Back to Intelligence

Turla STOCKSTAY .NET Espionage Tool: Detection and Defense Strategy

SA
Security Arsenal Team
June 27, 2026
6 min read

Google Threat Intelligence Group has recently exposed STOCKSTAY, a previously undocumented .NET unauthorized access mechanism attributed to the Russian state-sponsored threat actor Turla. This sophisticated tool has been actively deployed against government and military organizations in Ukraine, as well as entities with a vested interest in Italian foreign policy.

As a veteran security consultant, I view this disclosure with significant concern. Turla is historically a highly capable, stealthy actor known for developing custom tooling that evades standard signature-based detection. The emergence of STOCKSTAY—a .NET-based mechanism—signals an evolution in their tradecraft, likely designed to blend in with legitimate development environments and bypass older heuristic models.

Technical Analysis

Threat Actor: Turla (Waterbug, Venomous Bear) Targeted Sector: Government, Military, Diplomatic/Foreign Policy entities Platform: Windows (via .NET Framework)

The Mechanism

STOCKSTAY is characterized as a continually developed unauthorized access mechanism. Unlike commodity malware, it is tailored for long-term espionage (CNE). While the specific vulnerability exploited (CVE) for initial access was not disclosed in the Google report, the tool itself is a .NET payload.

TTPs and Attack Chain:

  • Framework: Built on the .NET framework, STOCKSTAY likely leverages common Windows libraries (clr.dll, mscoree.dll) to execute code, making it difficult to distinguish from legitimate administrative .NET applications.
  • Persistence: .NET malware often utilizes Registry Run keys, Scheduled Tasks, or COM hijacking to maintain access. Given Turla's history, we anticipate STOCKSTAY uses "living-off-the-land" (LotL) binaries (LOLBins) like regsvcs.exe or regasm.exe to proxy execution of malicious assemblies.
  • Evolution: The report notes the tool is "continually developed," suggesting Turla is actively modifying its code signature and C2 communication patterns to thwart detection.

Exploitation Status:

  • Confirmed Active Exploitation: Yes. Google has observed active deployment against Ukrainian and diplomatic targets.
  • CVEs: No specific CVE identifiers were provided in the source material for STOCKSTAY itself. The threat is the tool and the unauthorized access it facilitates, rather than a specific software vulnerability at this stage.

Detection & Response

Detecting a .NET-based framework like STOCKSTAY requires a shift from simple hash matching to behavioral analysis. We are hunting for anomalous .NET execution chains and persistence mechanisms.

SIGMA Rules

YAML
---
title: Potential STOCKSTAY Activity - Unsigned .NET Binary in User Space
id: 89a1c3d4-5f6e-4a2b-9c8d-1e2f3a4b5c6d
status: experimental
description: Detects the execution of unsigned .NET executables from user profile directories, a common tactic for Turla .NET payloads like STOCKSTAY.
references:
  - https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.defense_evasion
  - attack.t1027
  - attack.persistence
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\AppData\Roaming\'
      - '\AppData\Local\'
    Image|endswith:
      - '.exe'
    Company|contains:
      - 'Microsoft Corporation'
  filter_legit:
    Signed: 'true'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate unsigned internal tools
level: high
---
title: Suspicious .NET Assembly Loading via LOLBin
id: 2b3f4a5c-6d7e-8f9a-0b1c-2d3e4f5a6b7c
status: experimental
description: Detects potential proxy execution of .NET assemblies using Windows AppLocker-approved binaries (regasm, regsvcs) often abused by espionage tools.
references:
  - https://attack.mitre.org/techniques/T1218/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.defense_evasion
  - attack.t1218
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\regasm.exe'
      - '\regsvcs.exe'
      - '\installutil.exe'
    CommandLine|contains:
      - '.dll'
  condition: selection
falsepositives:
  - Software installation or developer activity
level: medium
---
title: PowerShell Loading .NET Assemblies from Suspicious Paths
id: 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects PowerShell loading .NET assemblies (Add-Type) from non-standard directories potentially indicative of STOCKSTAY loader.
references:
  - https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|contains:
      - 'Add-Type'
      - '-AssemblyName'
    CommandLine|contains:
      - '\AppData\'
      - '\Public\'
      - '\Temp\'
  condition: selection
falsepositives:
  - Administrative scripts
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for processes loading the .NET Common Language Runtime (clr.dll) that are not standard development tools, originating from user directories or temporary paths.

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious .NET runtime loads indicating potential STOCKSTAY execution
DeviceImageLoadEvents
| where FileName =~ "clr.dll"
| where InitiatingProcessFolderPath !contains "C:\\Windows\\Microsoft.NET\\"
| where InitiatingProcessFolderPath !contains "C:\\Program Files\\"
| where InitiatingProcessFolderPath !contains "C:\\Program Files (x86)\\"
| where InitiatingProcessFolderPath contains "C:\\Users\\"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, FileName, FolderPath, SHA256
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for unsigned DLLs or EXEs in common persistence locations that exhibit .NET characteristics (referencing System assemblies).

VQL — Velociraptor
-- Hunt for unsigned binaries in persistence paths potentially linked to STOCKSTAY
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs=[
    "C:\\Users\\*\\AppData\\Roaming\\*\\*.dll",
    "C:\\Users\\*\\AppData\\Roaming\\*\\*.exe",
    "C:\\Users\\*\\AppData\\Local\\Temp\\*.dll"
])
WHERE NOT IsSigned
LIMIT 100

Remediation Script (PowerShell)

Use this script to audit the environment for suspicious unsigned .NET binaries in user profile directories—a key indicator of STOCKSTAY-style persistence.

PowerShell
# Audit for suspicious unsigned binaries in user profiles
Write-Host "Scanning for unsigned executables in user profiles..." -ForegroundColor Cyan

$Paths = @("C:\Users\*\AppData\Roaming\*.exe", "C:\Users\*\AppData\Local\Temp\*.dll")
$SuspiciousFiles = @()

foreach ($Path in $Paths) {
    if (Test-Path (Split-Path $Path -Parent)) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $Signature = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($Signature.Status -ne 'Valid') {
                $SuspiciousFiles += [PSCustomObject]@{
                    File     = $_.FullName
                    Signed   = $Signature.Status
                    Modified = $_.LastWriteTime
                }
            }
        }
    }
}

if ($SuspiciousFiles.Count -gt 0) {
    Write-Host "Potential threat artifacts found:" -ForegroundColor Red
    $SuspiciousFiles | Format-Table -AutoSize
} else {
    Write-Host "No unsigned artifacts found in standard persistence paths." -ForegroundColor Green
}

Remediation

Since STOCKSTAY is a malware tool and not a vulnerability in a specific product, "patching" refers to removing the artifact and hardening the environment.

  1. Isolate Compromised Systems: Immediately identify and isolate systems exhibiting the TTPs described above.
  2. Artifact Removal: Use the VQL and PowerShell scripts above to locate and remove the malicious .exe or .dll files. Ensure you check for Scheduled Tasks or Registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) pointing to these files.
  3. Application Whitelisting (AppLocker/WDAC): Enforce strict policies that only allow signed Microsoft binaries and approved internal software to execute from user directories (AppData, Temp). This effectively neutralizes STOCKSTAY's ability to run.
  4. Network Segmentation: Block C2 infrastructure. While specific IOCs are not published here, monitoring for anomalous outbound connections from endpoints to non-corporate IPs is essential.
  5. Privileged Access Management (PAM): Turla often steals credentials. Rotate all credentials for privileged accounts used on the affected networks immediately.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringturlastockstaydotnetwindows

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action