Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/Threats/STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
Threats

STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit

Key Takeaways A new cyber-espionage campaign is deploying the STOCKSTAY backdoor against targets in Ukraine. The attackers, linked to the Russian state-sponsored Turla group, are leveraging malicious...

David kimber
David kimber
July 7, 2026 4 Min Read
3 0

Key Takeaways

  • A new cyber-espionage campaign is deploying the STOCKSTAY backdoor against targets in Ukraine.
  • The attackers, linked to the Russian state-sponsored Turla group, are leveraging malicious Remote Desktop Protocol (RDP) files and a recently patched WinRAR vulnerability (CVE-2025-8088).
  • STOCKSTAY employs a modular design, mimics legitimate software, and utilizes sophisticated command-and-control (C2) evasion techniques, including legitimate cloud platforms and a “dead drop” mailbox system.
  • The backdoor establishes persistence by dropping shortcut files into the Windows startup folder, ensuring it restarts with the system.
  • Organizations, particularly those in Ukraine, should prioritize patching WinRAR, enhancing user awareness, and monitoring outbound network traffic to detect and mitigate this threat.

A sophisticated cyber-espionage operation, recently brought to light, is actively deploying a stealthy backdoor identified as STOCKSTAY on computer systems within Ukraine. This campaign exploits deceptive Remote Desktop Protocol (RDP) files and a recently addressed vulnerability in WinRAR to achieve its objectives.

Table Of Content

  • Key Takeaways
  • Attribution to Turla APT Group
  • Exploiting RDP Files and WinRAR Vulnerability
  • Advanced Evasion Techniques
  • What You Should Do

The STOCKSTAY malware is designed to evade detection by masquerading as benign applications, such as stock market monitoring tools and calculator utilities. This tactic allows it to operate discreetly while systematically gathering sensitive intelligence from compromised machines.

Constructed in .NET, STOCKSTAY features a modular architecture comprising distinct components, each responsible for specific functions like command and control (C2) communications, file exfiltration, and command execution. This design offers attackers significant flexibility, enabling them to modify or replace individual modules without redeveloping the entire malware, thereby complicating defensive efforts and analysis.

Attribution to Turla APT Group

Security researchers at Picus Security have been closely monitoring this activity, linking it to the notorious threat group known as Turla, also referred to as Secret Blizzard. Picus Security said in a report, this group has a long history of espionage operations, dating back to 2004, and is widely believed to be affiliated with Russia’s Federal Security Service (FSB), making it one of the most enduring state-sponsored hacking entities globally.

Recent campaigns by Turla have increasingly focused on social engineering tactics, compelling victims to open malicious files rather than relying solely on complex zero-day exploits.

Exploiting RDP Files and WinRAR Vulnerability

In one observed incident, a compromised university email account was used to distribute a malicious RDP configuration file. This file, disguised as an invitation to a distance learning trial, silently initiated an outbound connection to attacker-controlled servers upon execution, facilitating further payload delivery.

Additionally, the group has weaponized a WinRAR path traversal vulnerability, tracked as CVE-2025-8088. This flaw allows attackers to embed STOCKSTAY components directly into a victim’s startup folder when a specially crafted RAR archive is extracted. These malicious archives are often disguised as legitimate tools, such as a military pay calculator.

The backdoor achieves persistence through shortcut files, such as MSViewer.lnk and MSDriver.lnk, which are placed in the Windows startup directory. These shortcuts, bearing innocuous names, ensure that STOCKSTAY automatically launches each time the compromised system boots, providing a resilient foothold against simple reboots or basic cleanup attempts.

Advanced Evasion Techniques

STOCKSTAY employs sophisticated methods to conceal its command and control traffic. Instead of direct communication with a dedicated C2 server, the malware routes its traffic through legitimate cloud platforms, including serverless hosting services and browser application platforms. This technique allows malicious communications to blend seamlessly with normal web traffic, making detection challenging for network defenders.

The malware also utilizes a “dead drop mailbox” mechanism, where infected machines and the attackers’ operators interact with a shared relay for message exchange, rather than establishing direct connections. This further obfuscates the C2 infrastructure, making it difficult for security teams to trace the communication path between victims and controllers. To add another layer of stealth, STOCKSTAY encrypts its configuration data using a hash derived from the victim’s hostname, meaning a captured sample cannot be easily analyzed in a generic sandbox environment without the specific decryption key tied to the target system.

Given these advanced evasion tactics, security organizations are advised to move beyond traditional signature-based detection and implement proactive defense strategies. Simulating known Turla attack patterns can help identify vulnerabilities in existing security postures before a real breach occurs. Furthermore, rigorous monitoring of outbound network connections to unfamiliar cloud hosting services is a crucial first step for network defenders.

Considering Turla’s propensity for disguising its tools as everyday utilities and embedding its traffic within trusted platforms, comprehensive user awareness training concerning unexpected RDP files and unsolicited archive attachments remains a fundamental defense mechanism. Regular updates of WinRAR and other archiving software are also essential to patch known vulnerabilities and close potential entry points exploited in these attacks.

What You Should Do

  • Patch WinRAR Immediately: Ensure all instances of WinRAR are updated to versions that address CVE-2025-8088 to prevent exploitation of the path traversal vulnerability.
  • Educate Users: Conduct awareness training on the dangers of opening unsolicited RDP files and extracting suspicious archive attachments, even if they appear to come from trusted sources.
  • Monitor Network Traffic: Implement robust network monitoring to detect unusual outbound connections, especially to unfamiliar cloud hosting services or dynamic DNS domains.
  • Review Startup Folders: Regularly audit Windows startup folders for suspicious shortcut files (e.g., .lnk files) that could indicate persistence mechanisms.
  • Implement Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and respond to suspicious process activity and file modifications characteristic of STOCKSTAY.
  • Threat Emulation: Perform threat emulation exercises simulating Turla’s TTPs to evaluate and improve the effectiveness of existing security controls.

Indicators of Compromise (IoCs):-

Type Indicator Description
Domain eset.ydns[.]eu Turla controlled dynamic DNS domain impersonating a security vendor 
Domain ekrn.ydns[.]eu Turla controlled dynamic DNS domain impersonating a security vendor <a rel="noreferrer noopener" target="_blank" href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/00e455ce-bca0-43b0-8ec9-bbf1a4db465f/STOCKSTAY-Backdoor-Uses-Malicious-RDP-Files-and-WinRAR-Exploit-to-Target-Ukraine.pdf?AWSAccessKeyId=ASIA2F3EMEYE33SPIN56&Signature=UchZ4UzX5dQYIb%2BMrmvaYYVN5a0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCUd56CZCWTwq4rv3HVKBAvMti87V0JVrqt85iosGTpvQIgF63wY4ETGi%2BcpEB5vwhXrcOncfrzNBAVPh6gT5fzmRMq8wQIbxABGgw2OTk3NTMzMDk3MDUiDP%2F12XeY93yKQWgYvSrQBOGUA%2FRM80qxvw5Y3X6oEKobrFCB0iBDjPQ3DkhaQdPSqSSGTuSDwGMh0%2BXvahD1O1ATBQpq7v8kAsj3Dl8JPfSpxrpXnrL1uACnpwVtozrUR3S3U1Vi9YWmSTOOw7PteynQVoFTfew7A2%2F8Xt2DhiW6Zbb4S0A66k9DluXCMdP%2BrT2zg8jVZ7nkHu6NMSKZkwrPYDL2d3rR%2Fdv7CL77UEa%2F1v84n8csYBi3PBJ9MlQmGZn1x77CQLtZ%2FLI1T7ZTpk7%2BDC%2FS11ExFkr2avExUBirnlmFt1vvA9o2u7AfbNkzyOyQ41c57PqVkq0vOsqU3oRIWmV4BXMXPi1NpJBnFeVXYFAMgxc6i7MZD%2F80Dsx2yh4fc2MSKpNEUbpOnxGg9adaI5I%2BAPYBTeGBU2vaYP2jNqJchXUGvXoDdmGdz%2FTbersa1qDoVp5yweT1WhfkH83JfPgiFNbUQBnfKHmhzG83kFF0dRxk6yirEgpR%2F5FG%2FWhs0dDtl4QDcvFDDSj4YUJwNGCvJLePoWvc27uj7BYfW87uv5oiCfqTOXrYqxhukwVO6DYFT3Qqnbykzmv9Yf%2BGZ8cYiSPek0JFr9UKwdKbR82OT65k0MvXokwzG1U0FcGQNRW%2BvnbMnx%2BdoJ%2FtVk25BO51B%2FM3DlKCoFa4xY87obBWoowscAzRhVCF3q9D7UNq1YFcjMgUBaJE1qPNuVvxcYhp%2BmwpFKhCN%2Bj97fPbCaUV%2Fma4Z8MJyec84wYTiwclC8GiVoy8eCOLvFUfbteYveoKFTt18mvRiTYQ7lCow3%2F2z0gY6mAEqexSlnY%2FIhB7%2FPox1llGztkwZv3%2BvV%2Fr5EvDRK9bfX9RpdKWS5jzoBeRppZTWPLBCABF1f39%2F1oWpJNhijx2ZM%2Bpnq7yW54ytA%2Fhe33aCuPrN8BXhIkpptkYlUWaya%2FUsO91fgizvVwTS

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitMalwarePatchSecurityThreatVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

CISA Audits Government Code Repositories With Anthropic’s Mythos AI Tool

Next Post

Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us