Russian CTRL: RDP Hijacking with Malicious LNK Files and FRP Tunnels

A newly discovered remote access toolkit of Russian origin, known as CTRL, has been found to be distributed through malicious Windows shortcut (LNK) files disguised as private key folders.

Developed using .NET, the CTRL toolkit includes various executables aimed at enabling credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling through Fast Reverse Proxy (FRP).

According to Censys, security researcher Andrew Northern stated that “The executables provide encrypted payload loading, credential harvesting via a polished Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP.”

The CTRL toolkit was recovered from an open directory in February 2026, with attack chains using a weaponized LNK file named “Private Key #kfxm7p9q_yek.lnk” to deceive users into clicking on it.

This triggers a multi-stage process where each stage decrypts or decompresses the next, ultimately leading to the deployment of the toolkit. The LNK file dropper executes a hidden PowerShell command that removes existing persistence mechanisms from the victim’s Windows Startup folder and runs a Base64-encoded blob in memory.
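As an added defender-side illustration (not code from the Censys report or from the toolkit itself), the following Python reads the StringData of a .lnk file and flags the dropper traits described above: a hidden PowerShell window and a Base64 -EncodedCommand blob whose decoded script refers to the Startup folder. Layout constants follow the MS-SHLLINK specification; the sample shortcut is constructed inline, has no target, and wraps a harmless directory listing.

```python
import base64
import re
import struct

# MS-SHLLINK layout: 0x4C-byte header, LinkFlags at 0x14, optional IDList and LinkInfo, then StringData.
HEADER_SIZE, CLSID = 0x4C, bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGS, IS_UNICODE = 1 << 0, 1 << 1, 1 << 5, 1 << 7
STRING_FIELDS = (("name", 1 << 2), ("relpath", 1 << 3), ("workdir", 1 << 4), ("args", 1 << 5), ("icon", 1 << 6))
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def parse_lnk_strings(data: bytes) -> dict:
    """Walk a .lnk far enough to return its StringData fields (name, relpath, workdir, args, icon)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:    # IDListSize (2 bytes) precedes the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for name, bit in STRING_FIELDS:  # fixed order, each gated by its LinkFlags bit
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields


def triage_lnk(data: bytes) -> dict:
    """Flag the dropper traits the article describes: hidden window, Base64 blob, Startup folder reference."""
    args = parse_lnk_strings(data).get("args", "")
    m, decoded = ENC_RE.search(args), ""
    if m:
        try:  # -EncodedCommand carries Base64 of a UTF-16LE script
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace")
        except ValueError:
            pass
    return {"hidden_window": bool(HIDDEN_RE.search(args)), "encoded_command": m is not None,
            "touches_startup": "startup" in decoded.lower(), "decoded_preview": decoded[:80]}


# Constructed fixture: header plus an arguments string only (no target, so not a usable shortcut),
# wrapping a harmless listing of the Startup folder in the same -w hidden -enc shape as the dropper.
SCRIPT = 'Get-ChildItem "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"'
ARGS = "-w hidden -nop -enc " + base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LNK = (struct.pack("<I", HEADER_SIZE) + CLSID + struct.pack("<I", HAS_ARGS | IS_UNICODE)
              + b"\0" * (HEADER_SIZE - 24) + struct.pack("<H", len(ARGS)) + ARGS.encode("utf-16-le"))
```

Run `triage_lnk` over shortcuts found in mail attachments or user download folders; a hit on all three flags is a strong triage signal, while the decoded preview gives an analyst the script without executing it.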

One of the downloaded payloads, “ctrl.exe,” acts as a .NET loader for launching the embedded CTRL Management Platform, which can act as either a server or a client. Communication is done through a Windows named pipe.

The toolkit includes commands to gather system information, launch a credential harvesting module, and start a keylogger that installs a keyboard hook, captures keystrokes to a file named “C:\Temp\keylog.txt”, and exfiltrates the results.

Additionally, a credential harvesting component mimics a real Windows PIN verification prompt, capturing the system PIN and blocking attempts to escape the phishing window. The captured PIN is logged in the keylog file.

The toolkit can also send toast notifications impersonating various web browsers to conduct credential theft or deliver other payloads. Two other payloads dropped during the attack are FRPWrapper.exe and RDPWrapper.exe, which establish reverse tunnels and enable unlimited RDP sessions, respectively.

Censys highlighted that the CTRL toolkit prioritizes operational security by routing all interaction through FRP reverse tunnels to RDP sessions, minimizing network forensic artifacts compared to traditional C2 beacon patterns.

In conclusion, the CTRL toolkit exemplifies a shift towards purpose-built, single-operator toolkits that prioritize operational security. By avoiding network-detectable beacon patterns, the operator can maintain a discreet and secure operation.