Google Threat Intelligence Group analyzed STOCKSTAY, a modular .NET backdoor developed and operated by Turla since late 2022, which uses a WebSocket-based C2 channel, RSA/AES encrypted communications, and IPC via WM_COPYDATA between its downloader, orchestrator, tunneler, and backdoor components. STOCKSTAY exhibits strong code, architectural, and obfuscation (K1MORPHER) overlaps with KAZUAR, suggesting a shared development team, and has been deployed via phishing (malicious RDP files, HTA lures) and, most recently, exploitation of CVE-2025-8088 in WinRAR to target Ukrainian military personnel. The actor leverages legitimate hosting platforms (Render, Glitch, GitHub) and compromised third-party/government infrastructure to obscure C2 infrastructure and complicate attribution.