CyberSecurity SEE

Russian Hackers Use CTRL for RDP Hijacking


New Toolkit “CTRL” Exploits Remote Desktop Protocol for Cyber Attacks

Recent analyses have identified a sophisticated toolkit named “CTRL,” reportedly developed by Russian hackers, that enables unauthorized access to Windows systems via the Remote Desktop Protocol (RDP). The toolkit uses reverse tunnels built on FRP (fast reverse proxy) to gain covert entry into compromised systems, giving the operators stealthy, hands-on access to infected machines.

The CTRL toolkit merges several malicious techniques, including credential theft, keylogging, and RDP exploitation, into a streamlined framework that has thus far evaded detection by conventional malware scanners and threat intelligence feeds. This absence of visibility raises significant concerns regarding the potential implications for organizations that utilize Windows systems.

According to the available data, the domain hosting CTRL is linked to infrastructure in Partner Hosting LTD’s ASN (AS215826), a network based in the UK that was established in February 2025. The servers that support this operation are located in Frankfurt, Germany, which may add layers of complexity for cybersecurity efforts aimed at disrupting these malicious activities.

During the investigation, critical IP addresses associated with the exploitation were identified: 194.33.61[.]36 and 109.107.168[.]18. These addresses were observed utilizing port 7000 to run an FRP server, detected as such by Censys’ native fingerprinting methods. The extensive analysis conducted by Censys ARC researchers uncovered CTRL while scanning exposed directories and LNK artifacts. This led them on a trail back to a malicious LNK (shortcut) file stored in an open payload-hosting folder on the domain hui228[.]ru.

The server located at 194.33.61[.]36 is notable not only for its association with CTRL but also for exposing additional services such as SSH and HTTP. Alarmingly, vulnerabilities have been discovered within its OpenSSH 9.6p1 service, including CVE-2024-6387, CVE-2025-26465, and CVE-2025-26466, suggesting careless patch management practices on the operators’ part.

The investigation began with Censys’s initiative to scan for LNK files, during which researchers found a shortcut pointing to hui228[.]ru for the delivery of malicious payloads. This hunt through public directories revealed a strategy that relies heavily on social engineering and system exploitation to deliver the toolkit.

Delivering and Executing CTRL

CTRL is a bespoke .NET toolkit delivered through a malicious Windows shortcut file disguised as a private-key folder. The LNK file, named “Private Key #kfxm7p9q_yek.lnk,” uses an innocuous folder icon and carries zeroed timestamps to minimize scrutiny during inspection. It embeds a heavily obfuscated PowerShell loader encoded as a large base64 string, so that the initial stage runs without leaving an obvious script on disk.

When opened, the shortcut launches PowerShell in a hidden window, where it decodes and decompresses an in-memory .NET stager. The stager is stored as a binary value under registry keys tied to Windows Explorer, avoiding the creation of a standalone Portable Executable (PE) file on disk. The malware then escalates privileges using a UAC bypass technique that abuses fodhelper.exe.

Next, it performs connectivity checks against hui228[.]ru:7000 before downloading three .NET components. These components load encrypted payloads, establish the FRP tunnel, and enable RDP, giving the attackers persistent access to the compromised system. The payloads survive reboots by being stored as registry binaries and relaunched through scheduled tasks that run encoded PowerShell.

Once fully operational, CTRL turns the infected host into a persistent platform for RDP abuse managed exclusively over FRP tunnels, rather than through a traditional command-and-control (C2) channel. The main component, ctrl.exe, decrypts and runs a “ctrl Management Platform” agent that exposes a named pipe for commands such as fetching keylogs, displaying a Windows Hello-style credential-phishing prompt, and shadowing or hijacking existing RDP sessions.

Stealthy Operations and Detection Measures

CTRL’s design reflects careful operational security. There are no hardcoded C2 addresses in the malware’s binaries; the connection to hui228[.]ru is established only at runtime. The toolkit further complicates detection by combining .NET’s Assembly.Load() method with a manual PE mapper that operates solely within user-mode memory.

Operators interact with the malware inside RDP sessions carried over the FRP tunnel. Monitoring for the distinctive network signatures is therefore critical for organizations looking to strengthen their defenses: they should block or alert on outbound traffic to the identified IP addresses and port. It is also worth watching for the unique SSH host key fingerprint associated with 194.33.61[.]36, which can help track the infrastructure if the operators rotate IP addresses.

Defenders should also watch for high-value host indicators, including binary payloads stored as Windows registry values and scheduled tasks with names such as DriverSvcTask and NetTcpSvc. Acting proactively on these indicators helps organizations improve their defenses against the understated but significant threat posed by the CTRL toolkit.
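As an added illustration of the detection advice above (example code written for this page, not code from the article or from Censys), the following Python scans constructed firewall log lines for outbound connections to the article’s two FRP servers on port 7000 and checks a constructed scheduled-task inventory for the named CTRL tasks or encoded PowerShell actions; the log format and the task listing are assumptions.

```python
import re

# Indicators quoted in the article: the two FRP servers on TCP/7000 and the
# scheduled-task names CTRL uses for persistence.
CTRL_IPS = {"194.33.61.36", "109.107.168.18"}
CTRL_PORT = 7000
CTRL_TASK_NAMES = {"DriverSvcTask", "NetTcpSvc"}

# Constructed firewall log lines; the format is an assumption for this demo.
FIREWALL_LOG = """\
2025-03-01T10:00:01Z ALLOW TCP 10.0.0.5:51234 -> 142.250.74.78:443
2025-03-01T10:00:07Z ALLOW TCP 10.0.0.5:51240 -> 194.33.61.36:7000
2025-03-01T10:00:09Z ALLOW TCP 10.0.0.9:51301 -> 109.107.168.18:7000
2025-03-01T10:00:12Z ALLOW TCP 10.0.0.5:51250 -> 93.184.216.34:80
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_frp_connections(log_text):
    """Return (timestamp, source, destination) of outbound hits on CTRL FRP servers."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["dst"] in CTRL_IPS and int(m["dport"]) == CTRL_PORT:
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits

# Constructed scheduled-task inventory as (task path, action command line).
TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe -c -h -o"),
    ("\\DriverSvcTask", "powershell.exe -w hidden -enc <constructed-base64-blob>"),
    ("\\Backup", "C:\\Tools\\backup.exe --daily"),
]
# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENC_PS_RE = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s", re.I)

def find_suspicious_tasks(tasks):
    """Flag tasks named like CTRL's or whose action is encoded PowerShell."""
    flagged = []
    for path, action in tasks:
        reasons = []
        if path.rsplit("\\", 1)[-1] in CTRL_TASK_NAMES:
            reasons.append("known CTRL task name")
        if ENC_PS_RE.search(action):
            reasons.append("encoded PowerShell action")
        if reasons:
            flagged.append((path, reasons))
    return flagged
```

On a real host the task inventory would come from `schtasks /query /fo CSV /v` or `Get-ScheduledTask`, and the log lines from the perimeter firewall or NetFlow collector.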
