Russian-origin CTRL toolkit spread through malicious Windows shortcut files, researchers say

Cybersecurity researchers found a Russian-origin remote access toolkit called CTRL in February 2026 after it was recovered from an open directory, with attackers using malicious Windows shortcut files disguised as private key folders to deliver it, according to a technical analysis from Censys.

KEY FACTS

  • Delivery method: Weaponized LNK files used a folder icon to lure users into opening them.
  • Capabilities: The toolkit supports credential phishing, keylogging, RDP hijacking and reverse tunneling.
  • Staging: The infection chain uses multiple encrypted or compressed stages before deployment.
  • Persistence: The malware can create scheduled tasks, change firewall rules and add local backdoor users.

The report said the LNK file launched hidden PowerShell commands that cleared some existing persistence mechanisms from the Windows Startup folder before decoding a Base64 payload in memory. It then checked connectivity to hui228.ru:7000 and downloaded next-stage components.

One payload, ctrl.exe, acted as a .NET loader for the CTRL Management Platform. The platform could run as either a server or a client, and communication stayed inside a local Windows named pipe rather than over the network.

The disclosure said the toolkit also used a Windows Presentation Foundation phishing window that imitated a Windows PIN prompt. It blocked common exit keys, validated the entered PIN against the real authentication system through UI automation and logged captured input to C:\Temp\keylog.txt.

Other components included FRPWrapper.exe, which set up reverse tunnels for RDP and a raw TCP shell, and RDPWrapper.exe, which allowed unlimited concurrent RDP sessions. The report said the design left few network forensic artifacts because operator traffic was routed through FRP reverse tunnels and RDP sessions.
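As an added example, not taken from the Censys report or this article, the PowerShell triage script below hunts a single host for the artifacts the report names: shortcut files that launch hidden PowerShell, the C:\Temp\keylog.txt keylog file, scheduled tasks that invoke PowerShell, and enabled local accounts to review. It assumes the LNK's command line uses a hidden window style or an encoded command and that the lure icon is a stock folder icon from shell32.dll or imageres.dll; the article states neither detail.

```powershell
# Added host-triage script (not the report's or the toolkit's code). Assumptions:
# the lure LNK runs powershell.exe with -WindowStyle Hidden and/or an encoded
# command, and its folder icon comes from shell32.dll or imageres.dll.
$roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop",
           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
$shell = New-Object -ComObject WScript.Shell

# 1. Shortcut files whose target is PowerShell run hidden or with an encoded command
$suspiciousLnk = foreach ($lnk in Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc  = $shell.CreateShortcut($lnk.FullName)
    $cmd = "$($sc.TargetPath) $($sc.Arguments)"
    $folderIcon = $sc.IconLocation -match 'shell32\.dll|imageres\.dll'   # assumed stock folder icon source
    $hiddenPs   = ($cmd -match 'powershell') -and
                  ($cmd -match '-w(in|indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s')
    if ($hiddenPs) {
        [pscustomobject]@{ Path = $lnk.FullName; FolderIcon = $folderIcon; Command = $cmd }
    }
}
$suspiciousLnk | Format-Table -AutoSize

# 2. Keylog file path named in the report
if (Test-Path 'C:\Temp\keylog.txt') {
    Write-Warning 'C:\Temp\keylog.txt exists: matches the CTRL keylogger output path'
}

# 3. Scheduled tasks whose action launches PowerShell (persistence vector named in the report)
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'powershell' }
} | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

# 4. Enabled local accounts: compare against your baseline for added backdoor users
Get-LocalUser | Where-Object Enabled | Select-Object Name, LastLogon, Description | Format-Table -AutoSize
```

Run it in an elevated session so Get-ScheduledTask and Get-LocalUser return complete results; a hit in any section is a lead for deeper forensic review, not proof of infection on its own.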

WHY IT MATTERS

The toolkit shows how attackers are combining phishing, persistence and remote access features in a single package while reducing network signals that defenders often use for detection. That can make intrusions harder to spot and investigate.