Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels

Summary

Cybersecurity researchers discovered CTRL, a Russian-origin remote access toolkit delivered through weaponized Windows shortcut (LNK) files disguised as private key folders. The custom .NET malware facilitates credential phishing via Windows Hello spoofing, keylogging, RDP hijacking, and reverse tunneling through Fast Reverse Proxy (FRP), with all C2 traffic routed through RDP sessions to minimize network detection. The toolkit demonstrates advanced operational security by avoiding hard-coded C2 addresses and network beacons, making it difficult to detect via traditional forensic methods.

Full text

Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels Ravie LakshmananMar 30, 2026Malware / Network Security Cybersecurity researchers have discovered a remote access toolkit of Russian-origin that's distributed via malicious Windows shortcut (LNK) files that are disguised as private key folders. The CTRL toolkit, according to Censys, is custom-built using .NET and includes various executables" to facilitate credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling via Fast Reverse Proxy (FRP). "The executables provide encrypted payload loading, credential harvesting via a polished Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP," Censys security researcher Andrew Northern said. The attack surface management platform said it recovered CTRL from an open directory at 146.19.213[.]155 in February 2026. Attack chains distributing the toolkit rely on a weaponized LNK file ("Private Key #kfxm7p9q_yek.lnk") with a folder icon to trick users into double-clicking it. This triggers a multi-stage process, with each stage decrypting or decompressing the next, until it leads to the deployment of the toolkit. The LNK file dropper is designed to launch a hidden PowerShell command, which then wipes existing persistence mechanisms from the victim's Windows Startup folder. It also decodes a Base64-encoded blob and runs it in memory. The stager, for its part, tests TCP connectivity to hui228[.]ru:7000 and downloads next-stage payloads from the server. Furthermore, it modifies firewall rules, sets up persistence using scheduled tasks, creates backdoor local users, and spawns a cmd.exe shell server on port 5267 that's accessible through the FRP tunnel. One of the downloaded payloads, "ctrl.exe," functions as a .NET loader for launching an embedded payload, the CTRL Management Platform, which can serve either as a server or a client depending on the command-line arguments. Communication occurs over a Windows named pipe. "The dual-mode design means the operator deploys ctrl.exe once on the victim (via the stager), then interacts with it by running ctrl.exe client through the FRP-tunneled RDP session," Censys said. "The named pipe architecture keeps all C2 command traffic local to the victim machine — nothing traverses the network except the RDP session itself." The supported commands allow the malware to gather system information, launch a module designed for credential harvesting, and start a keylogger as a background service (if configured as a server) to capture all keystrokes to a file named "C:\Temp\keylog.txt" by installing a keyboard hook, and exfiltrate the results. The credential harvesting component is launched as a Windows Presentation Foundation (WPF) application that mimics a real Windows PIN verification prompt to capture the system PIN. The module, besides blocking attempts to escape the phishing window via keyboard shortcuts like Alt+Tab, Alt+F4, or F4, validates the entered PIN against the real Windows credential prompt via UI automation by using the SendKeys() method. "If the PIN is rejected, the victim is looped back with an error message," Northern explained. "The window remains open even if the PIN successfully validates against the actual Windows authentication system. The captured PIN is logged with the prefix [STEALUSER PIN CAPTURED] to the same keylog file used by the background keylogger." One of the commands built into the toolkit allows it to send toast notifications impersonating web browsers like Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron to conduct additional credential theft or deliver other payloads. The two other payloads dropped as part of the attack are listed below - FRPWrapper.exe, which is a Go DLL that's loaded in memory to establish reverse tunnels for RDP and a raw TCP shell through the operator's FRP server. RDPWrapper.exe, which enables unlimited concurrent RDP sessions. "The toolkit demonstrates deliberate operational security. None of the three hosted binaries contain hard-coded C2 addresses," Censys said. "All data exfiltration occurs through the FRP tunnel via RDP — the operator connects to the victim’s desktop and reads keylog data through the ctrl named pipe. This architecture leaves minimal network forensic artifacts compared to traditional C2 beacon patterns." "The CTRL toolkit demonstrates a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth. By routing all interaction through FRP reverse tunnels to RDP sessions, the operator avoids the network-detectable beacon patterns that characterize commodity RATs." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, Endpoint Protection, Malware, network security, Phishing, ransomware, Remote Access Trojan, Threat Intelligence, windows security Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures

Indicators of Compromise

• ip — 146.19.213.155
• domain — hui228.ru
• malware — CTRL
• malware — FRPWrapper.exe
• malware — RDPWrapper.exe
• malware — ctrl.exe