Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks
Summary
Google Threat Intelligence has identified a new .NET backdoor named STOCKSTAY, attributed to the Russian state-sponsored threat actor Turla. This backdoor has been deployed against government and military organizations in Ukraine, as well as entities interested in Italian foreign policy. The group continues to develop this Windows backdoor for use in espionage attacks.
IFF Assessment
The discovery of a new, actively developed backdoor used by a state-sponsored threat actor for espionage poses a significant threat to defenders.
Defender Context
Defenders, especially those in government, military, or foreign policy sectors related to Ukraine and Italy, need to be vigilant against STOCKSTAY. Organizations should focus on detecting .NET-based backdoors, reviewing network traffic for C2 communication patterns associated with Turla, and implementing robust endpoint detection and response (EDR) solutions. Staying updated on IOCs related to STOCKSTAY is crucial to prevent successful espionage and data exfiltration.