STOCKSTAY Backdoor Uses Malicious RDP Files and WinRAR Exploit to Target Ukraine

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A newly detailed cyber-espionage campaign is using fake remote desktop files and a recently patched WinRAR flaw to plant a stealthy backdoor called STOCKSTAY on computers in Ukraine.

The malware disguises itself as everyday software, including stock market trackers and calculator apps, to avoid raising suspicion while it quietly collects information from infected machines.

STOCKSTAY is built in .NET and made up of several separate components, each handling a different job such as talking to its controllers, moving files, or running commands.

This modular design lets the attackers swap pieces in and out without rebuilding the whole tool, making the malware harder to fully dismantle once discovered.

Researchers at Picus Security have been tracking this activity as part of a broader look at the threat group behind it, known as Turla or Secret Blizzard.

The group has been linked to Russia’s Federal Security Service and has run espionage operations since 2004, making it one of the longest active state backed hacking teams in the world.

Turla’s recent operations have leaned heavily on tricking victims into opening booby trapped files rather than using flashy exploits alone.

In one case, a compromised university email account sent out a malicious RDP configuration file disguised as a distance learning trial, which quietly opened an outbound connection to attacker controlled servers.

Picus Security said in a report shared with Cyber Security News (CSN) that the group also weaponized a WinRAR path traversal bug, tracked as CVE-2025-8088, to drop STOCKSTAY files straight into a victim’s startup folder during archive extraction.

STOCKSTAY Backdoor Uses Malicious RDP Files

The malicious RDP files act as a simple but effective doorway. Once a victim opens one, it silently connects out to infrastructure controlled by the attackers, which then pushes down additional payloads onto the machine without any obvious warning signs.

The WinRAR exploit takes a different but equally sneaky route. A booby trapped RAR archive, sometimes disguised as a military pay calculator tool, exploits the path traversal flaw so that simply extracting the archive writes STOCKSTAY components and shortcut files outside the folder the user expects.

Those shortcuts, given innocent sounding names like MSViewer.lnk and MSDriver.lnk, get placed in the Windows startup folder so the backdoor automatically restarts every time the computer boots up. This gives the attackers a durable foothold that survives simple reboots or basic cleanup attempts.

Hiding Command And Control Traffic

STOCKSTAY does not talk directly to a single attacker controlled server. Instead, its traffic passes through legitimate cloud platforms such as serverless hosting services and browser app platforms, letting the malicious communication blend in with ordinary web traffic.

The malware even uses a technique that resembles a dead drop mailbox, where infected machines and the attacker’s operators both check the same relay for messages instead of contacting each other directly.

This setup makes it much harder for network defenders to spot a clear line between victim and controller.

This means a captured sample cannot simply be analyzed on a researcher’s own machine, since the decryption key depends on the exact system it was meant to infect.

Given these techniques, security teams are encouraged to test their defenses against known Turla behaviors rather than relying on signature detection alone.

Simulating these attack patterns can help organizations spot gaps before real intrusions occur, and reviewing outbound connections to unfamiliar cloud hosting services is a practical first step for defenders.

Since Turla frequently disguises its tools as common utilities and hides its traffic inside trusted platforms, basic awareness training around unexpected RDP files and unsolicited archive attachments remains one of the simplest ways to reduce risk.

Keeping WinRAR and similar archive tools updated also closes off one of the entry points seen in these attacks.

Indicators of Compromise (IoCs):-

Type Indicator Description
Domain eset.ydns[.]eu Turla controlled dynamic DNS domain impersonating a security vendor 
Domain ekrn.ydns[.]eu Turla controlled dynamic DNS domain impersonating a security vendor 
URL wss://google-ai-labs-it.onrender.com/ws STOCKSTAY WebSocket C2 endpoint hosted on serverless platform 
URL wss://wool-basalt-clock.glitch.me/ws STOCKSTAY WebSocket C2 endpoint hosted on Glitch 
URL www.drs.gov.ua/…/docs.zip Malicious archive hosted on compromised Ukrainian state site 
URL basecon.com.ua/calculator.rar Malicious archive hosted on compromised Ukrainian IT company site 
URL hxxp://www.msftconnecttest[.]com/redirect Hijacked connectivity check redirect used to deliver ApolloShadow 
URL https://eset.ydns[.]eu/post.php C2 endpoint used to receive exfiltrated host survey data 
File DiplomacyEduAI.msi STOCKSTAY installer disguised as a legitimate application 
File Copia.msi STOCKSTAY installer impersonating a .NET decompiler 
File calculator.rar Malicious RAR archive disguised as a military pay calculator 
File MSViewer.lnk Startup shortcut launching STOCKSTAY.STOCKMARKET component 
File MSDriver.lnk Startup shortcut launching STOCKSTAY.STOCKBROKER component 
File MSRender.lnk Startup shortcut launching STOCKSTAY.STOCKTRADER component 
File weather_data1.db SQLite database used as a disguised C2 mailbox on infected hosts 
File ms-lib-math-core.dll STOCKSTAY module disguised as a system library 
File ms-api-wmcpdt.dll STOCKSTAY module disguised as a system library 
File ms-api-win-render.dll STOCKSTAY module disguised as a system library 
Vulnerability CVE-2025-8088 WinRAR path traversal flaw exploited to drop STOCKSTAY components 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.