Cybersecurity researchers have identified a Russian-origin remote access toolkit named CTRL that spreads through malicious Windows shortcut files disguised as private key folders. This sophisticated .NET-based malware employs a multi-stage infection process to establish persistence, hijack desktop sessions, and harvest user credentials through deceptive phishing interfaces.
Researchers at Censys discovered the CTRL toolkit in early 2026 after locating it within an open directory. The infection begins when a user clicks a weaponized LNK file that uses a folder icon to appear legitimate. This action triggers a hidden PowerShell command that clears existing startup persistence and executes a stager in memory. The stager then connects to a remote server to download additional payloads while simultaneously modifying firewall rules and creating backdoor user accounts to ensure long-term access.
The toolkit is notable for its use of Fast Reverse Proxy and Remote Desktop Protocol hijacking to bypass traditional network defenses. By establishing a reverse tunnel, the attackers can gain direct control over the infected machine without triggering typical perimeter alarms. The primary loader facilitates the deployment of the CTRL Management Platform, which serves as the central hub for the attacker's activities on the compromised system.
A unique aspect of the malware is its dual-mode design, which allows the same executable to function as both a client and a server. This architecture uses Windows named pipes for internal communication, ensuring that command traffic remains local to the victim's machine. Because the instructions do not travel directly across the network, the activity is much harder for standard traffic monitoring tools to detect, as it appears as routine local process communication.
Once the platform is fully active, it provides the operator with an extensive suite of spying tools. This includes a credential harvester that mimics the Windows Hello interface to trick users into entering their passwords or biometric data. Additionally, the malware can launch a background keylogger that records every keystroke to a hidden text file. These stolen data points are then exfiltrated back to the attackers through the established proxy tunnel.
The discovery of CTRL highlights the evolving nature of remote access tools that prioritize stealth through legitimate system components. By combining social engineering with advanced tunneling techniques and local communication pipes, the creators of this toolkit have built a robust framework for long-term espionage. Security professionals are advised to monitor for unusual LNK file behavior and unauthorized modifications to Windows firewall rules or scheduled tasks.
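A defender-side triage script for the lure described above, added here as an example and not code from the Censys report: it parses the .lnk ShellLinkHeader and StringData fields per the MS-SHLLINK layout and flags a shortcut that borrows a folder icon from a system DLL while launching PowerShell with hidden or encoded options. The shortcut bytes are constructed for the demonstration, and the icon-source and option heuristics are assumptions, not indicators taken from the report.

```python
import re, struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),   # on-disk order,
                 (0x20, "arguments"), (0x40, "icon_location")]                     # keyed by LinkFlags bit
SYSTEM_ICON = re.compile(r"(shell32|imageres)\.dll", re.I)   # assumed folder-icon sources
PS_EXE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
PS_STEALTH = re.compile(r"-w(indowstyle)?\s+h(idden)?\b|-e(nc|ncodedcommand)?\s|-nop\b", re.I)

def parse_lnk(data: bytes) -> dict:
    """Return IconIndex, ShowCommand and every StringData entry the LinkFlags declare."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, (icon_index, show_cmd) = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<iI", data, 56)
    pos = 76
    if flags & HAS_IDLIST:                  # skip LinkTargetIDList (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                # skip LinkInfo (u32 size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"icon_index": icon_index, "show_command": show_cmd}
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, name in STRING_FIELDS:         # CountCharacters (u16) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            out[name] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    return out

def triage_lnk(data: bytes) -> list:
    """List the lure indicators present; an empty list means nothing matched."""
    lnk = parse_lnk(data)
    target = lnk.get("relative_path", "") + " " + lnk.get("arguments", "")
    checks = [
        (SYSTEM_ICON.search(lnk.get("icon_location", "")), "icon borrowed from a system DLL (folder disguise)"),
        (PS_EXE.search(target) and PS_STEALTH.search(target), "launches PowerShell with hidden/encoded/no-profile options"),
        (lnk["show_command"] == 7, "ShowCommand=SW_SHOWMINNOACTIVE keeps the window hidden"),
    ]
    return [msg for hit, msg in checks if hit]

def build_lnk(relative_path, arguments, icon_location, show_command=1) -> bytes:
    """Assemble a minimal Unicode shortcut (no IDList/LinkInfo) for testing."""
    header = (struct.pack("<I16sI", 76, LNK_CLSID, IS_UNICODE | 0x08 | 0x20 | 0x40)
              + bytes(32) + struct.pack("<iI", 0, show_command) + bytes(12))
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (relative_path, arguments, icon_location))

# Constructed samples: a benign document shortcut and a folder-icon PowerShell lure.
SAMPLE_BENIGN = build_lnk(r"..\Documents\Report.docx", "", "")
SAMPLE_LURE = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        "-nop -w hidden -enc QQBCAEMA", r"%SystemRoot%\System32\shell32.dll", 7)
```

Run `triage_lnk` over the .lnk files in a user's Startup folder or a mail quarantine to surface shortcuts that combine a borrowed folder icon with a hidden PowerShell launch.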
Source: https://censys.com/blog/under-ctrl-dissecting-a-previously-undocumented-russian-net-access-framework/