Turla Deploys STOCKSTAY Backdoor; Photo ZIP Campaign Targets Hospitality


Summary

Today's reporting is dominated by state-aligned espionage operations and targeted intrusion campaigns. The most significant item is Google Threat Intelligence Group's detailed exposure of Turla's STOCKSTAY backdoor, a multi-component .NET implant under continuous development since 2022 and now deployed against Ukrainian and European government and military targets. Alongside it are a Microsoft-identified campaign that uses photo-themed ZIP archives to deliver a persistent Node.js implant to the hospitality sector, and a Unit 42 report on CL-STA-1062 targeting Southeast Asian governments. Defenders should prioritize hunting for these toolkits and their associated infrastructure; each is an active, high-confidence threat.

Today's developments

  • Turla's STOCKSTAY Backdoor Detailed: Google Threat Intelligence Group (GTIG) published an in-depth analysis of STOCKSTAY, a .NET backdoor attributed to the Russia-linked threat actor Turla (aka VENOMOUS BEAR). The implant has been active since at least December 2022 and is used for cyber espionage against government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy. STOCKSTAY is a multi-component system with a proxy-aware tunneler, an orchestrator, and a backdoor component that supports file, registry, and command execution. GTIG assesses with moderate confidence that STOCKSTAY and the KAZUAR toolkit share a common developer, noting code overlaps like the K1MORPHER obfuscation mechanism. The actor has deployed STOCKSTAY via malicious RDP files, compromised WordPress sites, and spear-phishing campaigns using academic and diplomatic lures.

  • Photo ZIP Campaign Targets Hospitality: Microsoft Threat Intelligence identified an active multi-stage intrusion campaign against hospitality organizations in Europe and Asia. The lure is a photo-themed ZIP archive containing shortcut files disguised as images; opening one starts a chain that installs a persistent Node.js implant built to evade detection and keep long-term access.

  • CL-STA-1062 Hits Southeast Asian Governments: Unit 42 reported that a threat cluster tracked as CL-STA-1062 is targeting government entities and critical infrastructure in Southeast Asia for espionage. The attackers are using a hybrid toolkit that includes a custom backdoor called TinyRCT.

  • Regulatory and Policy Developments: The FCC passed new cybersecurity rules for emergency systems and undersea cables, aiming to protect against hijacking and update federal security review rules. Separately, DHS Secretary Markwayne Mullin stated that the president has met with a likely CISA nominee, and the agency plans to hire 600 new staff. A federal court also ruled a Trump election-focused executive order illegal.

  • Other Notable Events: A Chrome ad blocker with over 10 million installs was found to have dormant script injection capability. A new macOS malware named "Gaslight" uses prompt injection to disrupt AI-assisted analysis. A Minnesota man known as "Snoopy" was sentenced in connection with the 2022 DraftKings hack. Russia is alleged to have used Cellebrite to break into a human rights activist's phone.
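Two of the delivery vectors above, the malicious RDP files used by Turla and the image-disguised shortcut files in the hospitality campaign, can be triaged at the mail gateway or in an analyst's sandbox before anything is detonated. The following is an added example written for this edition, not code from GTIG, Microsoft or the page, and it assumes nothing about the real campaigns beyond those two artifact types: it builds a constructed ZIP in memory, identifies Windows shell links by their fixed header (HeaderSize 0x4C followed by the LinkCLSID) rather than by extension, flags names such as IMG_0001.jpg.lnk, and parses any .rdp member for the documented settings (drivestoredirect, devicestoredirect, remoteapplicationmode, redirectclipboard) that hand a remote host access to local drives, devices and clipboard or launch a RemoteApp. The member names, IP address and settings in the sample are invented.

```python
import io
import re
import zipfile

# Fixed start of a Windows shell link (.lnk): HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its little-endian on-disk form.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "heic", "bmp", "webp"}

# .rdp settings that let the remote server reach into the victim host.
# Each predicate returns True when the value is the risky one.
RDP_RISKY = {
    "drivestoredirect": lambda v: v.strip() != "",        # "*" or a drive list
    "devicestoredirect": lambda v: v.strip() != "",
    "remoteapplicationmode": lambda v: v.strip() == "1",  # RemoteApp launch
    "redirectclipboard": lambda v: v.strip() == "1",
}


def parse_rdp(blob):
    """Parse 'key:type:value' lines of an .rdp file (UTF-16 with BOM or UTF-8)."""
    if isinstance(blob, bytes):
        if blob[:2] in (b"\xff\xfe", b"\xfe\xff"):
            blob = blob.decode("utf-16")
        else:
            blob = blob.decode("utf-8", "replace")
    settings = {}
    for line in blob.splitlines():
        m = re.match(r"^([^:]+):([sib]):(.*)$", line.strip())
        if m:
            settings[m.group(1).lower()] = m.group(3)
    return settings


def triage_zip(data):
    """Return findings for shell links and risky .rdp files inside a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            blob = zf.read(info)
            # Detect shell links by header, so a renamed .lnk is still caught.
            if blob.startswith(LNK_MAGIC):
                parts = base.split(".")
                disguised = len(parts) >= 3 and parts[-2] in IMAGE_EXTS
                findings.append({
                    "member": name,
                    "kind": "shell_link",
                    "detail": "image-like name hides a shortcut" if disguised
                              else "shortcut inside archive",
                })
                continue
            if base.endswith(".rdp"):
                settings = parse_rdp(blob)
                risky = [k for k, bad in RDP_RISKY.items()
                         if k in settings and bad(settings[k])]
                if risky:
                    findings.append({
                        "member": name,
                        "kind": "rdp_redirection",
                        "detail": "%s -> %s" % (settings.get("full address", "?"),
                                                 ",".join(risky)),
                    })
    return findings


def build_sample_zip():
    """Constructed sample archive (invented names and address, not real IoCs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A shell link whose name hides the .lnk behind a .jpg.
        zf.writestr("vacation photos/IMG_0001.jpg.lnk", LNK_MAGIC + b"\x00" * 56)
        # A genuine JPEG (starts with FF D8 FF); should produce no finding.
        zf.writestr("vacation photos/IMG_0002.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        # An .rdp file that redirects all drives and launches a RemoteApp.
        zf.writestr("invite.rdp", ("full address:s:203.0.113.10\r\n"
                                   "drivestoredirect:s:*\r\n"
                                   "remoteapplicationmode:i:1\r\n"
                                   "remoteapplicationprogram:s:||Invite\r\n"
                                   ).encode("utf-16"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["kind"], f["member"], f["detail"])
```

Matching on the header rather than the extension matters because Windows Explorer never shows the .lnk suffix, so a file named IMG_0001.jpg.lnk renders as IMG_0001.jpg with a shortcut overlay at best; an .rdp file that sets drivestoredirect gives the remote host read and write access to the victim's drives the moment the user connects, which is why that single setting is worth a block on its own.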

Threat landscape signals

The day's reporting shows state-aligned actors investing in modular, multi-component toolkits that are refined over years. STOCKSTAY separates network tunnelling, orchestration and execution into distinct components, mirroring the architecture of Turla's KAZUAR toolkit and pointing to a deliberate strategy of building resilient, interchangeable capabilities. Gating different operational phases with environmental keying and hard-coded passwords shows the same attention to operational security: components that only unlock on the intended host yield little to a sandbox or to an analyst who lacks the key. Delivering a persistent implant as Node.js code to the hospitality sector, a runtime rarely seen in that role, suggests actors are diversifying their tooling to slip past signature-based detection. The concentration of espionage activity against Ukraine, Europe and Southeast Asia underscores the geopolitical drivers of these campaigns. For defenders, the takeaway is to hunt for the behaviours and infrastructure associated with these toolkits (for example WebSocket command-and-control channels hosted on Render, and compromised WordPress sites used for delivery) rather than relying solely on static signatures.
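The hunting advice above can be turned into a first-pass query over web proxy or Zeek-style HTTP records. The block below is an added example by this editor, not part of the original page or of any vendor report, and the hostnames, paths and log lines in it are constructed; the only inputs taken from the page are the two infrastructure categories it names (WebSocket channels on Render's onrender.com domain and payloads fetched from WordPress paths). It assumes a tab-separated record of timestamp, client IP, host, request path and Upgrade header value, which any proxy log can be reduced to, and it ranks clients that show both a WordPress-hosted payload fetch and a Render WebSocket session, since that pairing is the delivery-then-C2 sequence a hunter would expect to see together.

```python
import re
from collections import defaultdict

# Constructed proxy records (not from any report). Tab-separated fields:
# timestamp, client IP, host, request path, value of the Upgrade header (or "-").
SAMPLE_LOG = """\
2024-05-02T09:12:44Z\t10.0.5.21\twww.example-hotel.test\t/\t-
2024-05-02T09:12:51Z\t10.0.5.21\tcdn.example-news.test\t/wp-content/uploads/2024/05/photos.zip\t-
2024-05-02T09:13:03Z\t10.0.5.21\tmetrics-sync-7f3a.onrender.com\t/ws\twebsocket
2024-05-02T09:20:10Z\t10.0.5.21\tmetrics-sync-7f3a.onrender.com\t/ws\twebsocket
2024-05-02T09:14:00Z\t10.0.7.9\tdocs.example-vendor.test\t/wp-content/uploads/brochure.pdf\t-
2024-05-02T09:15:30Z\t10.0.7.9\tchat.example-corp.test\t/socket\twebsocket
"""

# Render-hosted apps live under this suffix; the host is legitimate PaaS, so a
# WebSocket to it is a triage signal, not a verdict.
RENDER_SUFFIX = ".onrender.com"
# Executable or archive content served from WordPress content directories,
# the usual place a compromised site ends up hosting a payload.
WP_PAYLOAD_RE = re.compile(
    r"^/wp-(?:content|includes)/.*\.(zip|exe|js|rdp|lnk|dll)$", re.IGNORECASE)


def hunt(log_text):
    """Return {client_ip: [(kind, target, timestamp), ...]} for both patterns."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, upgrade = line.split("\t")
        if upgrade.lower() == "websocket" and host.lower().endswith(RENDER_SUFFIX):
            hits[client].append(("websocket_to_render", host, ts))
        if WP_PAYLOAD_RE.match(path):
            hits[client].append(("payload_from_wp_path", host + path, ts))
    return dict(hits)


def prioritize(hits):
    """Clients that show both a WordPress-hosted payload fetch and a Render
    WebSocket channel, the order a delivery-then-C2 chain would leave."""
    wanted = {"payload_from_wp_path", "websocket_to_render"}
    return sorted(client for client, items in hits.items()
                  if wanted <= {kind for kind, _, _ in items})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for client in prioritize(found):
        print(client)
        for kind, target, ts in found[client]:
            print("  ", ts, kind, target)
```

Either pattern on its own produces noise (developers open WebSockets to Render apps, and plenty of legitimate sites serve ZIPs from wp-content), which is why the ranking keys on the combination and on the same client; extend the record with process name or user agent where the proxy supplies it, and pivot any hit into endpoint telemetry for a Node.js runtime that was not deployed by IT.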

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
