Cybersecurity researchers have discovered a remote access toolkit of Russian-origin that's distributed via malicious Windows shortcut (LNK) files that are disguised as private key folders.
The CTRL toolkit, according to Censys, is custom-built using .NET and includes various executables" to facilitate credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling via Fast Reverse Proxy (FRP).
"The executables provide encrypted payload loading, credential harvesting via a polished Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP," Censys security researcher Andrew Northern said.
The attack surface management platform said it recovered CTRL from an open directory at 146.19.213[.]155 in February 2026. Attack chains distributing the toolkit rely on a weaponized LNK file ("Private Key #kfxm7p9q_yek.lnk") with a folder icon to trick users into double-clicking it.
This triggers a multi-stage process, with each stage decrypting or decompressing the next, until it leads to the deployment of the toolkit. The LNK file dropper is designed to launch a hidden PowerShell command, which then wipes existing persistence mechanisms from the victim's Windows Startup folder.
It also decodes a Base64-encoded blob and runs it in memory. The stager, for its part, tests TCP connectivity to hui228[.]ru:7000 and downloads next-stage payloads from the server. Furthermore, it modifies firewall rules, sets up persistence using scheduled tasks, creates backdoor local users, and spawns a cmd.exe shell server on port 5267 that's accessible through the FRP tunnel.
One of the downloaded payloads, "ctrl.exe," functions as a .NET loader for launching an embedded payload, the CTRL Management Platform, which can serve either as a server or a client depending on the command-line arguments. Communication occurs over a Windows named pipe.
"The dual-mode design means the operator deploys ctrl.exe once on the victim (via the stager), then interacts with it by running ctrl.exe client through the FRP-tunneled RDP session," Censys said. "The named pipe architecture keeps all C2 command traffic local to the victim machine — nothing traverses the network except the RDP session itself."
The supported commands allow the malware to gather system information, launch a module designed for credential harvesting, and start a keylogger as a background service (if configured as a server) to capture all keystrokes to a file named "C:\Temp\keylog.txt" by installing a keyboard hook, and exfiltrate the results.
The credential harvesting component is launched as a Windows Presentation Foundation (WPF) application that mimics a real Windows PIN verification prompt to capture the system PIN. The module, besides blocking attempts to escape the phishing window via keyboard shortcuts like Alt+Tab, Alt+F4, or F4, validates the entered PIN against the real Windows credential prompt via UI automation by using the SendKeys() method.
"If the PIN is rejected, the victim is looped back with an error message," Northern explained. "The window remains open even if the PIN successfully validates against the actual Windows authentication system. The captured PIN is logged with the prefix [STEALUSER PIN CAPTURED] to the same keylog file used by the background keylogger."
One of the commands built into the toolkit allows it to send toast notifications impersonating web browsers like Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron to conduct additional credential theft or deliver other payloads. The two other payloads dropped as part of the attack are listed below -
- FRPWrapper.exe, which is a Go DLL that's loaded in memory to establish reverse tunnels for RDP and a raw TCP shell through the operator's FRP server.
- RDPWrapper.exe, which enables unlimited concurrent RDP sessions.
"The toolkit demonstrates deliberate operational security. None of the three hosted binaries contain hard-coded C2 addresses," Censys said. "All data exfiltration occurs through the FRP tunnel via RDP — the operator connects to the victim’s desktop and reads keylog data through the ctrl named pipe. This architecture leaves minimal network forensic artifacts compared to traditional C2 beacon patterns."
"The CTRL toolkit demonstrates a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth. By routing all interaction through FRP reverse tunnels to RDP sessions, the operator avoids the network-detectable beacon patterns that characterize commodity RATs."
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.