{"id":429,"date":"2026-03-30T11:05:55","date_gmt":"2026-03-30T11:05:55","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=429"},"modified":"2026-03-30T11:05:55","modified_gmt":"2026-03-30T11:05:55","slug":"russian-ctrl-toolkit-delivered-via-malicious-lnk-files-hijacks-rdp-via-frp-tunnels","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=429","title":{"rendered":"Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Mar 30, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Network Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have discovered a remote access toolkit of Russian origin that&#8217;s distributed via malicious Windows shortcut (LNK) files disguised as private key folders.<\/p>\n<p>The <strong>CTRL<\/strong> toolkit, according to Censys, is custom-built using .NET and includes various executables to facilitate credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling via Fast Reverse Proxy (FRP).<\/p>\n<p>\u00abThe executables provide encrypted payload loading, credential harvesting via a polished Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP,\u00bb Censys security researcher Andrew Northern <a 
href=\"https:\/\/censys.com\/blog\/under-ctrl-dissecting-a-previously-undocumented-russian-net-access-framework\/\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>The attack surface management platform said it recovered CTRL from an open directory at 146.19.213[.]155 in February 2026. Attack chains distributing the toolkit rely on a weaponized LNK file (\u00abPrivate Key #kfxm7p9q_yek.lnk\u00bb) with a folder icon to trick users into double-clicking it.<\/p>\n<p>This triggers a multi-stage process, with each stage decrypting or decompressing the next, until it leads to the deployment of the toolkit. The LNK file dropper is designed to launch a hidden PowerShell command, which then wipes existing persistence mechanisms from the victim&#8217;s Windows Startup folder.<\/p>\n<p>It also decodes a Base64-encoded blob and runs it in memory. The stager, for its part, tests TCP connectivity to hui228[.]ru:7000 and downloads next-stage payloads from the server. 
Furthermore, it modifies firewall rules, sets up persistence using scheduled tasks, creates backdoor local users, and spawns a cmd.exe shell server on port 5267 that&#8217;s accessible through the FRP tunnel.<\/p>\n<p>One of the downloaded payloads, \u00abctrl.exe,\u00bb functions as a .NET loader for launching an embedded payload, the CTRL Management Platform, which can serve either as a server or a client depending on the command-line arguments. Communication occurs over a Windows named pipe.<\/p>\n<p>\u00abThe dual-mode design means the operator deploys ctrl.exe once on the victim (via the stager), then interacts with it by running ctrl.exe client through the FRP-tunneled RDP session,\u00bb Censys said. \u00abThe named pipe architecture keeps all C2 command traffic local to the victim machine \u2014 nothing traverses the network except the RDP session itself.\u00bb<\/p>\n<p>The supported commands allow the malware to gather system information, launch a module designed for credential harvesting, start a keylogger as a background service (if configured as a server) that installs a keyboard hook and captures all keystrokes to a file named \u00abC:\\Temp\\keylog.txt,\u00bb and exfiltrate the results.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiYj6OjS1oR64ByDgk4vLMP8990lF5dvAb0ZvA_oU33CsC_i_fqE95S2fyYpqrAUfzvHG67-1P8mc_fA-5DnSgCVLvwzFu5df_qvttbj7m2CbgaGR6lNW5DUxWRilmUxn5XY_nzsjh5lbM3W4Alzga-6H3gYlZyIKeIiQMh1C0EHCBwkmEGPcVoNU1vi7TN\/s1700-e365\/ctrl.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiYj6OjS1oR64ByDgk4vLMP8990lF5dvAb0ZvA_oU33CsC_i_fqE95S2fyYpqrAUfzvHG67-1P8mc_fA-5DnSgCVLvwzFu5df_qvttbj7m2CbgaGR6lNW5DUxWRilmUxn5XY_nzsjh5lbM3W4Alzga-6H3gYlZyIKeIiQMh1C0EHCBwkmEGPcVoNU1vi7TN\/s1700-e365\/ctrl.jpg\" alt=\"\" border=\"0\" 
data-original-height=\"709\" data-original-width=\"900\"\/><\/a><\/div>\n<p>The credential harvesting component is launched as a Windows Presentation Foundation (WPF) application that mimics a real Windows PIN verification prompt to capture the system PIN. The module, besides blocking attempts to escape the phishing window via keyboard shortcuts like Alt+Tab, Alt+F4, or F4, validates the entered PIN against the real Windows credential prompt via UI automation by using the <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/system.windows.forms.sendkeys\" rel=\"noopener\" target=\"_blank\">SendKeys()<\/a> method.<\/p>\n<p>\u00abIf the PIN is rejected, the victim is looped back with an error message,\u00bb Northern explained. \u00abThe window remains open even if the PIN successfully validates against the actual Windows authentication system. The captured PIN is logged with the prefix [STEALUSER PIN CAPTURED] to the same keylog file used by the background keylogger.\u00bb<\/p>\n<p>One of the commands built into the toolkit allows it to send toast notifications impersonating web browsers like Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron to conduct additional credential theft or deliver other payloads. 
The two other payloads dropped as part of the attack are listed below &#8211;<\/p>\n<ul>\n<li>FRPWrapper.exe, which is a Go DLL that&#8217;s <a href=\"https:\/\/github.com\/schellingb\/DLLFromMemory-net\" rel=\"noopener\" target=\"_blank\">loaded in memory<\/a> to establish reverse tunnels for RDP and a raw TCP shell through the operator&#8217;s FRP server.<\/li>\n<li>RDPWrapper.exe, which enables unlimited concurrent RDP sessions.<\/li>\n<\/ul>\n<p>\u00abThe toolkit demonstrates deliberate operational security. None of the three hosted binaries contain hard-coded C2 addresses,\u00bb Censys said. \u00abAll data exfiltration occurs through the FRP tunnel via RDP \u2014 the operator connects to the victim\u2019s desktop and reads keylog data through the ctrl named pipe. This architecture leaves minimal network forensic artifacts compared to traditional C2 beacon patterns.\u00bb<\/p>\n<p>\u00abThe CTRL toolkit demonstrates a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth. 
By routing all interaction through FRP reverse tunnels to RDP sessions, the operator avoids the network-detectable beacon patterns that characterize commodity RATs.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 30, 2026Malware \/ Network Security Cybersecurity researchers have discovered a remote access toolkit of Russian-origin that&#8217;s distributed via malicious Windows shortcut (LNK) files that are disguised as private&hellip;<\/p>\n","protected":false},"author":1,"featured_media":430,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[957,959,236,962,774,960,33,961,54,958,963],"class_list":["post-429","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-ctrl","tag-delivered","tag-files","tag-frp","tag-hijacks","tag-lnk","tag-malicious","tag-rdp","tag-russian","tag-toolkit","tag-tunnels"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=429"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/429\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/430"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"h
ref":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}