Analysis of a .NET backdoor tracked as STOCKSTAY exposes a mature, modular espionage implant actively developed and deployed by the Russia-linked Turla cluster since at least December 2022.
STOCKSTAY demonstrates several operational techniques designed to maximize stealth and survivability: secure WebSocket-based C2, asymmetric encryption using a 4096-bit RSA keypair, inter-component IPC, and environment-based keying of configuration material.
These design choices, along with code and architectural overlaps with Turla’s KAZUAR toolkit, indicate STOCKSTAY is a deliberate addition to a long-standing nation-state toolkit optimized for targeted reconnaissance and data exfiltration.
At runtime STOCKSTAY separates functionality across distinct .NET components: STOCKBROKER (network tunneler), STOCKMARKET (orchestrator/config manager), and STOCKTRADER (backdoor/task executor).
STOCKBROKER establishes proxied wss:// WebSocket sessions using a bespoke build of the open-source websocket-sharp library, isolating network traffic from host activity and enabling operators to blend payload messaging into otherwise legitimate WebSocket flows.
STOCKMARKET loads an encrypted on-disk configuration that is frequently disguised as stock market or crypto-service metadata; that configuration contains C2 endpoints, an internal server identifier, and flags controlling operational windows and environmental keying.
Google Cloud said in a report shared with GBhackers that STOCKSTAY is a multi-component backdoor written in .NET using the Windows Forms framework, which communicates with its command and control (C2) server over a secure WebSocket connection.
On first execution the implant generates a unique 4096-bit RSA keypair and transmits its public key to upstream infrastructure so that outbound task results can be encrypted server-side, ensuring confidentiality even when traffic traverses third-party hosting platforms.
STOCKSTAY Malware Uses WebSocket C2
The C2 server implemented by the actors is lightweight and WebSocket-first. GTIG located a Python Tornado-based controller in a public GitHub repository and observed the threat actor hosting these controllers on third-party platforms such as Render and glitch.me, complicating takedown and attribution.
The server acts as a message store, decoupling operator controllers from edge-facing WebSocket relays by inserting encrypted messages into a local SQLite database.
This multi-hop design mirrors KAZUAR’s infrastructure model and adds operational flexibility: operators can push encrypted tasking to intermediate infrastructure without exposing the origin or decryptable payloads to platform providers.
STOCKSTAY’s use of environmental keying is notable. Configuration decryption can require a hash derived from host attributes (hostname, domain, and in some cases username), preventing the payload from revealing C2 locations or operational details outside the intended environment.

GTIG observed two operational patterns: initial deployments using extractable default passwords to gain footholds where the actor lacks deep knowledge of the target, and stage-later deployments where recon allowed precise environmental keying that restricts execution to a specific host or domain.
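To make the analyst-side consequence of the two deployment patterns concrete, here is an added Python example that is not from the report, from GTIG, or from the malware itself: given a captured encrypted configuration, it tries an extracted default password first and then every combination of hostname, domain and username, the way a triage workflow would. The key derivation and cipher are constructed stand-ins (SHA-256 key, HMAC-based keystream), since the report does not describe STOCKSTAY's actual scheme, and all host values and config fields are made up.

```python
"""Environmental keying seen from the analyst's side. Constructed demo scheme,
NOT STOCKSTAY's real algorithm: key = SHA-256 over chosen host attributes,
keystream = HMAC-SHA256(key, block counter), config XORed with the keystream."""
import hashlib
import hmac
import itertools
import json

def derive_key(*attrs: str) -> bytes:
    # Assumed derivation (demo only): lower-cased attributes joined by '|'
    return hashlib.sha256("|".join(a.lower() for a in attrs).encode()).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Symmetric: the same call encrypts and decrypts
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def candidate_keys(hostname, domain, username, default_password=None):
    """Yield (label, key) in the order an analyst would try them: an extracted
    default password first, then every combination of hostname, domain and
    username (covering the 'in some cases username' variant)."""
    if default_password:
        yield "default-password", derive_key(default_password)
    attrs = {"hostname": hostname, "domain": domain, "username": username}
    for n in (1, 2, 3):
        for combo in itertools.combinations(attrs, n):
            yield "+".join(combo), derive_key(*(attrs[a] for a in combo))

def recover_config(blob, hostname, domain, username, default_password=None):
    """Return (label, config) for the first candidate that yields a
    config-shaped JSON document, or (None, None) off the intended host."""
    for label, key in candidate_keys(hostname, domain, username, default_password):
        try:
            cfg = json.loads(keystream_xor(key, blob).decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # wrong key: not valid UTF-8 or not valid JSON
        if isinstance(cfg, dict) and "c2" in cfg:
            return label, cfg
    return None, None

# Constructed sample: a config keyed to the intended victim's hostname+domain
SAMPLE_CONFIG = {"c2": ["wss://relay.example.invalid/ws"], "server_id": "demo-01"}
SAMPLE_BLOB = keystream_xor(derive_key("WS-FIN-07", "corp.example"),
                            json.dumps(SAMPLE_CONFIG).encode())
```

Run against `SAMPLE_BLOB` with the matching hostname and domain the config is recovered under the label `hostname+domain`; on any other host every candidate fails and the C2 endpoints stay opaque, which is exactly what the keying is meant to achieve against sandboxes.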
Functionally STOCKTRADER supports a full set of espionage primitives: file collection (selective Get and in-memory zipping), remote execution, registry manipulation, screen capture, directory enumeration, and multi-task orchestration.
The implant encrypts outbound payloads using its RSA key and encodes messages in base64 before transmission, minimizing plaintext artifacts.
The actor also leverages decoy lures with academic and diplomatic themes, malicious RDP files, and MSI packages with plausible product names to steer phishing and initial access campaigns, with a heavy operational focus on Ukrainian government and military targets and select European foreign-policy interests.
Code-level ties to KAZUAR are evident: identical multi-component separation of duties, shared string-obfuscation techniques (including the Squirrel3-based K1MORPHER routines), and reuse of .NET development patterns.
GTIG assesses with moderate confidence that common developers or teams are iterating across both projects.