CTRL, a newly identified remote access toolkit of suspected Russian origin, is being delivered through malicious Windows shortcut (LNK) files disguised as legitimate folders. This technique enables attackers to gain covert and persistent access to targeted systems through a multi-stage infection chain that relies heavily on PowerShell and in-memory execution.
The toolkit delivers a .NET-based framework capable of credential harvesting through a spoofed Windows Hello interface, continuous keylogging, and Remote Desktop Protocol (RDP) hijacking. A notable characteristic of the malware is its use of Fast Reverse Proxy (FRP) tunnels to route attacker activity through RDP sessions, significantly reducing observable command-and-control traffic. The CTRL toolkit reflects a shift toward targeted, single-operator malware designed for operational stealth and minimal forensic visibility.
The infection process begins with a weaponized LNK file that executes a hidden PowerShell command, initiating a multi-stage payload delivery chain that operates entirely in memory. The initial stager decodes Base64-encoded components, establishes persistence, and prepares the system for subsequent payload execution.
The malware verifies connectivity to a remote server to retrieve additional components, modifies firewall rules, creates scheduled tasks, and establishes backdoor local accounts. At the same time, it enables remote command execution through a reverse tunneling mechanism.
Core components include a .NET-based loader known as ctrl.exe, which operates in both client and server modes and uses Windows named pipes for local communication and command execution. Additional modules support credential harvesting through a spoofed Windows Hello interface, continuous keylogging via keyboard hooks, and system reconnaissance. Remote access is maintained through Fast Reverse Proxy tunneling, which redirects RDP sessions and raw TCP traffic, allowing attackers to interact with compromised systems and exfiltrate data while avoiding traditional command-and-control detection. The technical details of the campaign are discussed below.
The CTRL toolkit is delivered through a malicious Windows shortcut file designed to appear as a legitimate folder. The use of familiar folder icons and convincing naming conventions increases the likelihood of user interaction.
When executed, the LNK file silently triggers a hidden PowerShell command, initiating the attack without visible indicators to the user. This delivery method relies heavily on social engineering and is effective in phishing campaigns and targeted intrusion scenarios.
The infection chain was identified as follows.
The CTRL toolkit is a modular .NET-based framework designed to provide extensive control over compromised systems while minimizing detection. It includes credential harvesting capabilities through a spoofed Windows Hello PIN interface implemented using Windows Presentation Foundation, allowing attackers to capture user credentials through deceptive prompts.
The malware also performs continuous keylogging using keyboard hooks, storing captured keystrokes locally for later retrieval. Additional capabilities include system reconnaissance, command execution, and the ability to generate deceptive browser notifications to support phishing or further payload delivery.
The remote access mechanism combines RDP hijacking with Fast Reverse Proxy tunneling, enabling attackers to interact with compromised systems through legitimate RDP sessions while avoiding conventional command-and-control indicators. Persistence is maintained through scheduled tasks, firewall rule modifications, and the creation of backdoor user accounts. By executing most operations locally and routing activity through encrypted tunnels, the toolkit significantly reduces forensic visibility and enhances operational security.
The toolkit is assessed to be of Russian origin based on observed infrastructure patterns and development characteristics. It reflects a growing trend toward custom-built, operator-focused malware frameworks rather than widely distributed commodity remote access tools.
The design prioritizes operational security, with no reliance on fixed command-and-control infrastructure and a preference for local communication channels. This indicates a shift toward more targeted and stealth-focused intrusion methodologies, likely deployed in controlled campaigns rather than large-scale attacks.
The toolkit was identified on exposed infrastructure and is believed to be used in active but controlled campaigns targeting specific organizations or individuals. While clear geographic targeting has not been definitively established, the use of generic social engineering lures suggests adaptability across regions and industries.
The flexible design of the toolkit and its infrastructure indicates the potential for global deployment, with attackers capable of shifting targets based on operational objectives.
The CTRL toolkit represents a broader trend in cyber operations toward stealth-driven, targeted intrusion frameworks that prioritize persistence and minimal detection. By combining social engineering, in-memory execution, and covert communication techniques, attackers can bypass traditional defenses and maintain long-term access within compromised environments.
Organizations must strengthen detection capabilities by focusing on PowerShell monitoring, in-memory execution analysis, and behavioral anomaly detection to effectively counter such threats.
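The detection advice above maps directly onto the infection chain described earlier: a shortcut double-clicked from Explorer spawns a hidden PowerShell process carrying a Base64-encoded stager, which in turn decodes further Base64 components and then creates scheduled tasks, firewall rules, and backdoor local accounts, with a reverse proxy client handling remote access. The following triage script is an added example written for this article, not code from the original page or from the CTRL toolkit. It walks constructed process-creation events (Sysmon Event ID 1 / Security 4688 style), peels nested layers of Base64 out of the PowerShell command line, and flags the persistence and tunneling indicators the article names. The field names, the sample command lines, the task and account names, and the `frpc.exe` file name are all assumptions made for illustration; the encoded blob is generated when the script loads rather than hand-typed.

```python
"""Triage hidden / encoded PowerShell launched from Explorer (LNK double-click).

Added example, not code from the article or from the CTRL toolkit. Event shape,
field names and every sample command line below are constructed assumptions.
"""
import base64
import re

# --- constructed sample payload (what a stager of this kind might run; assumed) ---
_INNER_STAGE = (
    r"schtasks /create /tn Updater /tr C:\Users\Public\ctrl.exe /sc onlogon /ru SYSTEM; "
    r"netsh advfirewall firewall add rule name=RDP dir=in action=allow protocol=TCP localport=3389; "
    r"net user svc_backup P@ssw0rd! /add; "
    r'net localgroup "Remote Desktop Users" svc_backup /add'
)
_INNER_B64 = base64.b64encode(_INNER_STAGE.encode("utf-8")).decode()
# Outer stager: decodes the inner Base64 blob and runs it in memory.
_OUTER_STAGE = "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s')))" % _INNER_B64
# powershell.exe -EncodedCommand expects Base64 of UTF-16LE text.
_OUTER_B64 = base64.b64encode(_OUTER_STAGE.encode("utf-16-le")).decode()

# Constructed process-creation events: one malicious stager, one benign build script,
# one hidden launch of a reverse proxy client (file name assumed).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc " + _OUTER_B64},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\build\deploy.ps1 -Verbose"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"Start-Process frpc.exe -ArgumentList '-c frpc.ini'\""},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
_B64_LITERAL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
_HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
_BYPASS_RE = re.compile(r"(?i)-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass")

# Indicators the article associates with the chain; checked against every decoded layer.
_INDICATORS = {
    "scheduled_task": re.compile(r"(?i)\bschtasks(\.exe)?\b.*?/create|Register-ScheduledTask"),
    "firewall_rule": re.compile(r"(?i)netsh\s+advfirewall\s+firewall\s+add\s+rule|New-NetFirewallRule"),
    "local_account": re.compile(r"(?i)\bnet(1)?(\.exe)?\s+user\s+\S+\s+\S+\s+/add|New-LocalUser"),
    "rdp_group": re.compile(r"(?i)localgroup\s+\"?Remote Desktop Users\"?|Add-LocalGroupMember"),
    "reverse_tunnel": re.compile(r"(?i)\bfrpc?(\.exe|\.ini)?\b"),
    "in_memory_exec": re.compile(r"(?i)\bIEX\b|Invoke-Expression|DownloadString|FromBase64String"),
}


def _decode_bytes(raw: bytes) -> str:
    """Treat as UTF-16LE when odd bytes are mostly NUL (ASCII text), else UTF-8."""
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_layers(cmdline: str, max_depth: int = 5) -> list:
    """Peel -EncodedCommand and nested FromBase64String('...') literals.

    Returns decoded layers outermost first; empty list when nothing is encoded.
    """
    layers, text = [], cmdline
    for _ in range(max_depth):
        m = _ENC_RE.search(text) or _B64_LITERAL_RE.search(text)
        if not m:
            break
        try:
            decoded = _decode_bytes(base64.b64decode(m.group(1), validate=True))
        except ValueError:  # binascii.Error is a ValueError
            break
        layers.append(decoded)
        text = decoded
    return layers


def triage(event: dict) -> dict:
    """Score one process-creation event; an empty 'findings' list means nothing suspicious."""
    cmd, findings = event["cmdline"], []
    if event["image"].lower().endswith("powershell.exe") and event["parent"].lower().endswith("explorer.exe"):
        findings.append("powershell_from_explorer")  # shortcut or document double-click
    if _HIDDEN_RE.search(cmd):
        findings.append("hidden_window")
    if _BYPASS_RE.search(cmd):
        findings.append("profile_or_policy_bypass")
    layers = decode_layers(cmd)
    if layers:
        findings.append("encoded_command:%d_layers" % len(layers))
    for name, pattern in _INDICATORS.items():
        if any(pattern.search(t) for t in [cmd] + layers):
            findings.append(name)
    return {"cmdline": cmd[:60], "layers": layers, "findings": findings}


def alerts(events, min_findings: int = 3) -> list:
    """Events whose combined indicators meet the threshold, in input order."""
    return [r for r in (triage(e) for e in events) if len(r["findings"]) >= min_findings]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit["findings"])
```

The threshold-based scoring is deliberate: a hidden window or an encoded command alone is common in legitimate administration, but an Explorer-spawned, hidden, encoded PowerShell whose decoded layers create tasks, open firewall ports and add accounts to Remote Desktop Users is the combination this toolkit's chain produces. In production the decoded layers would come from PowerShell script block logging (Event ID 4104) rather than from the command line alone, since a stager may download rather than embed its next stage.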
The CTRL toolkit enables comprehensive system compromise by combining credential harvesting, keylogging, and RDP hijacking to establish persistent and covert access. Its use of reverse proxy tunneling and local communication mechanisms significantly reduces detectable network activity, allowing attackers to evade traditional security controls.
This level of access can lead to unauthorized data access, lateral movement across networks, and broader infrastructure compromise, posing serious risks to organizational security and operational continuity.