INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Gamaredon Expands Ukraine Attacks with New Malware and Cloud Abuse
2026-06-29 11:40 | CRITICAL HIGH
Executive Summary (AI-generated)
The Russian advanced persistent threat (APT) group, Gamaredon, has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine. The group's ultimate goal remains the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the war-torn country.
Gamaredon's tactics have been refined over time, with notable updates made in the lead-up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays, suggesting that Gamaredon operators are probably government-affiliated employees.
The group has also continued to adapt its methods, mounting spear-phishing campaigns against new targets, most of them in the second half of the year. These campaigns use archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders, which in turn drop additional payloads.
Gamaredon's attacks have been known to rely on weaponizers like PteroLNK and PteroPaste to facilitate lateral movement by infecting USB drives and network drives with malicious LNK files. The group has also used a wide range of legitimate services as data exfiltration channels and dead drop resolvers, obtaining details of the C2 server and pointing malware to infrastructure already hidden behind tunnels or serverless workers.
Furthermore, Gamaredon's attacks have weaponized a now-patched flaw in WinRAR (CVE-2025-8088) as a way of placing the malicious HTA downloader into the victim's Windows Startup folder. This highlights the group's continued exploitation of known vulnerabilities and its ability to adapt to new security measures.
The primary targets of these efforts include Ukrainian governmental and military institutions, with Gamaredon also targeting other organizations in the region. The group's tactics have been refined over time, demonstrating a high degree of sophistication and adaptability.
As the threat continues to evolve, it is essential for defenders to remain vigilant and proactive in their defense strategies. This includes staying informed about the latest threats and tactics employed by Gamaredon, as well as implementing robust security measures to protect against these types of attacks.
Technical Mitigations (AI-generated)
* Use reputable antivirus software and keep it up to date to protect against malware such as that used by Gamaredon.
* Be cautious when opening archive attachments or XHTML files, as they may contain malicious payloads that can compromise your system's security.
* Regularly scan your devices for signs of malware and update your operating system and applications promptly to prevent exploitation of known vulnerabilities.
* Use strong passwords and enable multi-factor authentication whenever possible to add an extra layer of protection against unauthorized access.
* Be wary of legitimate services being used as data exfiltration channels, such as those listed in the article (e.g. Telegra.ph, Teletype), and report any suspicious activity to the relevant authorities.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Turla
Kazuar
CVE-2025-8088
Target & Sectors
BENELUX
DACH
government
Incident Timeline
January 2021
Threat actors used PteroSetup, an older Visual Basic Script (VBScript) weaponizer, to target Ukraine.
organisation
PteroSetup
Also used is PteroSetup, an older Visual Basic Script (VBScript) weaponizer first detected in January 2021 and likely assumed to be discontinued.
tactic
T1059.005 - Visual Basic
organisation
VBScript
organisation
SFX
The tool scans USB and mapped network drives for legitimate installer files, and if found, replaces them with 7z self-extracting (SFX) archives containing the original installer and a malicious VBScript downloader.
December 2022
Suspected development activity of malware began in December 2022.
December 2023
A STOCKSTAY sample exhibiting the separation of distinct role-based components was uploaded to VirusTotal from the Netherlands.
target_region
Netherlands
The separation of distinct role-based components in STOCKSTAY was first detected in a sample uploaded to VirusTotal in December 2023 from the Netherlands.
organisation
VirusTotal
January 2025
Gamaredon further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage to facilitate data exfiltration.
tactic
T1059.001 - PowerShell
The attacks are also characterized by the introduction of six new malicious PowerShell tools, broadening its custom malware arsenal:
* PteroDee and PteroCache, for fetching and executing PowerShell payloads in memory
* PteroDum, for fetching and executing VBScript payloads in memory
* PteroOdd, for fetching a single PowerShell payload using the Telegra.ph API and likely used in campaigns in which the Gamaredon actors collaborated with Turla
* PteroEffigy, for fetching the command-and-control (C2) server using the GoFile cloud storage service
* PteroPaste, for weaponizing USB drives and downloading additional PowerShell payloads via an encrypted channel
"While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools," ESET researcher Zoltán Rusnák said.
organisation
PteroCache
threat_actor
Turla
organisation
GoFile
organisation
Telegra.ph
These include: Telegra.ph, Teletype, Rentry.co, Write.as, Dropbox, GoFile, and DEV Community (dev.to).
organisation
Dropbox
organisation
DEV Community
organisation
DNS
"Gamaredon further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage, making its operations more flexible and harder to disrupt."
early 2025
Turla actors used a phishing email containing a malicious RDP file attachment that, when opened, connected the victim's device to actor-controlled infrastructure through which additional payloads could be deployed.
tactic
Phishing
Timeline of STOCKSTAY observations
In at least one instance observed in early 2025, the Turla actors are said to have employed a phishing email containing a malicious RDP file attachment that, when opened, sets up a connection between the victim's device and actor-controlled infrastructure, through which additional payloads, including STOCKSTAY, can be deployed.
threat_actor
Turla
organisation
RDP
November 2025
An email phishing wave targeting Ukraine delivered the implant via RAR archives that exploit CVE-2025-8088, a WinRAR vulnerability.
target_region
Ukraine
As recently as November 2025, an email phishing wave targeting Ukraine was found to deliver the implant via RAR archives that exploit CVE-2025-8088, a WinRAR vulnerability that has been exploited by a number of Russian hacking groups such as Sandworm, Gamaredon, and RomCom.
tactic
Phishing
vulnerability
CVE-2025-8088
infrastructure
Winrar
source_region
Russian Federation
organisation
Sandworm
2026/05/27
Kazuar's use of Kernel, Bridge, and Worker modules was detailed by the Microsoft Threat Intelligence team.
malware
Kazuar
Kazuar's use of Kernel, Bridge, and Worker modules within Kazuar was extensively detailed by the Microsoft Threat Intelligence team last month.
attribution
Kernel, Bridge
attribution
Worker
Jun 29, 2026
Gamaredon's attacks are known to rely on weaponizers like PteroLNK and PteroPaste, which infect USB drives and network drives with malicious LNK files.
organisation
APT
A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025.
organisation
Gamaredon
"Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine," ESET said.
organisation
ESET
Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year.
organisation
HTML
The spear-phishing campaigns make use of archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders that are responsible for dropping additional payloads, such as PteroSand.
organisation
HTA
organisation
PteroSand
organisation
PteroPaste
Gamaredon's attacks are known to rely on weaponizers like PteroLNK and PteroPaste to facilitate lateral movement by infecting USB drives and network drives with malicious LNK files that, when opened by an unsuspecting user, trigger the retrieval of downloader malware.
organisation
USB
organisation
LNK
infrastructure
Winrar
Some of the attacks have also weaponized a now-patched flaw in WinRAR (CVE-2025-8088) as a way of placing the malicious HTA downloader into the victim's Windows Startup folder.
infrastructure
Windows
organisation
WinRAR
2026/06/29
Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse.
threat_actor
Turla
Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks.
The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called
STOCKSTAY
that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy.
One noteworthy aspect of the malware is that Turla has employed it at multiple distinct stages of its operations: once as a way to obtain initial access into environments that haven't been profiled previously, and again during post-exploitation, following reconnaissance, for execution on a specific host.
"This architecture somewhat resembles Turla's multi-hop Kazuar C2 infrastructure.
organisation
Google
organisation
HTA
Other campaigns have leveraged MSI installers (in one case hosted on GitHub) and RAR files containing an HTML Application (HTA) script, the latter of which is designed to execute a variant of STOCKSTAY.MARKETMAKER.
organisation
MSI
organisation
GitHub
organisation
RAR
organisation
HTML Application
infrastructure
Windows
Describing the Windows backdoor as continually developed by the hacking group, Google Threat Intelligence Group (GTIG) said the cyber espionage tool shares significant code and functional overlaps with Kazuar, a staple implant put to use by the adversary since 2017.
"STOCKSTAY is a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command-and-control (C2) via a secure WebSocket connection, utilizing the open-source websocket-sharp library," GTIG said.
Some of the commands supported by STOCKSTAY.STOCKTRADER are listed below:
* Del, to delete the specified files
* Dir, to enumerate the specified directories
* Get, to fetch one or more specified files matching certain extensions
* MkDir, to make one or more directories
* RmDir, to delete the specified directories
* Image, to perform a screen capture of the device's screen
* MultyTask, to run a semi-colon-separated list of tasks at once
* Put, to upload a file to the device
* RegRead, to read a Windows Registry value
* RegDelete, to delete a Windows Registry value
* RegWrite, to set a Windows Registry value
* Run, to execute a new process
* Sysinfo, to gather system information
* UnpackArchive, to extract the specified ZIP file to its current directory
Google said it identified a publicly accessible GitHub repository ("ChikenFresh/google-ai-labs-it") containing a Python implementation of the victim-facing STOCKSTAY WebSocket server controller that's responsible for handling inbound messages from a connected client and logging its IP address.
organisation
WebSocket
organisation
Dir
organisation
RmDir
organisation
Image
organisation
MultyTask
organisation
Windows Registry
organisation
RegDelete
organisation
RegWrite
organisation
Sysinfo
organisation
UnpackArchive
organisation
ChikenFresh
organisation
IP
organisation
STOCKSTAY
"STOCKSTAY's overlaps with Kazuar stem from the similarities in how the responsibilities are delineated among different components. STOCKSTAY consists of several distinct components that communicate with one another via an inter-process communication (IPC) channel, based on the exchange of WM_COPYDATA messages."
Evidence indicates that the implant was originally designed to mimic a stock market data viewing tool, before being adapted to masquerade as other harmless programs like PDF viewers and calculator utilities.
The downloader then retrieves a ZIP archive containing the main STOCKSTAY components that's hosted on a compromised WordPress instance.
"We believe that STOCKSTAY is being developed in KAZUAR’s image, with several design decisions likely spawning from the threat actor’s wealth of experience in conducting operations using this long-standing toolkit," Google said.
Some of the attacks have also weaponized a now-patched flaw in WinRAR (CVE-2025-8088) as a way of placing the malicious HTA downloader into the victim's Windows Startup folder.
As recently as November 2025, an email phishing wave targeting Ukraine was found to deliver the implant via RAR archives that exploit CVE-2025-8088, a WinRAR vulnerability that has been exploited by a number of Russian hacking groups such as Sandworm, Gamaredon, and RomCom.
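The two paragraphs above give the outcome (an HTA loader written into a Windows Startup folder by way of an archive-extraction flaw) but not a check an analyst can run before opening such an archive. The Python below is an added example, not code from the original article or from GTIG's report. It triages archive member names before extraction and flags entries that would escape the extraction directory, that point at a Windows Startup folder, or that carry an autorun extension. The sample member names are constructed for illustration. It assumes that an NTFS alternate data stream suffix (name:stream) in a member name is honoured by the extractor as the real write target; that is the reported mechanism of CVE-2025-8088 but is not described on this page, so treat it as an assumption. The function names effective_target, resolves_outside, triage_entry and triage_archive are the example's own.

```python
"""Pre-extraction triage of archive member names (added example, not from
the article or GTIG's report). The member names below are constructed to
imitate an archive that tries to land a loader in a Windows Startup folder;
they are not real samples."""
import posixpath
import re

# Lower-cased, forward-slash fragment shared by the per-user and all-users
# Startup folders (...\Microsoft\Windows\Start Menu\Programs\Startup).
STARTUP_FRAGMENT = "/start menu/programs/startup"

# Extensions that execute at logon from a Startup folder or act as loaders.
AUTORUN_EXTS = {".hta", ".lnk", ".vbs", ".vbe", ".js", ".jse",
                ".bat", ".cmd", ".ps1", ".scr", ".exe"}

_DRIVE = re.compile(r"^[A-Za-z]:")

# Constructed sample: a decoy document whose alternate data stream name is a
# traversal path into the per-user Startup folder, plus a plain '..'
# traversal into the all-users Startup folder, plus two benign members.
SAMPLE_ENTRIES = [
    "Order_2025-11.pdf",
    "Order_2025-11.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.hta",
    "..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs"
    "\\StartUp\\ntuser.lnk",
    "docs\\readme.txt",
]


def effective_target(entry_name: str) -> str:
    """Path the extractor would actually write. Assumption: a ':stream'
    suffix (NTFS alternate data stream) is honoured as the write target, so
    the stream name, not the decoy file name, is what matters."""
    name = entry_name.replace("\\", "/")
    head = name[:2] if _DRIVE.match(name) else ""   # keep a 'C:' prefix intact
    rest = name[len(head):]
    if ":" in rest:
        rest = rest.split(":", 1)[1]
    return head + rest


def resolves_outside(extract_dir: str, entry_name: str) -> bool:
    """True if the entry would land outside extract_dir through '..'
    segments or an absolute path."""
    target = effective_target(entry_name)
    if _DRIVE.match(target) or target.startswith("/"):
        return True
    base = posixpath.normpath(extract_dir.replace("\\", "/"))
    joined = posixpath.normpath(posixpath.join(base, target))
    return joined != base and not joined.startswith(base + "/")


def triage_entry(extract_dir: str, entry_name: str) -> list:
    """Findings for one member name; an empty list means nothing suspicious."""
    findings = []
    stripped = entry_name[2:] if _DRIVE.match(entry_name) else entry_name
    if ":" in stripped:
        findings.append("ads-stream")
    if resolves_outside(extract_dir, entry_name):
        findings.append("escapes-extract-dir")
    low = effective_target(entry_name).lower()
    if STARTUP_FRAGMENT in low:
        findings.append("targets-startup-folder")
    if posixpath.splitext(low)[1] in AUTORUN_EXTS:
        findings.append("autorun-extension")
    return findings


def triage_archive(extract_dir: str, entry_names) -> dict:
    """Map each member name to its findings. A caller should refuse to
    extract when any member escapes the directory or targets Startup."""
    return {name: triage_entry(extract_dir, name) for name in entry_names}


if __name__ == "__main__":
    results = triage_archive("C:/Users/victim/Downloads/order", SAMPLE_ENTRIES)
    for name, hits in results.items():
        print(f"{'ALERT' if hits else 'ok   '} {name!r}: {', '.join(hits)}")
```

The check is deliberately independent of the archive format: feed it the member names from rarfile, zipfile or any listing tool before extraction, and treat "escapes-extract-dir" or "targets-startup-folder" as a hard stop rather than a warning, since a patched WinRAR is the only other control between the archive and the Startup folder.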
Describing the Windows backdoor as continually developed by the hacking group, Google Threat Intelligence Group (GTIG) said the cyber espionage tool shares significant code and functional overlaps with Kazuar, a staple implant put to use by the adversary since 2017.
"STOCKSTAY is a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command-and-control (C2) via a secure WebSocket connection, utilizing the open-source websocket-sharp library," GTIG said.
Intelligence Sources
The Hacker News
2026-06-26
The Hacker News
2026-06-29
Last Updated: 2026-06-30T06:32
Comprehensive Tactical Telemetry

Highly Correlated Entities
Count  Type            Label                    Value                              Class
49x    organisation    Identified Entity        Gamaredon Expands Ukraine Attacks  entity
11x    timeline        Temporal Reference       2025                               date
6x     target region   Target Country           Ukraine                            country
5x     tactic          Cyber Operation Type     Exfiltration                       tactic
4x     tactic          MITRE ATT&CK Technique   T1588.001 - Malware                technique
3x     attribution     Attributing Entity       Google Threat Intelligence Group   authority
2x     infrastructure  Affected Product         WinRAR                             software

Contextual Telemetry
Type            Label                        Value               Class
industry        Targeted Sector              Government          sector
general metric  Distinct Phishing Campaigns  35                  distinct phishing campaigns
vulnerability   Exploited CVE                CVE-2025-8088       cve
threat actor    APT Group                    Turla               actor
source region   Origin Country               Russian Federation  country
malware         Malware Payload              Kazuar              tool