STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus
Google Threat Intelligence Group analyzed STOCKSTAY, a modular .NET backdoor developed and operated by Turla since late 2022, which uses a WebSocket-based C2 channel, RSA/AES encrypted communications, and IPC via WM_COPYDATA between its downloader, orchestrator, tunneler, and backdoor components. STOCKSTAY exhibits strong code, architectural, and obfuscation (K1MORPHER) overlaps with KAZUAR, suggesting a shared development team, and has been deployed via phishing (malicious RDP files, HTA lures) and, most recently, exploitation of CVE-2025-8088 in WinRAR to target Ukrainian military personnel. The actor leverages legitimate hosting platforms (Render, Glitch, GitHub) and compromised third-party/government infrastructure to obscure C2 infrastructure and complicate attribution.
- sha2560a545dd1b703cddfb3d582c8c70f65f556bbd580bfa836a387121eb837bda61bStockMarketSystem.exe - STOCKSTAY.STOCKTRADER backdoor
- sha2560d6b083208097d5b3e189891338540f6c64faaaaf268b0bb0b085dd53d5857b4Malicious HTA lure file 'Military personnel cash benefit calculator 2025.hta'
- sha25619e6ed42248f9d03beb343a7c09a864dcd3cd671c29e1e5eac93579225224ac9DiplomacyEduAI.msi - MSI containing STOCKSTAY components uploaded to GitHub account Roberto1983-ai
- sha2561a2ca8b8e0344fe3d80da7352206a470245443e2349a237bc093df934ddc011fsample.conf - early STOCKSTAY configuration file
- sha2561fc23ec18a94a599a34c74ef5f49a1e27acd37a07d5846661702b5e7e81a6a24StockMarketNews.exe - early combined STOCKSTAY executable
- sha25634fcbe7e90fc87a4f3766469c19a64f24672d7adb99e0198f5ba10d58911368bStockMarketNet.exe - STOCKSTAY.STOCKBROKER tunneler
- sha256447f430b46fad5a3f8e8c5aad1f8f7f79af069489c3d9c29224bb9f14f0c7bf4EditorToolsPdf.zip - archive containing STOCKSTAY components downloaded from compromised WordPress site
- sha256626330d22f77d9cbca9d40cc06568041703f194610c4c5a84bbb05a2e4ee7459styles.dat.exe - renamed STOCKSTAY.MARKETMAKER downloader executed by malicious HTA
- sha256667a8f568a611f2f3d84a366b7946b360e055bece9699c95aad619637ab72a38MSRender.exe - STOCKSTAY.STOCKTRADER backdoor used in November 2025 CVE-2025-8088 campaign
- sha2566da0b4c1a5d0d3fb6e6a2990a82ba51db1f68a3bba818baa46526a29731e2342calculator.rar - archive hosting malicious HTA lure and STOCKSTAY.MARKETMAKER, targeting Ukrainian military personnel
- sha25681aabf646619ea5f4a72457cd3aa17c5988003d67e6454f45e7cb33613021bacapps_libwallets_v1.3.rar - first modular STOCKSTAY sample archive (Dec 2023)
- sha2569164054d0bf0b7c8820da4f742860940998984555e65820e4fa8dd07b6bd67ecStockMarketView.exe - STOCKSTAY.STOCKMARKET orchestrator
- sha25698ce3c6e4dd05887ea619f2bbfeb2e2c2805ed07e85e119b79b828b7ef8be397GR3.exe - K1MORPHER-obfuscated STOCKSTAY.STOCKBROKER sample first showing new obfuscation technique
- sha2569fe944147c15a87963b06baf6473288d64c23655a0ba9369c35566272d8efc73docs.zip - archive containing STOCKSTAY components downloaded via MARKETMAKER from compromised Ukrainian government infrastructure
- sha256a40bf9c75d1bfa6d66f1179f2321de6589f80d3089d992797a9cb0e84f6196ceMSViewer.exe - STOCKSTAY.STOCKMARKET orchestrator used in November 2025 CVE-2025-8088 campaign
- sha256b064a3efb04ed77e6c57955089ce639e193d166c8ea2216c98c3e9b701ea2cffCopia.msi - MSI masquerading as ILSpy, installing STOCKSTAY, targeting Italian foreign affairs entity (Feb 2024)
- sha256c905cb512018cc55512c6a22677c3d6f389c47afd54d7c85797868fc4fcb90e9MSDriver.exe - STOCKSTAY.STOCKBROKER tunneler used in November 2025 CVE-2025-8088 campaign
- sha256d1e54270433a94aa3d45d888e4c62299bee3480eb2cb4a5489c7dda69d476c3ewebsocket-sharp.dll library instance compiled by the threat actor, used as a tracking artifact across STOCKSTAY.STOCKBROKER samples
- sha256d3fd32f915c239872c9e7ed9408b1f36dfcef03aa68f9a396d05c437667cdb43ClientMNGR2.exe - STOCKSTAY.STOCKBROKER sample uploaded from Poland (May 2025)
- sha256da8a96bc74e265f945f1cc6992c6dc0f9ea36ed1991f7b8d312db79d9bf78c40MicrosoftUpdateOneDrive.exe - STOCKSTAY.MARKETMAKER downloader deployed via malicious RDP file (March 2025)
- sha256e6d8192960a89d5480868b94088cccdaa1560f9c8a0b0282ced2b7c1f72341b6DriversPrinterGraphic.rar - early STOCKSTAY combined sample archive (Sept 2023)
- sha256f04f43b6f7c2d86109c495179b497f7fb45fd95816623de1b77900f71b4f99edserver.py - Python STOCKSTAY C2 controller uploaded to GitHub account ChikenFresh
- urlhxxps://basecon[.]com[.]ua/calculator[.]rarCompromised Ukrainian IT company infrastructure hosting the malicious HTA lure archive delivering STOCKSTAY.MARKETMAKER
- urlhxxps://circoloesteri[.]elezioni[.]idnet[.]it/admin-election/riepilogo[.]phpElection-themed phishing lure URL targeting Italian foreign affairs-associated organization, launched via malicious MSI custom action
- urlhxxps://online[.]zp[.]ua/wp-content/uploads/Tools/EditorToolsPdf[.]zipCompromised WordPress instance hosting STOCKSTAY component ZIP archive for download by STOCKSTAY.MARKETMAKER
- urlhxxps://www[.]drs[.]gov[.]ua/wp-content/themes/twentytwentyfive/docs[.]zipCompromised Ukrainian State Regulatory Service infrastructure used to host and serve STOCKSTAY component ZIP archive
Detection / HunterAnthropic
What Happened
Security researchers at Google uncovered a previously undocumented spy tool, nicknamed STOCKSTAY, built and used by a Russian government-linked hacking group called Turla. The malware disguises itself as harmless programs like stock-market trackers, calculators, or PDF viewers, and lets attackers steal files, take screenshots, and run commands on infected computers while hiding its communications inside normal-looking web traffic. The primary victims are Ukrainian government and military organizations, along with some entities connected to Italian foreign affairs, and the group recently exploited a flaw in the popular WinRAR file-compression software (CVE-2025-8088) to trick roughly 20 people into installing the malware via booby-trapped file attachments disguised as military documents. This matters because it shows an established, long-running espionage group continuing to refine tools for stealthy, long-term access to sensitive networks. Organizations, especially those in government, defense, or diplomacy, should ensure software like WinRAR is updated, be cautious of unexpected email attachments (especially RDP connection files or compressed archives), and consider hunting for the technical indicators described in this report.
Key Takeaways
- GTIG identified a new multi-component .NET backdoor, STOCKSTAY, actively developed by Russia-linked Turla since at least December 2022, sharing code overlaps and a common developer lineage with the KAZUAR toolkit.
- STOCKSTAY disguises itself as benign software (stock market viewers, PDF viewers, calculators) and communicates via encrypted WebSocket connections to C2 servers hosted on legitimate platforms like Render and Glitch.
- The malware uses environmental keying (hostname/domain hash) to decrypt its configuration only on intended targets, and hard-coded passwords during initial-access phishing operations.
- Turla deployed STOCKSTAY via malicious RDP configuration files, HTA lures, and most recently (November 2025) via CVE-2025-8088, a WinRAR path traversal vulnerability, in phishing campaigns against roughly 20 Ukrainian military-linked targets.
- Turla consistently uses academic/diplomatic-themed lures and has targeted Ukrainian government/military organizations as well as entities interested in Italian foreign policy.
Affected Systems
- Windows systems used by government and military personnel in Ukraine
- Windows systems belonging to entities interested in Italian foreign policy / Ministry of Foreign Affairs
- Users of WinRAR vulnerable to CVE-2025-8088
- Organizations using RDP with permissive inbound connection configuration
Vulnerabilities (CVEs)
- CVE-2025-8088 - WinRAR path traversal vulnerability exploited via malicious RAR archives to install STOCKSTAY components (exploited November 2025)
Attack Chain
Turla gains initial access primarily via spear-phishing using malicious RDP configuration files, malicious HTA lures, or (as of November 2025) WinRAR archives exploiting CVE-2025-8088 delivered to Ukrainian military/government personnel via compromised email accounts and file-sharing links. Once executed, STOCKSTAY.MARKETMAKER downloads and extracts the core STOCKSTAY components from compromised third-party infrastructure (e.g., compromised government sites, WordPress instances), establishes persistence via registry Run keys or LNK files in the startup directory, and launches the modular backdoor. The STOCKSTAY.STOCKBROKER component establishes a WebSocket connection to actor-controlled infrastructure (often hosted on legitimate platforms like Render or Glitch), relaying encrypted (RSA/AES) tasking to and from STOCKSTAY.STOCKMARKET, which orchestrates command execution via STOCKSTAY.STOCKTRADER for file exfiltration, registry manipulation, screen capture, and arbitrary command execution. Configuration data is encrypted using environmental keying (hostname/domain hash) for later-stage operations, or hard-coded passwords for initial-access deployments, and data is compressed/base64-encoded before exfiltration over the encrypted WebSocket channel.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Google Threat Intelligence Group blog post, GTI Collection
The article includes multiple YARA rules embedded in the 'Detections' section covering STOCKSTAY configuration files, crypto containers, window names, the MARKETMAKER downloader, the STOCKMARKET controller, the STOCKBROKER tunneler, the STOCKTRADER backdoor, and the K1MORPHER obfuscation routine (including a byte-pattern signature for the Squirrel3 RNG). Additional IOCs are made available via a GTI Collection for registered users.
Detection Engineering Assessment
EDR Visibility: Medium — EDR with process creation, file write, and registry modification telemetry could observe MARKETMAKER's autorun persistence, LNK/startup folder drops, and STOCKTRADER's subprocess creation, but heavy use of .NET, in-memory ZIP handling, and windowless subprocess execution with redirected stdout could reduce visibility without behavioral/.NET assembly monitoring. Network Visibility: Medium — WebSocket C2 traffic over TLS to legitimate cloud platforms (Render, Glitch) blends with normal traffic and evades naive domain reputation blocking; however, network monitoring capable of inspecting WSS handshakes/SNI to these third-party hosting domains, plus anomalous outbound connections from unexpected hosts, could provide detection opportunities. Detection Difficulty: Hard — STOCKSTAY's modular architecture, environmental keying, encrypted configuration disguised as legitimate cryptocurrency data, use of legitimate cloud WebSocket hosting for C2, and continuous obfuscation development (K1MORPHER) make both static and behavioral detection challenging without prior knowledge of the malware family or access to the specific YARA signatures provided.
Required Log Sources
- Windows Event ID 4688 (process creation) with command-line auditing
- Sysmon Event ID 1 (process creation), 3 (network connection), 11 (file creation), 13 (registry modification)
- Registry Run key monitoring
- Proxy/firewall logs showing WSS connections to *.onrender.com and *.glitch.me
- Email gateway logs for phishing attachments (RDP files, HTA, RAR archives)
- WinRAR/archive extraction logs if available
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for outbound WebSocket (WSS) connections established by unsigned or newly-installed .NET Windows Forms executables to third-party hosting platforms shortly after a phishing email or RDP file interaction. | Network connection logs, Sysmon Event ID 3, process-to-network correlation | Command and Control | Medium - legitimate applications also use these hosting platforms for WebSocket services |
| Hunt for new autorun registry entries or LNK files created in the startup folder pointing to executables with generic Microsoft-sounding names (e.g., 'MSViewer.exe', 'MSDriver.exe') that were not delivered via standard software deployment tooling. | Sysmon Event ID 13 (registry modification), Event ID 11 (file creation) in Startup folder | Persistence | Low - legitimate software rarely uses ambiguous generic naming combined with recent unusual creation timestamps |
| Investigate execution of mshta.exe launching a file rename-then-execute sequence (e.g., renaming a .dat file to .exe) shortly after opening an email attachment or downloaded archive. | Sysmon Event ID 1 (process creation) parent-child relationships, file rename events | Execution | Low - this specific rename-and-execute pattern is uncommon in benign HTA usage |
| Search for RDP client connections (mstsc.exe) initiated shortly after opening an email attachment, connecting to external/unusual RDP servers not previously seen in the environment's baseline. | Sysmon/EDR process creation for mstsc.exe, network connection logs on port 3389 outbound | Initial Access | Medium - legitimate remote work RDP usage could generate similar telemetry; requires baselining of normal RDP destinations |
| Hunt for archive extraction utilities (e.g., WinRAR) writing files outside the expected extraction directory, indicative of path traversal exploitation consistent with CVE-2025-8088. | File creation events correlated with archive extraction process, especially writes to Startup folder from an archive tool | Initial Access / Exploitation | Low - path traversal writes to sensitive directories from archive tools are highly anomalous |
Control Gaps
- Domain/URL reputation-based network blocking alone would likely miss C2 traffic hosted on legitimate cloud platforms like Render and Glitch
- Signature-based antivirus may fail against custom obfuscation (K1MORPHER) and continuously evolving component naming/hashes
- Email security filtering may not flag malicious RDP configuration file attachments as inherently dangerous by default
- Patch management gaps for WinRAR would leave organizations exposed to CVE-2025-8088 exploitation
Key Behavioral Indicators
- Unsigned .NET Windows Forms executables masquerading as stock market, PDF viewer, or calculator utilities
- New registry Run key entries or Startup folder LNK files referencing generically-named executables (e.g., MSViewer.exe, MSDriver.exe, MSRender.exe, StockMarketView.exe)
- Configuration files formatted as JSON referencing cryptocurrency exchange WebSocket endpoints (Binance, Coinbase, Bybit) as decoy content
- Windowless subprocess creation with redirected stdout originating from an otherwise dormant .NET application
- WebSocket connections to paths ending in /ws on third-party PaaS subdomains from unexpected host processes
False Positive Assessment
- Medium - Some behavioral indicators (WebSocket connections to legitimate cloud platforms, generic executable names, registry Run key persistence) can overlap with legitimate software behavior, requiring correlation across multiple signals to reduce false positives; the provided YARA rules targeting specific strings and byte patterns offer higher-confidence detection with lower false-positive risk.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting; consider isolating hosts showing signs of unexpected WebSocket connections to Render/Glitch subdomains combined with recently created autorun entries.
- If your email security or attachment filtering supports blocking .rdp configuration file attachments, consider enabling that control given their use as an initial access vector in this campaign.
- Consider prioritizing patching of WinRAR to a version that addresses CVE-2025-8088 across all endpoints where the software is installed.
- If EDR supports it, consider hunting for and terminating processes matching the generic Microsoft-imitating filenames described (MSViewer.exe, MSDriver.exe, MSRender.exe) if found outside expected legitimate contexts.
Infrastructure Hardening
- Evaluate whether outbound network policies can restrict or closely monitor WebSocket (WSS) traffic to consumer PaaS platforms such as Render.com and Glitch.me from workstation subnets.
- Consider implementing application allow-listing to prevent execution of unsigned or newly-dropped .NET executables from user-writable directories.
- If applicable, review and harden Group Policy Object (GPO) deployment processes and domain controller access controls, as Turla has previously abused GPO for malware deployment.
- Consider restricting outbound RDP connections from user endpoints to only sanctioned, allow-listed remote hosts to reduce risk from malicious RDP configuration file lures.
User Protection
- Consider deploying endpoint controls that block or sandbox execution of .hta files received via email or downloaded archives.
- Evaluate whether your archive extraction tooling (e.g., WinRAR) is fully patched and whether extraction can be restricted to sandboxed environments for untrusted archives.
- If your EDR supports behavioral detection, consider tuning alerts for process chains involving mshta.exe followed by file rename-and-execute activity.
- Consider monitoring for and alerting on connections to unfamiliar RDP servers initiated shortly after opening an email attachment.
Security Awareness
- Consider incorporating awareness training on the risks of opening RDP configuration file (.rdp) attachments from unsolicited or unexpected emails, especially those referencing academic or training portals.
- Consider briefing personnel, particularly in government, military, and diplomatic roles, on the risk of phishing emails using academic, diplomatic, or military-benefit themed lures (e.g., 'calculator' or 'training' documents).
- Consider reinforcing guidance around verifying legitimacy of file-sharing links (e.g., ukr.net) before downloading and extracting compressed archives, especially those claiming to relate to military logistics or benefits.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1204.002 - User Execution: Malicious File
- T1218.005 - System Binary Proxy Execution: Mshta
- T1203 - Exploitation for Client Execution
- T1105 - Ingress Tool Transfer
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1071.001 - Application Layer Protocol: Web Protocols
- T1102 - Web Service
- T1573.001 - Encrypted Channel: Symmetric Cryptography
- T1027 - Obfuscated Files or Information
- T1140 - Deobfuscate/Decode Files or Information
- T1082 - System Information Discovery
- T1057 - Process Discovery
- T1113 - Screen Capture
- T1005 - Data from Local System
- T1560.001 - Archive Collected Data: Archive via Utility
- T1112 - Modify Registry
- T1090 - Proxy
Additional IOCs
- File Hashes:
e6d8192960a89d5480868b94088cccdaa1560f9c8a0b0282ced2b7c1f72341b6(SHA256) - DriversPrinterGraphic.rar - early STOCKSTAY combined sample archive (Sept 2023)1fc23ec18a94a599a34c74ef5f49a1e27acd37a07d5846661702b5e7e81a6a24(SHA256) - StockMarketNews.exe - early combined STOCKSTAY executable1a2ca8b8e0344fe3d80da7352206a470245443e2349a237bc093df934ddc011f(SHA256) - sample.conf - early STOCKSTAY configuration file81aabf646619ea5f4a72457cd3aa17c5988003d67e6454f45e7cb33613021bac(SHA256) - apps_libwallets_v1.3.rar - first modular STOCKSTAY sample archive (Dec 2023)9164054d0bf0b7c8820da4f742860940998984555e65820e4fa8dd07b6bd67ec(SHA256) - StockMarketView.exe - STOCKSTAY.STOCKMARKET orchestrator34fcbe7e90fc87a4f3766469c19a64f24672d7adb99e0198f5ba10d58911368b(SHA256) - StockMarketNet.exe - STOCKSTAY.STOCKBROKER tunneler0a545dd1b703cddfb3d582c8c70f65f556bbd580bfa836a387121eb837bda61b(SHA256) - StockMarketSystem.exe - STOCKSTAY.STOCKTRADER backdoorb064a3efb04ed77e6c57955089ce639e193d166c8ea2216c98c3e9b701ea2cff(SHA256) - Copia.msi - MSI masquerading as ILSpy, installing STOCKSTAY, targeting Italian foreign affairs entity (Feb 2024)da8a96bc74e265f945f1cc6992c6dc0f9ea36ed1991f7b8d312db79d9bf78c40(SHA256) - MicrosoftUpdateOneDrive.exe - STOCKSTAY.MARKETMAKER downloader deployed via malicious RDP file (March 2025)9fe944147c15a87963b06baf6473288d64c23655a0ba9369c35566272d8efc73(SHA256) - docs.zip - archive containing STOCKSTAY components downloaded via MARKETMAKER from compromised Ukrainian government infrastructured3fd32f915c239872c9e7ed9408b1f36dfcef03aa68f9a396d05c437667cdb43(SHA256) - ClientMNGR2.exe - STOCKSTAY.STOCKBROKER sample uploaded from Poland (May 2025)98ce3c6e4dd05887ea619f2bbfeb2e2c2805ed07e85e119b79b828b7ef8be397(SHA256) - GR3.exe - K1MORPHER-obfuscated STOCKSTAY.STOCKBROKER sample first showing new obfuscation technique6da0b4c1a5d0d3fb6e6a2990a82ba51db1f68a3bba818baa46526a29731e2342(SHA256) - calculator.rar - archive hosting malicious HTA lure and STOCKSTAY.MARKETMAKER, targeting Ukrainian military personnel0d6b083208097d5b3e189891338540f6c64faaaaf268b0bb0b085dd53d5857b4(SHA256) - Malicious HTA lure file 'Military personnel cash benefit calculator 2025.hta'626330d22f77d9cbca9d40cc06568041703f194610c4c5a84bbb05a2e4ee7459(SHA256) - styles.dat.exe - renamed STOCKSTAY.MARKETMAKER downloader executed by malicious HTA447f430b46fad5a3f8e8c5aad1f8f7f79af069489c3d9c29224bb9f14f0c7bf4(SHA256) - EditorToolsPdf.zip - archive containing STOCKSTAY components downloaded from compromised WordPress site19e6ed42248f9d03beb343a7c09a864dcd3cd671c29e1e5eac93579225224ac9(SHA256) - DiplomacyEduAI.msi - MSI containing STOCKSTAY components uploaded to GitHub account Roberto1983-aif04f43b6f7c2d86109c495179b497f7fb45fd95816623de1b77900f71b4f99ed(SHA256) - server.py - Python STOCKSTAY C2 controller uploaded to GitHub account ChikenFresha40bf9c75d1bfa6d66f1179f2321de6589f80d3089d992797a9cb0e84f6196ce(SHA256) - MSViewer.exe - STOCKSTAY.STOCKMARKET orchestrator used in November 2025 CVE-2025-8088 campaignc905cb512018cc55512c6a22677c3d6f389c47afd54d7c85797868fc4fcb90e9(SHA256) - MSDriver.exe - STOCKSTAY.STOCKBROKER tunneler used in November 2025 CVE-2025-8088 campaign667a8f568a611f2f3d84a366b7946b360e055bece9699c95aad619637ab72a38(SHA256) - MSRender.exe - STOCKSTAY.STOCKTRADER backdoor used in November 2025 CVE-2025-8088 campaign
- Registry Keys:
Software\Microsoft\Windows\CurrentVersion\Run- Registry Run key used by STOCKSTAY.MARKETMAKER to establish autorun persistence for core STOCKSTAY components
- File Paths:
%LOCALAPPDATA%\Programs\SMN\- Installation directory used by STOCKSTAY MSI installer for core component executablesms-lib-math-core.dll- External module masquerading as legitimate Windows library, containing STOCKSTAY.STOCKMARKET's shared crypto/obfuscation routinesms-api-wmcpdt.dll- External module masquerading as legitimate Windows library, containing STOCKSTAY IPC logic (STOCKBROKER)ms-api-win-render.dll- External module masquerading as legitimate Windows library, containing STOCKSTAY.STOCKTRADER backdoor command handlerscalculator_2025_files\styles.dat.exe- Renamed STOCKSTAY.MARKETMAKER downloader executed after HTA lure renames styles.dat to an executableMSViewer.lnk- LNK shortcut dropped to stage/execute STOCKSTAY.STOCKMARKET, deployed to startup programs directory for persistenceMSDriver.lnk- LNK shortcut dropped to stage/execute STOCKSTAY.STOCKBROKER, deployed to startup programs directory for persistenceMSRender.lnk- LNK shortcut dropped to stage/execute STOCKSTAY.STOCKTRADER, deployed to startup programs directory for persistence
- Command Lines:
- Purpose: MSI custom action executed on install to open a phishing lure URL in the default browser, run before other install actions | Tools:
msiexec,viewer.exe| Stage: Initial Access / Delivery |viewer.exe <lure_url> - Purpose: HTA-triggered JScript renames a staged data file to an executable and silently launches it | Tools:
mshta.exe,WScript.Shell,Scripting.FileSystemObject| Stage: Execution |fso.MoveFile(oldName, newName); shell.Run(newName, 1, false)
- Purpose: MSI custom action executed on install to open a phishing lure URL in the default browser, run before other install actions | Tools: