Cybersecurity experts have uncovered a sophisticated toolkit originating from Russia, which utilizes malicious Windows shortcut (LNK) files to compromise systems. These files, posing as private key folders, are part of a broader strategy to infiltrate and control targeted computers.
Mechanisms Behind the CTRL Toolkit
The CTRL toolkit, identified by researchers at Censys, is a bespoke creation developed using .NET technology. It encompasses various executable files designed for credential phishing, keylogging, and hijacking Remote Desktop Protocol (RDP) sessions, along with reverse tunneling through Fast Reverse Proxy (FRP). According to Censys security researcher Andrew Northern, the toolkit’s executables facilitate encrypted payload loading and credential harvesting via a deceptive Windows Hello interface.
Discovered on an open directory in February 2026, the toolkit’s distribution begins with a tampered LNK file named “Private Key #kfxm7p9q_yek.lnk,” which appears as a normal folder icon. This file initiates a complex sequence, ultimately deploying the malicious toolkit. The process starts with a hidden PowerShell command that eliminates existing persistence methods from the Windows Startup folder.
Technical Details and Attack Execution
The process includes decoding a Base64-encoded component, which executes in memory. The initial stage checks TCP connectivity to hui228[.]ru:7000 to download subsequent payloads. It also alters firewall configurations, establishes persistence through scheduled tasks, creates backdoor users, and initiates a command shell server accessible via FRP on port 5267.
One notable payload, “ctrl.exe,” acts as a .NET loader, launching additional embedded components. Depending on its command-line arguments, it functions as either a server or a client, with communication occurring through a Windows named pipe. This dual-mode operation allows attackers to interact with the victim’s system directly through an FRP-tunneled RDP session, while keeping command traffic confined to the local machine.
Implications and Future Outlook
The CTRL toolkit includes commands for gathering system information, activating a credential harvesting module, and initiating a keylogger to capture keystrokes. This information is stored in a file named “C:Tempkeylog.txt.” The credential harvesting tool mimics a Windows PIN verification prompt using Windows Presentation Foundation (WPF), making it difficult for users to detect the phishing attempt.
Furthermore, the toolkit can send fake browser notifications to steal additional credentials or deploy further payloads. Other components, such as FRPWrapper.exe and RDPWrapper.exe, facilitate reverse tunneling and enable multiple concurrent RDP sessions.
The design of the CTRL toolkit highlights a shift towards highly focused, single-operator tools that prioritize stealth and operational security. By utilizing FRP reverse tunnels, attackers can avoid the typical network signatures associated with standard remote access tools, making detection more challenging.
As cybersecurity threats continue to evolve, understanding and mitigating the risks associated with such sophisticated toolkits remain paramount for organizations worldwide.
