
Russian-Origin CTRL Toolkit Exploits LNK Files to Deploy Stealthy Multi-Stage Cyber Attacks


Cybersecurity experts have uncovered a sophisticated remote access toolkit, believed to be of Russian origin, that is being spread through malicious Windows shortcut (LNK) files disguised as private key folders.

Identified as the CTRL toolkit by Censys, the malware is developed using .NET and consists of multiple executables designed to perform credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling using Fast Reverse Proxy (FRP).

"The executables provide encrypted payload loading, credential harvesting via a polished Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP," Censys security researcher Andrew Northern said.

Researchers discovered the toolkit in February 2026 from an open directory hosted at 146.19.213[.]155. The infection process begins with a deceptive LNK file named “Private Key #kfxm7p9q_yek.lnk,” which appears as a folder icon to lure users into opening it.

Once executed, the file initiates a multi-stage attack chain where each step decrypts or unpacks the next payload. It silently runs a hidden PowerShell command that removes existing persistence mechanisms from the Windows Startup folder, decodes a Base64 payload, and executes it directly in memory.

The initial loader then checks connectivity with a remote server (hui228[.]ru:7000) before downloading additional components. It also alters firewall configurations, establishes persistence via scheduled tasks, creates unauthorized local user accounts, and launches a command shell server on port 5267, accessible through an FRP tunnel.
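The chain above leaves a recognisable sequence of host and network artifacts: the lure file name, a hidden-window PowerShell that decodes Base64, the connectivity check to hui228[.]ru:7000, downloads from 146.19.213[.]155, scheduled-task and local-user creation, and an inbound connection to the port-5267 shell. The following Python script is an added example, not Censys's or the toolkit's code; it matches those indicators (as reported in the article) against log lines. The log lines, the Sysmon/Security-style `key=value` layout, the user names, task name and the `C:\Users\Public\ctrl.exe` path are all constructed for illustration.

```python
"""Host-artifact triage for the CTRL toolkit chain described in the article.

Added example, not Censys code. The indicators come from the write-up; the
log format and every sample line below are constructed.
"""
import re
from dataclasses import dataclass

# Indicators as reported by Censys (kept defanged; refang() makes them matchable).
DEFANGED_C2_HOST = "hui228[.]ru"
C2_PORT = 7000
DEFANGED_STAGING_IP = "146.19.213[.]155"
SHELL_PORT = 5267
KEYLOG_PATH = r"C:\Temp\keylog.txt"


def refang(ioc: str) -> str:
    """Undo report-style defanging ('[.]' -> '.') so the value matches real logs."""
    return ioc.replace("[.]", ".")


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


RULES = (
    # Stage 0: the lure, a shortcut named like a private-key folder.
    Rule("lnk_private_key_lure", re.compile(r"Private Key #\w+_yek\.lnk", re.I)),
    # Stage 1: hidden-window PowerShell that decodes Base64 and runs it in memory.
    Rule("powershell_hidden_encoded",
         re.compile(r"powershell.*-w(?:indowstyle)?\s+hidden.*"
                    r"(?:-e(?:nc|ncodedcommand)?\b|FromBase64String)", re.I)),
    # Connectivity check to the downloader host on port 7000.
    Rule("c2_connectivity_check",
         re.compile(re.escape(refang(DEFANGED_C2_HOST)) + r".*\b" + str(C2_PORT) + r"\b", re.I)),
    # Open directory the payloads were staged on.
    Rule("staging_ip", re.compile(re.escape(refang(DEFANGED_STAGING_IP)))),
    # Persistence and access: Security 4698 (task created), 4720 (user created).
    Rule("scheduled_task_created", re.compile(r"\bEventID=4698\b")),
    Rule("local_user_created", re.compile(r"\bEventID=4720\b")),
    # Inbound connection (Sysmon 3, Initiated=false) to the command-shell listener.
    Rule("shell_listener_5267",
         re.compile(r"Initiated=false.*\bDestinationPort=" + str(SHELL_PORT) + r"\b", re.I)),
    # Keylogger output file being created or written.
    Rule("keylog_file_written", re.compile(re.escape(KEYLOG_PATH), re.I)),
)

# Constructed sample log, one event per line, flattened to key=value fields.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Windows\explorer.exe CommandLine="C:\Users\alice\Downloads\Private Key #kfxm7p9q_yek.lnk"',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -WindowStyle Hidden -EncodedCommand <base64 omitted>"',
    r'EventID=3 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Initiated=true DestinationHostname=hui228.ru DestinationPort=7000',
    r'EventID=3 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Initiated=true DestinationIp=146.19.213.155 DestinationPort=80',
    r'EventID=4698 SubjectUserName=alice TaskName=\ExampleTask TaskContent=C:\Users\Public\ctrl.exe',
    r'EventID=4720 SubjectUserName=alice TargetUserName=exampleuser',
    r'EventID=3 Image=C:\Users\Public\ctrl.exe Initiated=false SourceIp=10.0.0.5 DestinationPort=5267',
    r'EventID=11 Image=C:\Users\Public\ctrl.exe TargetFilename=C:\Temp\keylog.txt',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt"',
]


def scan(lines):
    """Return (line_number, rule_name) for every rule that fires; line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                hits.append((n, rule.name))
    return hits


def chain_coverage(hits):
    """Group hits by rule. A host that fires across several stages (lure, loader,
    C2 check, persistence, shell, keylog) is a far stronger match for the full
    chain than a single coincidental string."""
    coverage = {}
    for n, name in hits:
        coverage.setdefault(name, []).append(n)
    return coverage


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for n, name in hits:
        print(f"line {n}: {name}")
    print("stages matched:", len(chain_coverage(hits)), "of", len(RULES))
```

The rules are deliberately narrow to the values the article reports; in production you would widen the PowerShell rule to your own baseline and correlate the stages by host and time window rather than treating any single hit as a confirmed infection.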

Among the deployed components is “ctrl.exe,” a .NET-based loader that runs the CTRL Management Platform. This platform can operate as either a server or client depending on how it is executed, with communication handled through a Windows named pipe.

"The dual-mode design means the operator deploys ctrl.exe once on the victim (via the stager), then interacts with it by running ctrl.exe client through the FRP-tunneled RDP session," Censys said. "The named pipe architecture keeps all C2 command traffic local to the victim machine — nothing traverses the network except the RDP session itself."

The toolkit enables attackers to collect system data, execute credential-harvesting modules, and activate a background keylogger that records keystrokes into a file located at “C:\Temp\keylog.txt.”

A notable feature is its phishing module, built with Windows Presentation Foundation (WPF), which convincingly imitates a Windows PIN verification prompt. It blocks the common keyboard shortcuts for closing the window and checks each entered PIN against the legitimate Windows authentication interface through UI automation.

"If the PIN is rejected, the victim is looped back with an error message," Northern explained. "The window remains open even if the PIN successfully validates against the actual Windows authentication system. The captured PIN is logged with the prefix [STEALUSER PIN CAPTURED] to the same keylog file used by the background keylogger."
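For incident response, the keylog file is the scoping evidence for this module: any line carrying the `[STEALUSER PIN CAPTURED]` prefix means the phishing window collected a PIN, and because the module validates it against Windows, a repeated value is most likely the user's real Windows Hello PIN. The Python below is an added example, not Censys's or the toolkit's code, for summarising that file without re-exposing captured secrets. The article does not describe the file's line layout; the one-entry-per-line format with a timestamp and window tag, and the sample content, are constructed assumptions.

```python
"""Triage of the CTRL keylog file (C:\\Temp\\keylog.txt) after a confirmed infection.

Added example, not Censys code. The prefix string is the one the article
reports; the line layout and the sample file are constructed.
"""
import re

PIN_PREFIX = "[STEALUSER PIN CAPTURED]"
# Assumed layout: optional timestamp, then either raw keystrokes or the PIN marker.
PIN_LINE = re.compile(re.escape(PIN_PREFIX) + r"\s*(?P<pin>\S+)")

# Constructed sample; the PIN value is made up for illustration.
SAMPLE_KEYLOG = """\
2026-02-10 09:12:01 [Window: Outlook] meeting notes for q1
2026-02-10 09:14:37 [STEALUSER PIN CAPTURED] 482913
2026-02-10 09:14:51 [STEALUSER PIN CAPTURED] 482913
2026-02-10 09:20:05 [Window: Chrome] search terms typed here
"""


def redact(secret: str) -> str:
    """Keep only the length, so a report proves a capture happened without repeating it."""
    return "*" * len(secret)


def triage_keylog(text: str) -> dict:
    """Summarise the file: how many PIN captures, how many distinct values, and
    how much ordinary keystroke data, never echoing the captured secrets."""
    pin_lines = 0
    distinct = set()
    keystroke_lines = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PIN_LINE.search(line)
        if m:
            pin_lines += 1
            distinct.add(m.group("pin"))
        else:
            keystroke_lines += 1
    return {
        "pin_capture_lines": pin_lines,
        "distinct_pins": len(distinct),
        "redacted_pins": sorted(redact(p) for p in distinct),
        "keystroke_lines": keystroke_lines,
        # Any capture at all means the Windows Hello PIN must be treated as compromised.
        "pin_reset_required": pin_lines > 0,
    }


if __name__ == "__main__":
    for key, value in triage_keylog(SAMPLE_KEYLOG).items():
        print(f"{key}: {value}")
```

Because the window stays open after a successful validation, the same PIN typically appears more than once; several distinct values usually mean the user tried alternatives before the real one, and all of them should be considered exposed.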

Additionally, the malware can generate fake browser notifications mimicking popular applications such as Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron to trick users into revealing more credentials or executing malicious payloads.

Two other components identified in the attack include FRPWrapper.exe, a Go-based DLL used to create reverse tunnels for RDP and TCP shell access, and RDPWrapper.exe, which allows unlimited simultaneous RDP sessions.

"The toolkit demonstrates deliberate operational security. None of the three hosted binaries contain hard-coded C2 addresses," Censys said. "All data exfiltration occurs through the FRP tunnel via RDP — the operator connects to the victim’s desktop and reads keylog data through the ctrl named pipe. This architecture leaves minimal network forensic artifacts compared to traditional C2 beacon patterns."

"The CTRL toolkit demonstrates a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth. By routing all interaction through FRP reverse tunnels to RDP sessions, the operator avoids the network-detectable beacon patterns that characterize commodity RATs."