Russian CTRL Toolkit Uses Malicious LNK Files to Hijack RDP via FRP
Security researchers at Censys uncovered a new Russian-origin remote access toolkit called CTRL. It is delivered through a weaponized Windows shortcut file disguised as a private key folder. The delivery is simple. The technique is effective.
How the attack unfolds
Censys said the campaign used a file named “Private Key #kfxm7p9q_yek.lnk” with a folder icon to trick users into double-clicking. That action launches a hidden PowerShell command. The dropper then wipes existing persistence entries from the victim’s Windows Startup folder and decodes a Base64 blob that runs in memory.
Next, the stager tests TCP connectivity to hui228[.]ru on port 7000 and pulls additional payloads from that server. Censys reported these components modify firewall rules, create scheduled tasks for persistence, add backdoor local users, and spawn a cmd.exe shell server on port 5267. That shell is reachable only through a Fast Reverse Proxy tunnel, or FRP.
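As an added example (not Censys's code and not anything from the toolkit), a small Python parser for the .lnk header and string fields, plus a heuristic that flags the delivery pattern described above: a shortcut that borrows a folder icon from a system icon library, points at PowerShell, and starts it with a hidden window. The shortcut bytes are constructed inline; the payload placeholder and the exact PowerShell switches are assumptions, not artifacts recovered from the campaign.

```python
import struct

SW_SHOWMINNOACTIVE, F_IDLIST, F_LINKINFO, F_UNICODE = 7, 0x01, 0x02, 0x80  # ShowCommand 7 hides the window
CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"  # ShellLink CLSID, little-endian
STRINGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
           (0x20, "arguments"), (0x40, "icon_location")]          # StringData order per LinkFlags

def build_lnk(relative_path, arguments="", icon_location="", icon_index=0, show_cmd=1):
    """Construct a minimal .lnk (no IDList/LinkInfo) so the detector can be exercised offline."""
    fields = [(0x08, relative_path), (0x20, arguments), (0x40, icon_location)]
    flags = F_UNICODE | sum(f for f, s in fields if s)
    hdr = struct.pack("<I16sIIQQQIiIHHII", 0x4C, CLSID, flags, 0x20, 0, 0, 0, 0,
                      icon_index, show_cmd, 0, 0, 0, 0)
    return hdr + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for _, s in fields if s)

def parse_lnk(data):
    """Parse the 76-byte ShellLinkHeader and the StringData fields that follow it."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = dict(zip(("icon_index", "show_cmd"), struct.unpack_from("<iI", data, 56)))
    pos = 76
    if flags & F_IDLIST:      # LinkTargetIDList: 2-byte size prefix, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & F_LINKINFO:    # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & F_UNICODE else 1
    for flag, key in STRINGS:
        info[key] = ""
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0] * width
            info[key] = data[pos + 2:pos + 2 + n].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n
    return info

def lnk_indicators(info):
    """Heuristics for a folder-lookalike shortcut: PowerShell target, hidden window, stock system icon."""
    cmd = (info["relative_path"] + " " + info["arguments"]).lower()
    return {
        "runs_powershell": "powershell" in cmd or "pwsh" in cmd,
        "hidden_window": info["show_cmd"] == SW_SHOWMINNOACTIVE or "hidden" in cmd,
        "system_library_icon": any(lib in info["icon_location"].lower()
                                   for lib in ("shell32.dll", "imageres.dll")),
    }

# Constructed samples: a folder-lookalike shortcut in the campaign's style (placeholder payload) and a benign one
DISGUISED = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "-WindowStyle Hidden -EncodedCommand <BASE64_PLACEHOLDER>",
                      r"%SystemRoot%\System32\shell32.dll", icon_index=3, show_cmd=SW_SHOWMINNOACTIVE)
BENIGN = build_lnk(r"..\Documents\report.docx")
```

A shortcut is worth escalating when all three indicators are true at once; any single one on its own is common in legitimate shortcuts.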
What CTRL contains
One of the main payloads is “ctrl.exe.” Censys described it as a .NET loader that launches an embedded CTRL Management Platform. The tool can run as either a server or a client, depending on command-line arguments. Communication between components takes place over a Windows named pipe.
“The dual-mode design means the operator deploys ctrl.exe once on the victim, then interacts with it by running ctrl.exe client through the FRP-tunneled RDP session,” Censys said. “The named pipe architecture keeps all C2 command traffic local to the victim machine. Nothing traverses the network except the RDP session itself.”
Capabilities and techniques
The toolkit supports credential harvesting, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP. If configured as a server, CTRL can install a background keylogger that captures keystrokes to the file C:\Temp\keylog.txt by installing a keyboard hook. It can also gather system information and launch modules on demand.
Credential theft relies on a polished Windows Presentation Foundation application that mimics the official Windows PIN prompt. Censys explained the fake prompt blocks common escape shortcuts such as Alt+Tab and Alt+F4. The module even validates the entered PIN against the real Windows authentication prompt by using UI automation with SendKeys().
Andrew Northern, a Censys security researcher, said, “If the PIN is rejected, the victim is looped back with an error message. The window remains open even if the PIN successfully validates against the actual Windows authentication system. The captured PIN is logged with the prefix [STEALUSER PIN CAPTURED] to the same keylog file used by the background keylogger.”
CTRL also includes a feature to send toast notifications that impersonate common web browsers. Censys said the toolkit can mimic Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron to phish additional credentials or push secondary payloads.
FRP tunnels and supporting components
Two additional payloads are central to the stealthy remote access setup. FRPWrapper.exe is a Go DLL that establishes reverse tunnels for RDP and a raw TCP shell through the operator’s FRP server. RDPWrapper.exe enables unlimited concurrent RDP sessions, which helps the operator interact with victims remotely.
Censys emphasized the operator prioritized operational security. “None of the three hosted binaries contain hard-coded C2 addresses,” the firm said. “All data exfiltration occurs through the FRP tunnel via RDP. The operator connects to the victim’s desktop and reads keylog data through the ctrl named pipe. This architecture leaves minimal network forensic artifacts compared to traditional C2 beacon patterns.”
Finally, Censys noted the CTRL toolkit fits a growing trend. “The CTRL toolkit demonstrates a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth,” the company said. By routing interaction exclusively through FRP-tunneled RDP sessions, operators avoid the network-detectable beacon patterns that mark many commodity remote access trojans.
#CTRLToolkit #FRP #RDPHijack #Censys #WindowsSecurity #Malware