Cybersecurity researchers have discovered a Russian-origin remote access toolkit that is distributed via malicious Windows shortcut (LNK) files disguised as private key folders.
The CTRL toolkit, according to Censys, is custom-built using .NET and includes various executables to facilitate credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling via Fast Reverse Proxy (FRP).
"The executables provide encrypted payload loading, credential harvesting via a sophisticated Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP," Censys security researcher Andrew Northern said.
The attack surface management platform said it recovered CTRL from an open directory at 146.19.213[.]155 in February 2026. Attack chains distributing the toolkit rely on a weaponized LNK file ("Private Key #kfxm7p9q_yek.lnk") with a folder icon to trick users into double-clicking it.
This triggers a multi-stage process, with each stage decrypting or decompressing the next, until it results in the deployment of the toolkit. The LNK file dropper is designed to launch a hidden PowerShell command, which then wipes existing persistence mechanisms from the victim's Windows Startup folder.
It also decodes a Base64-encoded blob and runs it in memory. The stager, for its part, tests TCP connectivity to hui228[.]ru:7000 and downloads next-stage payloads from the server. Additionally, it modifies firewall rules, sets up persistence using scheduled tasks, creates backdoor local users, and spawns a cmd.exe shell server on port 5267 that is accessible through the FRP tunnel.
One of the downloaded payloads, "ctrl.exe," functions as a .NET loader for launching an embedded payload, the CTRL Management Platform, which can serve either as a server or a client depending on the command-line arguments. Communication occurs over a Windows named pipe.
"The dual-mode design means the operator deploys ctrl.exe once on the victim (via the stager), then interacts with it by running ctrl.exe client through the FRP-tunneled RDP session," Censys said. "The named pipe architecture keeps all C2 command traffic local to the victim machine — nothing traverses the network except the RDP session itself."
The supported commands allow the malware to gather system information, launch a module designed for credential harvesting, and start a keylogger as a background service (if configured as a server) to capture all keystrokes to a file named "C:\Temp\keylog.txt" by installing a keyboard hook, and exfiltrate the results.
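The stager behaviours described two paragraphs above (hidden PowerShell from the LNK, Startup folder cleanup, the TCP check against port 7000, scheduled tasks, backdoor local users, firewall changes, the cmd.exe listener on 5267) and the keylog path just mentioned are all host-observable. The following is an added defender-side example, not Censys' tooling and not code from the toolkit: a small set of hunting rules run over constructed, Sysmon-like event records. The event shape and field names, the specific PowerShell flag pattern, and the use of netsh for the firewall change are assumptions made for the example; the page only states what the stager does, not how.

```python
"""Hunting rules for the CTRL stager/toolkit behaviours described in the report.

Added illustrative example; not Censys' tooling and not code from the toolkit.
Events use a constructed, simplified Sysmon-like shape, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # "process", "network" or "file"
    image: str = ""        # executing binary (process/network events)
    cmdline: str = ""      # full command line (process events)
    parent: str = ""       # parent image (process events)
    dst_port: int = 0      # remote port for "outbound", bound port for "listen"
    direction: str = ""    # "outbound" or "listen" (network events)
    path: str = ""         # target path (file events)
    action: str = ""       # "create" or "delete" (file events)


STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)


def _is(e, name):
    return e.image.lower().endswith(name)


def hidden_encoded_powershell(e):
    # Dropper stage: explorer.exe (the double-clicked LNK) launching a hidden PowerShell
    # carrying a Base64 blob. The exact flags are an assumption, not stated in the report.
    return (e.kind == "process" and _is(e, "powershell.exe")
            and e.parent.lower().endswith("explorer.exe")
            and re.search(r"-w(indowstyle)?\s+hidden", e.cmdline, re.I) is not None
            and re.search(r"-e(ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{40,}", e.cmdline, re.I) is not None)


def startup_persistence_wiped(e):
    # Dropper deletes existing entries from the victim's Startup folder.
    return e.kind == "file" and e.action == "delete" and STARTUP_RE.search(e.path) is not None


def frp_server_contact(e):
    # Stager tests TCP connectivity to the FRP server on port 7000 (hui228[.]ru:7000 in the
    # report; 7000 is also FRP's default server port).
    return e.kind == "network" and e.direction == "outbound" and e.dst_port == 7000


def scheduled_task_created(e):
    return (e.kind == "process" and _is(e, "schtasks.exe")
            and re.search(r"/create\b", e.cmdline, re.I) is not None)


def local_user_added(e):
    return (e.kind == "process" and (_is(e, "net.exe") or _is(e, "net1.exe"))
            and re.search(r"\buser\b.*\s/add\b", e.cmdline, re.I) is not None)


def firewall_rule_changed(e):
    # The report says the stager modifies firewall rules; netsh is the assumed mechanism.
    return (e.kind == "process" and _is(e, "netsh.exe")
            and re.search(r"advfirewall\s+firewall\s+(add|set)\s+rule", e.cmdline, re.I) is not None)


def shell_listener_5267(e):
    # cmd.exe shell server bound to port 5267, reached by the operator through the FRP tunnel.
    return e.kind == "network" and e.direction == "listen" and e.dst_port == 5267


def keylog_file_written(e):
    # Both the keylogger and the PIN phishing module write to C:\Temp\keylog.txt.
    return e.kind == "file" and e.action == "create" and e.path.lower() == r"c:\temp\keylog.txt"


RULES = [
    ("hidden_encoded_powershell", hidden_encoded_powershell),
    ("startup_persistence_wiped", startup_persistence_wiped),
    ("frp_server_contact", frp_server_contact),
    ("scheduled_task_created", scheduled_task_created),
    ("local_user_added", local_user_added),
    ("firewall_rule_changed", firewall_rule_changed),
    ("shell_listener_5267", shell_listener_5267),
    ("keylog_file_written", keylog_file_written),
]


def scan(events):
    """Return (rule_name, event_index) pairs for every event that trips a rule."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample telemetry: events 0-7 mirror the chain in the report, 8-9 are benign noise.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -WindowStyle Hidden -EncodedCommand " + "QUFB" * 16),
    Event("file", action="delete",
          path=r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"),
    Event("network", image="powershell.exe", direction="outbound", dst_port=7000),
    Event("process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r"schtasks /create /tn WinUpdate /sc onlogon /tr C:\Users\Public\ctrl.exe"),
    Event("process", image=r"C:\Windows\System32\net.exe", cmdline="net user svc_backup Passw0rd! /add"),
    Event("process", image=r"C:\Windows\System32\netsh.exe",
          cmdline="netsh advfirewall firewall add rule name=RemoteAdmin dir=in action=allow protocol=TCP localport=3389"),
    Event("network", image="cmd.exe", direction="listen", dst_port=5267),
    Event("file", action="create", path=r"C:\Temp\keylog.txt"),
    Event("process", image=r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe", cmdline="notepad.exe"),
    Event("network", image="chrome.exe", direction="outbound", dst_port=443),
]


if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS):
        print(f"[{name}] event {idx}: {SAMPLE_EVENTS[idx]}")
```

Each rule on its own is noisy (schtasks and net user are routine in many environments); the value is in the co-occurrence on one host within a short window, which is why `scan` returns the hits with their event indices so a caller can correlate them rather than alert per rule.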
The credential harvesting component is launched as a Windows Presentation Foundation (WPF) application that mimics a real Windows PIN verification prompt to capture the system PIN. The module, besides blocking attempts to escape the phishing window via keyboard shortcuts like Alt+Tab, Alt+F4, or F4, validates the entered PIN against the real Windows credential prompt via UI automation using the SendKeys() method.
"If the PIN is rejected, the victim is looped back with an error message," Northern explained. "The window remains open even if the PIN successfully validates against the actual Windows authentication system. The captured PIN is logged with the prefix [STEALUSER PIN CAPTURED] to the same keylog file used by the background keylogger."
One of the commands built into the toolkit allows it to send toast notifications impersonating web browsers like Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron to conduct further credential theft or deliver other payloads. The two other payloads dropped as part of the attack are listed below -
- FRPWrapper.exe, which is a Go DLL that is loaded in memory to establish reverse tunnels for RDP and a raw TCP shell through the operator's FRP server.
- RDPWrapper.exe, which enables unlimited concurrent RDP sessions.
"The toolkit demonstrates deliberate operational security. None of the three hosted binaries contain hard-coded C2 addresses," Censys said. "All data exfiltration occurs through the FRP tunnel via RDP — the operator connects to the victim's desktop and reads keylog data through the ctrl named pipe. This architecture leaves minimal network forensic artifacts compared to traditional C2 beacon patterns."
"The CTRL toolkit demonstrates a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth. By routing all interaction through FRP reverse tunnels to RDP sessions, the operator avoids the network-detectable beacon patterns that characterize commodity RATs."