Cybersecurity researchers have uncovered a sophisticated Russian-origin remote access toolkit called CTRL, which is distributed through malicious Windows shortcut (LNK) files disguised as private key folders. The toolkit enables credential theft, keylogging, and RDP session hijacking, while using Fast Reverse Proxy (FRP) tunnels to maintain stealthy command and control (C2).

Multi-Stage Deployment
According to Censys, the CTRL toolkit is written in .NET and delivered via a weaponized LNK file (e.g., Private Key #kfxm7p9q_yek.lnk) that tricks users into double-clicking it. Doing so triggers a multi-stage chain that:
- Launches hidden PowerShell commands
- Clears existing persistence mechanisms in the Windows Startup folder
- Decodes Base64-encoded blobs and executes them in memory
- Tests TCP connectivity to hui228[.]ru:7000 and downloads subsequent payloads
The stager also modifies firewall rules, creates scheduled tasks, installs backdoor users, and spawns a cmd.exe shell on port 5267, accessible via the FRP tunnel.
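As an added hunting example (not code from the report or from Censys), the following Python scans process-creation command lines for the stager behaviours listed above. It expands PowerShell -EncodedCommand blobs (Base64 over UTF-16LE) before matching, so the hui228[.]ru:7000 connectivity test hidden inside one is still caught, and it scores per host so that the chain as a whole, rather than any single noisy action such as a firewall change or scheduled task, is what raises the flag. The regexes, the cut-off of three behaviours, the host names and the sample events are all my assumptions for illustration.

```python
"""Hunt for the CTRL stager chain in process-creation telemetry (added example)."""
import base64
import re

# Each rule approximates one stager behaviour from the article as it would
# appear on a command line (Sysmon event 1 / Windows 4688). The patterns are
# assumptions for illustration, not signatures published with the report.
RULES = {
    "hidden_powershell":      re.compile(r"powershell(?:\.exe)?\b.*?-w(?:indowstyle)?\s+hidden", re.I),
    "startup_folder_cleanup": re.compile(r"remove-item\b.*?\\startup\\", re.I),
    "encoded_command":        re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "c2_connectivity_test":   re.compile(r"(?:test-netconnection|tcpclient).*?hui228\.ru.*?\b7000\b", re.I),
    "firewall_rule_change":   re.compile(r"netsh\s+advfirewall\s+firewall\s+add|new-netfirewallrule", re.I),
    "scheduled_task_create":  re.compile(r"schtasks(?:\.exe)?\s+/create|register-scheduledtask", re.I),
    "backdoor_user_create":   re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "listener_port_5267":     re.compile(r"(?:localport=|port\s+|:)5267\b", re.I),
}

ENCODED_BLOB = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(cmdline: str) -> str:
    """Return cmdline with the plaintext of each -EncodedCommand blob appended.

    PowerShell expects Base64 over UTF-16LE; anything that fails to decode is
    left alone so a malformed blob cannot hide the rest of the line."""
    decoded = []
    for blob in ENCODED_BLOB.findall(cmdline):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return cmdline if not decoded else f"{cmdline} ; DECODED: {' ; '.join(decoded)}"


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule that fires on the (expanded) command line."""
    expanded = decode_encoded_commands(cmdline)
    return [name for name, rx in RULES.items() if rx.search(expanded)]


def hunt(events: list[dict]) -> dict[str, set[str]]:
    """Collect the distinct stager behaviours seen per host."""
    seen: dict[str, set[str]] = {}
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            seen.setdefault(ev["host"], set()).add(name)
    return seen


def suspicious_hosts(events: list[dict], threshold: int = 3) -> list[str]:
    """Hosts showing at least `threshold` distinct behaviours (assumed cut-off)."""
    return sorted(h for h, names in hunt(events).items() if len(names) >= threshold)


# Constructed sample telemetry (not real logs): WS01 replays the chain, WS02 is
# ordinary administration that shares one noisy behaviour with it.
SAMPLE_ENCODED_BLOB = base64.b64encode(
    "Test-NetConnection hui228.ru -Port 7000".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r'powershell.exe -w hidden -c "Remove-Item $env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\* -Force"'},
    {"host": "WS01", "cmdline": f"powershell.exe -NoP -W Hidden -enc {SAMPLE_ENCODED_BLOB}"},
    {"host": "WS01", "cmdline": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=5267'},
    {"host": "WS01", "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\ctrl.exe" /sc onlogon'},
    {"host": "WS01", "cmdline": "net user svc_helper P@ssw0rd! /add"},
    {"host": "WS02", "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"host": "WS02", "cmdline": 'schtasks.exe /create /tn "Backup" /tr backup.cmd /sc daily'},
]

if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(host, sorted(names))
    print("flagged:", suspicious_hosts(SAMPLE_EVENTS))
```

On the sample data WS01 accumulates eight distinct behaviours and is flagged, while WS02, which only created a scheduled task, is not. In production the per-host threshold is what keeps individual firewall or schtasks events from paging anyone; tune it against your own baseline, and feed the decoder real command lines rather than the constructed ones here.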
CTRL Management Platform
The main payload, ctrl.exe, functions as a dual-mode loader:
- Acts as a server on the victim machine
- Interacts with an operator client through the FRP-tunneled RDP session
Communication occurs over a Windows named pipe, keeping C2 traffic local to the host and leaving minimal network forensic traces. Commands allow:
- System information collection
- Credential harvesting
- Keylogging to C:\Temp\keylog.txt via a keyboard hook
Credential Harvesting with WPF Phishing UI
CTRL includes a Windows Presentation Foundation (WPF) module that mimics a real Windows PIN verification prompt. It:
- Blocks Alt+Tab, Alt+F4, and F4 attempts to escape
- Validates entered PINs against the actual Windows system using SendKeys()
- Logs captured PINs with the prefix [STEALUSER PIN CAPTURED]
Additional Features
Other components of the toolkit include:
- FRPWrapper.exe – a Go-based binary that establishes reverse tunnels for RDP and raw TCP shells
- RDPWrapper.exe – enables unlimited concurrent RDP sessions
- Toast notifications impersonating popular browsers (Chrome, Edge, Brave, Opera, Vivaldi, Yandex, Iron) to collect credentials or deliver payloads
Censys noted, “None of the binaries contain hard-coded C2 addresses. All exfiltration occurs through the FRP-tunneled RDP session, minimizing network-detectable artifacts.”
The CTRL toolkit reflects a shift toward purpose-built, single-operator toolkits emphasizing operational security over feature breadth, using FRP tunnels to evade traditional detection mechanisms associated with commodity RATs.