Google discovers new Russian virus attacking Ukrainian military
Google Threat Intelligence has discovered a new spyware program called STOCKSTAY, created by the notorious Russian hacking group Turla, which is linked to Russian intelligence services.
The main goal of this malware is cyber espionage against Ukrainian military and government agencies, The Hacker News reports.
Describing this Windows backdoor as one that the group is constantly improving, the Google Threat Intelligence Group (GTIG) team noted that the cyberespionage tool has significant similarities in code and functionality to Kazuar, a major spyware family that the attackers have been using since 2017. Development of the malware is likely to have been ongoing since at least December 2022.
“STOCKSTAY is a multi-component backdoor written in .NET using the Windows Forms framework. It communicates with its command-and-control (C2) server over a secure WebSocket connection using the open-source websocket-sharp library,” GTIG reported. “STOCKSTAY consists of several separate components that communicate with each other over an inter-process communication (IPC) channel based on WM_COPYDATA messaging.”
The malware consists of several components that disguise themselves and divide the work among them.
To lure victims, hackers sent emails about education or diplomacy. The main targets were the Ukrainian military and government agencies, although early versions of the virus were also tested at institutions in Italy, the Netherlands, Poland, and Germany (the specific European organizations have not yet been named).
One notable feature of this malware is that the Turla group used it at several different stages of its operations: first, as a way to gain initial access to previously unexplored environments, and second, in a post-exploitation phase after conducting reconnaissance to launch on a specific host.
“This configuration means that at this stage the attacker knows exactly which machine they are targeting, likely due to their existing access to the target environment,” GTIG explained. This was observed in Ukrainian networks, where STOCKSTAY was deployed at the end of an operation that had previously relied primarily on other tools from the group, such as Kazuar.
Analysts suggest that the hackers are running STOCKSTAY in parallel with Kazuar simply to test their new malware in real-world conditions. They often do this where they expect their covert access to be exposed and shut down soon.