🟠 High | Source: The Hacker News
Russian state-sponsored group Turla has deployed a previously unknown .NET backdoor, dubbed STOCKSTAY, targeting Ukrainian government and military organisations as well as entities with ties to Italian foreign policy. The malware runs on Windows and is under active development, suggesting ongoing and evolving espionage campaigns. Google’s Threat Intelligence Group has attributed the tool to Turla with high confidence.
Security Architect’s Take: Review endpoint detection coverage for .NET-based backdoors and ensure Windows environments — particularly those handling sensitive government or defence-related data — have behavioural monitoring and application allowlisting in place. If your organisation has any operational links to Ukraine or Italian foreign policy stakeholders, treat this as an elevated threat and audit outbound network connections for signs of command-and-control activity.
Original advisory: Google Details Turla’s New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks