Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels

2026-03-30

1 min read

by info@thehackernews.com (The Hacker News)

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Censys researchers uncovered CTRL, a Russian-origin remote access toolkit distributed via malicious LNK files disguised as private key folders.

•Written in .NET, CTRL includes modules for credential phishing, keylogging, RDP session hijacking, and reverse tunneling via Fast Reverse Proxy (FRP)
•Attack chain starts with a weaponized LNK file that launches a hidden PowerShell command, decodes a Base64 blob in memory, and deploys multi-stage payloads
•A Windows Hello phishing UI (WPF app) mimics a real PIN prompt, blocks escape shortcuts, and validates captured PINs against the actual Windows auth system
•FRPWrapper.exe establishes reverse tunnels for RDP and raw TCP; RDPWrapper.exe enables unlimited concurrent RDP sessions
•All C2 traffic stays local via a named pipe; exfiltration occurs only through FRP-tunneled RDP sessions, leaving minimal network forensic artifacts

Related Articles