STOCKSTAY Shows Secure Messaging Still Ends At The Endpoint
Google Threat Intelligence Group says Turla has developed and deployed a .NET backdoor since at least 2022. Sensitive teams need endpoint containment, lure control, and telemetry around communication devices.
Google Threat Intelligence Group published a June 25, 2026 analysis of STOCKSTAY, a multi-component .NET backdoor it tracks as part of the Russia-linked Turla toolset. GTIG says STOCKSTAY has been developed and deployed since at least December 2022, with targeting that includes Ukrainian government and military organizations and entities tied to Italian foreign policy. The report describes a proxy-aware WebSocket command channel, encrypted configuration, modular task execution, file collection, screen capture, persistence, and deployment through malicious RDP files.
The Protocol Report lesson is not that one secure messenger failed. It is that sensitive conversations become vulnerable when the endpoint is owned. GTIG notes Turla has also used specialized scripts to intercept secure communications from Signal Messenger users. If a threat actor can control the desktop where mail, files, group chats, admin consoles, and messaging clients are open, encryption in transit is only one layer. High-risk communities need endpoint posture, lure handling, device-list review, and telemetry that treats communication devices as part of the security boundary.
Key Takeaways
- GTIG describes STOCKSTAY as a Turla-linked .NET backdoor with distinct relay, orchestration, and task-execution components.
- The malware can enumerate files, retrieve targeted files, capture screenshots, execute commands, modify registry values, and communicate through encrypted WebSocket traffic.
- GTIG says observed delivery included malicious RDP configuration files framed as access to training or education portals.
- Secure messaging protects message transport, but it cannot protect the screen, filesystem, clipboard, session state, or local notification surface of a compromised endpoint.
- Defenders should monitor RDP file handling, unusual WebSocket destinations, persistence locations, signed-looking decoys, and outbound file collection behavior.
- Sensitive teams should pair messenger choice with device hardening, least-privilege desktops, rapid re-enrollment after compromise, and device-list audits.
What GTIG Published
GTIG's report describes STOCKSTAY as a multi-component backdoor written in .NET and using Windows Forms. The backdoor communicates with command infrastructure through a secure WebSocket connection and separates network relay, orchestration, and host task execution into components GTIG tracks as STOCKBROKER, STOCKMARKET, and STOCKTRADER. GTIG says the malware originally masqueraded as a stock-market data tool and later appeared under other benign-looking disguises such as PDF viewers and calculator utilities.
The report links the capability to Turla, also tracked as Secret Blizzard and Venomous Bear, with code and functional overlaps to KAZUAR. MITRE ATT&CK describes Turla as a Russia-attributed cyber espionage group that has targeted government, embassy, military, education, research, and pharmaceutical victims across many countries since at least 2004. GTIG's contribution is not simply naming the group. It explains how this specific implant works and how it has changed over several years.
The Endpoint Is The Boundary
Encrypted messaging often focuses attention on server trust, transport encryption, key agreement, and metadata. Those issues matter. They do not remove the endpoint problem. If malware can capture screenshots, list files, run commands, read local application data, or observe a user as they interact with private conversations, message encryption has already been bypassed at the place where plaintext is rendered.
That is why GTIG's note about Turla using specialized scripts to intercept secure communications from Signal Messenger users is operationally important. The right conclusion is restrained: it does not mean Signal's protocol is broken, and it does not mean every secure chat is exposed. It means organizations that rely on secure messaging for sensitive work must defend the devices where messages are read, not only the protocol that moves them.
How The Lure Fits The Risk
GTIG observed STOCKSTAY deployments after phishing attempts using malicious RDP configuration files. The lure theme matters because it is plausible for the target set: education, diplomacy, military, and training. A victim is not necessarily asked to run a suspicious executable directly. They may be asked to open an RDP file framed as access to an online training portal, which then creates a remote connection to actor-controlled infrastructure and enables follow-on deployment.
For sensitive communities, RDP files deserve the same suspicion as macro documents and installer packages. Many community operators and small teams have trained users to distrust executable attachments, but RDP configuration files, meeting helpers, remote support links, and browser-based access portals can still slip through. Controls should include attachment filtering, file association policy, remote desktop restrictions, browser isolation for high-risk lures, and user-visible reporting channels for strange access requests.
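One way to put "attachment filtering" and "file association policy" into practice is to inspect an .rdp file before the user's desktop hands it to mstsc.exe. The checker below is an added example written for this article; it is not GTIG's tooling and not taken from the STOCKSTAY report. It parses the `key:type:value` lines of an .rdp file and flags settings that expose the local desktop to the remote side (drive and clipboard redirection, RemoteApp mode, disabled server authentication) or that point at a host outside an allowlist. The allowlist, the two sample files, and the choice of flagged settings are assumptions for illustration; the report does not state which settings Turla's lure files used.

```python
"""Inspect .rdp connection files before a user can open them.

Added example for this article, not code from GTIG or from the STOCKSTAY
report. The allowlist and the sample .rdp contents are constructed; the
risk heuristics are general RDP hardening rules, not settings the report
attributes to Turla's lure files.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Hypothetical allowlist of RDP gateways a managed desktop may reach.
APPROVED_HOSTS = ("rdp.corp.example", "*.rds.corp.example")


@dataclass
class RdpFinding:
    severity: str  # "high" or "medium"
    setting: str
    reason: str


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'key:type:value' lines; the value part may itself contain ':'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue
        key, typ, value = line.split(":", 2)
        settings[key.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def target_host(full_address: str) -> str:
    """Strip an optional port from 'host:port' or '[ipv6]:port'."""
    if full_address.startswith("["):
        return full_address[1:full_address.find("]")]
    host, sep, port = full_address.rpartition(":")
    return host if sep and port.isdigit() else full_address


def host_approved(host: str) -> bool:
    return any(fnmatch(host.lower(), pattern) for pattern in APPROVED_HOSTS)


def inspect_rdp(text: str) -> list[RdpFinding]:
    s = parse_rdp(text)
    findings: list[RdpFinding] = []
    addr = s.get("full address", ("s", ""))[1]
    if not addr:
        findings.append(RdpFinding("high", "full address", "no target host"))
    elif not host_approved(target_host(addr)):
        findings.append(RdpFinding("high", "full address",
                                   f"connects to unapproved host {target_host(addr)}"))
    if s.get("drivestoredirect", ("s", ""))[1]:
        findings.append(RdpFinding("high", "drivestoredirect",
                                   "local drives are shared with the remote host"))
    if s.get("remoteapplicationmode", ("i", "0"))[1] == "1":
        findings.append(RdpFinding("medium", "remoteapplicationmode",
                                   "a remote program is rendered as a local window"))
    if s.get("redirectclipboard", ("i", "0"))[1] == "1":
        findings.append(RdpFinding("medium", "redirectclipboard",
                                   "clipboard contents are shared with the remote host"))
    if s.get("alternate shell", ("s", ""))[1]:
        findings.append(RdpFinding("medium", "alternate shell",
                                   "a program is launched as soon as the session opens"))
    if s.get("authentication level", ("i", "2"))[1] == "0":
        findings.append(RdpFinding("medium", "authentication level",
                                   "server identity is not checked before connecting"))
    if "signature" in s:
        findings.append(RdpFinding("medium", "signature",
                                   "file carries a signature; presence alone is not a trust decision"))
    return findings


def verdict(text: str) -> str:
    """'block' on any high finding, 'warn' on medium-only findings, else 'allow'."""
    findings = inspect_rdp(text)
    if any(f.severity == "high" for f in findings):
        return "block"
    return "warn" if findings else "allow"


# Constructed sample: a lure styled as a training portal (not from the report).
LURE_RDP = """screen mode id:i:2
full address:s:training-portal.example.net:3389
remoteapplicationmode:i:1
remoteapplicationname:s:Training Portal
redirectclipboard:i:1
drivestoredirect:s:*
authentication level:i:0
prompt for credentials:i:0
"""

# Constructed sample: a file pointing at an approved gateway with no redirection.
BENIGN_RDP = """screen mode id:i:2
full address:s:rdp.corp.example:3389
authentication level:i:2
"""

if __name__ == "__main__":
    for name, text in (("lure", LURE_RDP), ("benign", BENIGN_RDP)):
        print(name, verdict(text))
        for f in inspect_rdp(text):
            print(f"  [{f.severity}] {f.setting}: {f.reason}")
```

Keys absent from the file are treated as their safe value here, so the checker only reports what the file sets explicitly; a mail gateway or endpoint agent that wants a stricter policy can refuse any .rdp file whose target is off the allowlist regardless of other settings.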
What The Backdoor Can Do
GTIG documents STOCKTRADER commands for file listing, targeted file retrieval, file upload, directory creation and deletion, process execution, registry read and write, registry deletion, system survey, screenshot capture, and multi-task processing. File retrieval can search directories for target extensions, place matches into an in-memory ZIP archive, and encode results for transmission. The implant also creates unique infection identifiers and uses key material to encrypt outbound data.
Those capabilities map cleanly to communication risk. A compromised endpoint may reveal exported chat archives, downloaded attachments, screenshots of private rooms, browser sessions to admin consoles, cloud-drive folders used by the group, SSH keys, passkey-management pages, and recovery codes. Even when the attacker does not directly read a chat database, the surrounding workspace often contains enough context to reconstruct sensitive work.
Detection Needs More Than IOCs
Indicators are useful, but GTIG's report shows why behavior matters. STOCKSTAY has changed disguises, evolved component roles, and used environmental keying to limit what analysts can see outside the intended environment. A static blocklist will miss variants and related tooling. Detection should combine file reputation, execution path, parent process, RDP file handling, WebSocket destinations, unusual use of Windows Forms utilities, registry persistence, and outbound archives.
Network teams should not treat WebSocket traffic as automatically benign because it is common in modern apps. The question is whether a desktop that usually talks to chat, browser, and collaboration services is suddenly maintaining encrypted WebSocket sessions to unfamiliar infrastructure after a lure. Endpoint teams should correlate that with process lineage, command execution, screenshot API use, file collection, and changes to startup keys or scheduled persistence.
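The correlation the two paragraphs above describe, as an added example written for this article rather than GTIG's detection logic or anything from the STOCKSTAY report: three behavioural rules run over a constructed stream of endpoint and network events (an .rdp file opened from a user-facing application, a WebSocket upgrade from a process that is not a known WebSocket client, and a Run-key write from a binary outside Program Files), and hits on the same host within a window after the lure are grouped into one alert. The event records, process names, destination hosts, allowlists and window length are assumptions; the field names follow no specific EDR product.

```python
"""Correlate endpoint and network telemetry for the behaviours this article lists.

Added example, not GTIG's detection logic and not code from the STOCKSTAY
report. The events, process names, hosts and allowlists are constructed to
exercise the rules; field names follow no particular EDR product.
"""
from datetime import datetime, timedelta

# Hypothetical allowlists for a managed desktop.
WEBSOCKET_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "slack.exe"}
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "slack.exe"}
TRUSTED_PATH_PREFIXES = (r"c:\program files", r"c:\windows")
RUN_KEY = r"\microsoft\windows\currentversion\run"
LURE_WINDOW = timedelta(hours=2)  # how long after the lure follow-on activity is tied to it

# Constructed telemetry: WS-17 opens a lure and then shows follow-on behaviour;
# WS-22 is a browser doing ordinary WebSocket traffic and must not alert.
EVENTS = [
    {"t": "2026-07-01T09:00:00", "host": "WS-17", "type": "process", "pid": 4010, "ppid": 800,
     "image": "outlook.exe", "cmdline": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"t": "2026-07-01T09:04:12", "host": "WS-17", "type": "process", "pid": 4122, "ppid": 4010,
     "image": "mstsc.exe", "cmdline": r'C:\Windows\System32\mstsc.exe "C:\Users\ana\Downloads\training-portal.rdp"'},
    {"t": "2026-07-01T09:20:30", "host": "WS-17", "type": "process", "pid": 4380, "ppid": 1200,
     "image": "PDFViewer.exe", "cmdline": r"C:\Users\ana\AppData\Roaming\PDFViewer\PDFViewer.exe"},
    {"t": "2026-07-01T09:20:35", "host": "WS-17", "type": "network", "pid": 4380,
     "dest": "cdn-assets.example-upd.net", "port": 443, "upgrade": "websocket"},
    {"t": "2026-07-01T09:21:00", "host": "WS-17", "type": "registry", "pid": 4380,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "PDFViewer"},
    {"t": "2026-07-01T09:30:00", "host": "WS-22", "type": "process", "pid": 5100, "ppid": 900,
     "image": "chrome.exe", "cmdline": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"t": "2026-07-01T09:30:05", "host": "WS-22", "type": "network", "pid": 5100,
     "dest": "edge-chat.slack.com", "port": 443, "upgrade": "websocket"},
]


def ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["t"])


def process_table(events: list[dict]) -> dict[tuple[str, int], dict]:
    """(host, pid) -> process-create event, so lineage can be resolved per host."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}


def rule_rdp_lure(procs: dict) -> list[tuple[str, dict]]:
    """mstsc.exe started on a .rdp file by a mail, browser or chat client."""
    hits = []
    for e in procs.values():
        if e["image"].lower() != "mstsc.exe" or ".rdp" not in e["cmdline"].lower():
            continue
        parent = procs.get((e["host"], e["ppid"]))
        if parent and parent["image"].lower() in USER_FACING_PARENTS:
            hits.append(("rdp_file_from_user_facing_app", e))
    return hits


def rule_websocket(events: list[dict], procs: dict) -> list[tuple[str, dict]]:
    """WebSocket upgrade issued by a process that is not a known WebSocket client."""
    hits = []
    for e in events:
        if e["type"] != "network" or e.get("upgrade") != "websocket":
            continue
        if procs[(e["host"], e["pid"])]["image"].lower() not in WEBSOCKET_PROCESSES:
            hits.append(("websocket_from_unexpected_process", e))
    return hits


def rule_run_key(events: list[dict], procs: dict) -> list[tuple[str, dict]]:
    """Run-key write by a binary executing outside Program Files or Windows."""
    hits = []
    for e in events:
        if e["type"] != "registry" or RUN_KEY not in e["key"].lower():
            continue
        if not procs[(e["host"], e["pid"])]["cmdline"].lower().startswith(TRUSTED_PATH_PREFIXES):
            hits.append(("run_key_write_from_user_path", e))
    return hits


def correlate(events: list[dict]) -> list[dict]:
    """One alert per RDP lure, carrying the follow-on rules seen on that host in the window."""
    procs = process_table(events)
    followups = rule_websocket(events, procs) + rule_run_key(events, procs)
    alerts = []
    for _, lure in rule_rdp_lure(procs):
        start, end = ts(lure), ts(lure) + LURE_WINDOW
        rules = sorted({name for name, ev in followups
                        if ev["host"] == lure["host"] and start <= ts(ev) <= end})
        alerts.append({"host": lure["host"], "lure_pid": lure["pid"],
                       "lure_cmdline": lure["cmdline"],
                       "severity": "high" if rules else "medium",
                       "followup_rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A lure with no follow-on activity still produces a medium alert, because the article's point is that the .rdp file itself deserves suspicion; the WebSocket rule keys on the issuing process rather than on destination reputation so that a renamed "viewer" or "calculator" binary is caught even when its infrastructure is new.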
Practical Controls For Sensitive Teams
For journalists, researchers, moderators, crypto teams, legal teams, and political organizations, the answer is not to abandon secure messaging. The answer is to scope it correctly. Put the most sensitive rooms on hardened devices. Keep admin work out of everyday browsing profiles. Disable unnecessary remote desktop handling. Review linked devices after travel, incident reports, and phishing exposure. Make it easy to report suspicious files without embarrassment or delay.
Incident response should assume that a device compromise can expose messages already rendered on that device, files downloaded from those messages, and tokens for linked services. Rotate credentials, remove linked devices, reissue keys where the product supports it, review recent file access, and notify room owners with a factual scope. Encryption is still valuable. It narrows who can read messages in transit and at rest. It is not a substitute for endpoint containment.
Checklist
- Block or warn on RDP configuration files from email, chat, web downloads, and unmanaged storage unless there is a documented business need.
- Restrict Remote Desktop use to approved hosts and managed pathways, with logging for connection-file execution.
- Monitor desktops that handle sensitive chats for unusual WebSocket sessions, screenshot behavior, file archiving, registry persistence, and command execution.
- Run secure messaging on hardened devices for high-risk groups, and review linked devices after travel, compromise, or phishing exposure.
- Separate community administration from everyday browsing by using dedicated profiles, devices, or virtual desktops for privileged work.
- When a device is suspected compromised, rotate sessions and keys, remove linked devices, preserve evidence, and scope files and conversations exposed locally.
Sources
- Google Cloud GTIG: STOCKSTAY Another Day
- MITRE ATT&CK: Turla
- CISA Joint Cybersecurity Advisory AA23-129A: Hunting Russian Intelligence Snake Malware
- MITRE ATT&CK: Remote Services, Remote Desktop Protocol
- Microsoft Learn: WM_COPYDATA message