HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Turla Deploys New StockStay Malware via Phishing RDP Lures Against Ukrainian Government and European Entities

Russian‑state hackers from Turla have been delivering a new malware family, StockStay, through phishing emails that contain malicious RDP configuration files. The campaign targets Ukrainian government and defense organizations and has also reached entities in Italy, the Netherlands, Poland and Germany. For SOC 2‑ready organizations this underscores the need for strong remote‑access controls and documented security‑awareness training.

LiveThreat™ Intelligence · 📅 June 26, 2026· 📰 therecord.media
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
therecord.media

Turla Deploys New StockStay Malware via Phishing RDP Lures Against Ukrainian Government and European Entities

What Happened — Russian‑state backed group Turla (aka Secret Blizzard/Venomous Bear) has been observed using a newly‑developed malware family called StockStay. Since at least December 2022 the tool has been delivered through phishing emails that contain malicious Remote Desktop Protocol (RDP) configuration files, giving the attackers foothold on Ukrainian government and defense networks and on organizations in Italy, the Netherlands, Poland and Germany.

Why It Matters for Compliance & Audit Readiness

  • The campaign exploits weak remote‑access controls and user susceptibility to phishing – exactly the scenarios SOC 2 CC6.1 (Logical Access) and CC7.1 (Security Awareness) are designed to mitigate and evidence.
  • Continuous monitoring of RDP sessions and documented security‑awareness training provide the audit‑ready evidence needed to demonstrate that “access is granted only to authorized users” and “employees are trained to recognize social‑engineering attacks.”
  • Mapping this incident to your SOC 2 control set helps you prove due diligence to auditors and regulators while closing the gap that allowed the intrusion.

Who Is Affected — Government & defense agencies in Ukraine and several European states; any third‑party service providers that support those entities.

Recommended Actions

  • Review and harden RDP/remote‑access configurations; enforce MFA and least‑privilege for all remote sessions.
  • Conduct targeted phishing‑simulation campaigns and refresh security‑awareness training focused on malicious RDP files.
  • Deploy continuous logging and alerting on remote‑access activity to generate SOC 2‑compliant evidence of control effectiveness.

Source: The Record – Turla group adds more malware to Russia’s espionage efforts against Ukraine

Technical Notes

  • Attack vector: Phishing emails with malicious RDP configuration files.
  • Malware behavior: StockStay masquerades as legitimate software (stock apps, PDF readers, calculators) and establishes persistent back‑doors.
  • No public CVE; the threat leverages credential‑theft and remote‑access abuse rather than a software vulnerability.
📰 Original Source
https://therecord.media/russia-turla-espionage-ukraine-stockstay-malware

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →