The Russian-linked threat actor Turla has been using a new backdoor called StockStay to target government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy. The backdoor, which was developed by Turla since at least December 2022, is designed for ongoing cyber espionage and shares significant code and functional overlaps with the Kazuar toolkit previously attributed to Turla.

Background and Context

Turla has been active in the threat landscape since at least 2004 and has a long history of targeting a wide range of industries, including western Ministries of Foreign Affairs and defense organizations. The group has been publicly attributed by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Center 16 of Russia's Federal Security Service (FSB). In recent years, Turla has been observed deploying sophisticated tools such as the Kazuar toolkit, which is capable of intercepting secure communications from Signal Messenger users.

The use of StockStay by Turla marks a new development in the group's arsenal and highlights their continued interest in targeting government and military organizations. The backdoor's design and functionality suggest that it is intended for ongoing cyber espionage, with capabilities such as file download/exfiltration/modification, folder tampering, screen capture, task processing, registry modification, process execution, and system information harvesting.

Why It Matters to the Industry

The use of StockStay by Turla has significant implications for the adult industry, which relies heavily on online platforms and infrastructure. The backdoor's capabilities suggest that it could be used to compromise sensitive data and disrupt operations. In addition, the fact that Turla is targeting government and military organizations in Ukraine raises concerns about the potential for similar attacks against other industries, including the adult sector.

The use of StockStay also highlights the ongoing threat posed by Russian-linked threat actors, which has been a concern for the industry in recent years. The backdoor's design and functionality suggest that it is intended to evade detection and remain undetected for extended periods, making it a challenging threat to mitigate.

What Comes Next

The discovery of StockStay by Turla highlights the need for adult industry platforms and operators to remain vigilant and proactive in their security measures. This includes implementing robust cybersecurity protocols, conducting regular vulnerability assessments, and staying up-to-date with the latest threat intelligence.

In addition, the use of StockStay suggests that Turla may be exploring new tactics and techniques to evade detection and compromise sensitive data. As such, it is essential for the industry to remain informed about emerging threats and adapt their security measures accordingly.

Key Facts

  • Turla has been using a new backdoor called StockStay since at least December 2022.
  • The backdoor is designed for ongoing cyber espionage and shares significant code and functional overlaps with the Kazuar toolkit.
  • StockStay targets government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy.
  • The backdoor's capabilities include file download/exfiltration/modification, folder tampering, screen capture, task processing, registry modification, process execution, and system information harvesting.
  • Turla has been publicly attributed by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Center 16 of Russia's Federal Security Service (FSB).