
Russian CTRL Toolkit Delivered Through Malicious LNK Files Hijacks RDP Using FRP Tunnels


Security researchers have uncovered a remote access toolkit of Russian origin, known as the CTRL toolkit. It is distributed through Windows shortcut (LNK) files disguised as private-key folders, tricking users into executing the payload themselves.

According to Censys, an attack surface management platform, the CTRL toolkit is written in .NET. It bundles several executables that support credential phishing, keylogging, hijacking of Remote Desktop Protocol (RDP) sessions, and reverse tunneling via Fast Reverse Proxy (FRP). Censys security researcher Andrew Northern explained that “the executables provide encrypted payload loading, credential harvesting through a polished Windows Hello phishing interface, keylogging capabilities, RDP session hijacking, and reverse proxy tunneling utilizing FRP.”

Censys first found the CTRL toolkit in February 2026 in an open directory hosted at the IP address 146.19.213[.]155. An infection begins with a weaponized LNK file named “Private Key #kfxm7p9q_yek.lnk.” The shortcut carries a folder icon so that the user double-clicks it, which kicks off a multi-stage chain in which each stage decrypts or decompresses the next, ending in the deployment of the toolkit.

The LNK file acts as a dropper: it launches a hidden PowerShell command that removes any existing persistence entries from the victim’s Windows Startup folder, then decodes a Base64-encoded blob and executes it in memory. The first stage, the stager, checks connectivity to a remote server at hui228[.]ru:7000 and downloads further payloads. It also modifies firewall rules, establishes persistence through scheduled tasks, creates backdoor user accounts, and starts a cmd.exe shell server on port 5267 that is reachable through the FRP tunnel.
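A defender-side way to turn the stager behaviour described above into a detection: correlate process-creation events by their PowerShell ancestor and flag a chain that shows several of the named behaviours at once. This is an added example, not code from the article or from Censys; the events are constructed Sysmon-style records, and the specific command-line shapes (hidden/encoded PowerShell, netsh, schtasks, net user) are assumptions, since the article does not quote the stager’s actual commands.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
# Command lines are assumed shapes for the behaviours the article describes.
EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -WindowStyle Hidden -EncodedCommand AAAA_PLACEHOLDER_AAAA"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall firewall add rule name=svc dir=in action=allow protocol=TCP localport=5267"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks /create /tn Updater /tr C:\\Users\\Public\\ctrl.exe /sc onlogon"},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\System32\net.exe",
     "cmd": "net user support P@ss /add"},
    # Benign PowerShell with no follow-on behaviours; must not be flagged.
    {"pid": 200, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
]

# One regex per behaviour, matched against the command line of each event.
BEHAVIOURS = {
    "hidden_encoded_powershell": re.compile(
        r"^(?=.*-w(?:indowstyle)?\s+hidden)(?=.*-e(?:nc|ncodedcommand)?\s)", re.I | re.S),
    "firewall_rule_change": re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+add\b", re.I),
    "scheduled_task_persistence": re.compile(r"\bschtasks\s+/create\b", re.I),
    "local_account_creation": re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
}


def score_chains(events, min_behaviours=3):
    """Attribute each event to its nearest PowerShell ancestor (or itself) and return the
    PIDs of PowerShell processes whose subtree shows at least min_behaviours distinct
    behaviours, mapped to the sorted behaviour names observed."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for event in events:
        node = event
        # Walk up the parent chain until a PowerShell image is found or the root is reached.
        while node is not None and "powershell" not in node["image"].lower():
            node = by_pid.get(node["ppid"])
        if node is None:
            continue
        for name, pattern in BEHAVIOURS.items():
            if pattern.search(event["cmd"]):
                hits[node["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items() if len(names) >= min_behaviours}


if __name__ == "__main__":
    print(score_chains(EVENTS))
```

Requiring several behaviours under one ancestor keeps a lone `netsh` or `schtasks` from an administrator out of the alert, which is the trade-off any rule of this kind has to make.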

A central component is “ctrl.exe,” a .NET loader that launches an embedded payload called the CTRL Management Platform. Depending on its command-line arguments, the platform runs either as a server or as a client, and operator-to-implant communication takes place over a Windows named pipe, a local inter-process communication channel.

Censys explained that this dual-mode design lets an operator deploy ctrl.exe once on the target (via the stager) and then interact with it by running ctrl.exe in client mode inside the FRP-tunneled RDP session. The result is that all command and control (C2) traffic stays on the local machine, so almost no network activity is visible beyond the RDP session itself.

The platform’s commands let the operator collect extensive system information, launch credential-harvesting modules, and start a keylogger that captures keystrokes through a keyboard hook. Captured keystrokes are written to the file “C:\Temp\keylog.txt,” from which the data can be retrieved later.

The credential-harvesting module is a Windows Presentation Foundation (WPF) window that mimics a legitimate Windows PIN verification prompt. It blocks the usual ways of dismissing a window, such as Alt+Tab or Alt+F4, and validates the entered PIN against the real Windows credential prompt using UI automation. An invalid PIN produces an error message, while a validated PIN is written to the keylog file with the prefix [STEALUSER PIN CAPTURED].

The toolkit can also send toast notifications that impersonate web browsers such as Google Chrome, Microsoft Edge, and Brave, opening the way to further credential theft or delivery of additional payloads.

Among the payloads executed as part of this attack are:

  1. FRPWrapper.exe: A Go DLL loaded in memory that opens reverse tunnels for RDP and a raw TCP shell through the operator’s FRP server.
  2. RDPWrapper.exe: A wrapper that permits unlimited concurrent RDP sessions.

Censys emphasized that the CTRL toolkit demonstrates a high level of operational security. None of its binaries contain hard-coded C2 addresses, which reduces the opportunities for static detection. All exfiltration happens through the FRP tunnel over RDP: operators reach the victim’s desktop directly and pull keylogging data through the ctrl named pipe, leaving far fewer network traces than conventional C2 beaconing.

In summary, the CTRL toolkit reflects a continuing trend toward specialized, single-operator tools that favor operational security over a broad feature set. By routing all interaction through FRP reverse tunnels to RDP sessions, operators sidestep much network-based detection, which makes this toolkit a serious threat.
