not just the golden image. CVE-2025-8088 is the archive-stage foothold.
- Alert on remote-desktop sessions started by mail or archive processes, and consider blocking .rdp files at the mail gateway. There is rarely a business reason to receive one by email.
- Hunt for .NET processes holding persistent outbound WebSocket connections, and review egress from servers that should not be talking to the open internet at all.
- Treat any confirmed Turla component as evidence of a broader presence. Because STOCKSTAY shares code with Kazuar and runs as redundant parts, scope the whole environment before you call it clean.
That last point is the durable lesson. Google's read is that Turla is deliberately running parallel, redundant toolsets so losing one tool does not cost it access. We have watched the same pattern in a decade-long authentication-stack persistence by another state actor: the eviction that counts is the one that assumes the first thing you found is not the only thing there. If you have tracked how a modern backdoor is tuned to survive the detection window, STOCKSTAY fits the same direction of travel. The novelty budget goes into staying resident, not into breaking down the door. Defenders who plan for that recover faster than defenders who delete one file and exhale.