Turla group adds more malware to Russia’s espionage efforts against Ukraine
2026-6-26 13:49:53 Author: therecord.media

Russian state-backed hackers have spent years developing and deploying a little-known malware strain to spy on Ukrainian government and military organizations, as well as entities of interest across Europe, according to new research.

The malware, dubbed StockStay, has been under active development since at least December 2022, researchers at Google said in a report published on Thursday. It was primarily used to target Ukrainian government and defense organizations, although early samples of the malware were also identified in Italy, the Netherlands, Poland and Germany.

Turla, also tracked as Secret Blizzard and Venomous Bear, is one of Russia's longest-running cyber-espionage groups and has been linked by Western governments and cybersecurity researchers to Russia's Federal Security Service (FSB).

Google said StockStay shares significant code and functionality with Kazuar, another Turla malware framework previously used in cyberespionage operations against military and defense targets in Ukraine. The researchers said they believe StockStay was deliberately developed in Kazuar's image, reflecting the group's experience with the older toolkit.

"The group appears to be investing in redundant, parallel malware ecosystems to ensure persistent access even when individual tools are discovered and remediated," Google said in a statement to Recorded Future News, describing Turla as "an ongoing and active threat."

Researchers said StockStay has evolved considerably since its first appearance. Originally disguised as a stock market application, the malware has more recently masqueraded as legitimate software such as PDF readers and calculator programs.

Victims were typically infected through phishing emails carrying malicious Remote Desktop Protocol (RDP) configuration files. When opened, these files connected the victim's computer to RDP infrastructure controlled by the attackers, giving them a foothold from which to deploy additional malware.
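As an added illustration of the check a mail gateway or SOC analyst would want for this delivery technique, the Python below parses an .rdp attachment and flags the settings that would let an attacker-controlled RDP server reach into the victim's machine. It is example code written for this page, not code from the article or from Google's report; the .rdp line format (`name:type:value`) is Microsoft's documented format, but the list of settings treated as risky, the trusted-host allowlist and the two sample files are the editor's assumptions, constructed for the example and not findings from the report.

```python
"""Triage .rdp attachments for the rogue-RDP delivery pattern.

Added example for this page; not from the article or Google's report.
The .rdp format (one `name:type:value` line per setting, type s/i/b) is
Microsoft's. The risky-setting list and the allowlist defaults below are
assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
import re

# Settings that give the remote host reach into the local machine.
# Assumed risk list (editor's choice), not taken from the report.
RISKY_SETTINGS = {
    "remoteapplicationmode": lambda v: v == "1",  # RemoteApp hides the full desktop
    "drivestoredirect": lambda v: v not in ("", "0"),  # local drives mapped into the session
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "authentication level": lambda v: v == "0",  # connect even if server auth fails
}


def parse_rdp(text: str) -> dict[str, str]:
    """Parse `name:type:value` lines; names may contain spaces, values may contain colons."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # not a well-formed setting line
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def host_of(full_address: str) -> str:
    """Strip an optional :port from a `full address` value ([v6]:port or host:port)."""
    m = re.match(r"^\[(.+)\](?::\d+)?$", full_address)
    if m:
        return m.group(1)
    if re.search(r":\d+$", full_address):
        return full_address.rsplit(":", 1)[0]
    return full_address


def is_trusted_host(host: str, trusted_suffixes, trusted_networks) -> bool:
    """True if host is an IP in an allowed network or a name under an allowed suffix."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in trusted_networks)
    except ValueError:
        return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def triage(text: str,
           trusted_suffixes=("corp.example",),      # assumed allowlist
           trusted_networks=("10.0.0.0/8",)) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    settings = parse_rdp(text)
    findings: list[str] = []
    addr = settings.get("full address", "")
    if not addr:
        findings.append("no 'full address' setting")
    else:
        nets = [ipaddress.ip_network(n) for n in trusted_networks]
        if not is_trusted_host(host_of(addr), trusted_suffixes, nets):
            findings.append(f"connects to untrusted host {addr}")
    for name, risky in RISKY_SETTINGS.items():
        if name in settings and risky(settings[name]):
            findings.append(f"{name}:{settings[name]} enabled")
    return findings


# Constructed sample files for the example (not real attachments).
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp.example-conf.net:3389
remoteapplicationmode:i:1
remoteapplicationname:s:Document Viewer
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
authentication level:i:0
"""

BENIGN_RDP = """\
full address:s:ts01.corp.example
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        print(label, triage(blob))
```

The two sample files stand in for a lure attachment and an ordinary internal terminal-server shortcut; in production the allowlist would come from the organisation's own RDP hosts, and a match on the untrusted-host rule alone is enough to quarantine the message.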

Researchers said Turla repeatedly used academic and diplomatic themes to lure victims. In one campaign, the attackers sent phishing emails from a compromised account belonging to a Ukrainian university. In another, they abused a diplomatic education platform to distribute malicious emails and files.



Article source: https://therecord.media/russia-turla-espionage-ukraine-stockstay-malware