Ethical Hacking News
Russian-Controlled Toolkit Hijacks RDP via FRP Tunnels: A New Threat to Remote Access
A sophisticated toolkit distributed through malicious Windows shortcut files poses a significant threat to Remote Desktop Protocol (RDP) users and to organizations with many internet-connected endpoints. Russian cybersecurity researchers have uncovered the toolkit, tracked as CTRL, which bundles executables for credential phishing, keylogging, RDP session hijacking, and reverse tunneling via Fast Reverse Proxy (FRP). Distribution relies on a weaponized LNK file that tricks users into double-clicking it; once running, the toolkit wipes existing persistence mechanisms from the victim's Windows Startup folder and decodes a Base64-encoded blob that runs in memory. Its commands cover system information gathering, credential harvesting, keylogging, and exfiltration of results, and a dual-mode design lets the operator deploy payloads through FRP-tunneled RDP sessions. The case highlights purpose-built toolkits that prioritize operational security over feature breadth by routing all interaction through FRP reverse tunnels to RDP sessions.
Russian cybersecurity researchers have recently uncovered a sophisticated remote access toolkit (CTRL) that is being distributed through malicious Windows shortcut files, disguised as private key folders. This toolkit, custom-built using .NET, poses a significant threat to remote desktop protocol (RDP) users and organizations with multiple endpoints connected to the internet.
The CTRL toolkit, as discovered by Censys security researcher Andrew Northern, includes various executables that facilitate credential phishing, keylogging, RDP session hijacking, and reverse tunneling via Fast Reverse Proxy (FRP). The attack surface management platform reported recovering the toolkit from an open directory at 146.19.213[.]155 in February 2026.
The distribution of the CTRL toolkit relies on a weaponized LNK file ("Private Key #kfxm7p9q_yek.lnk") with a folder icon that tricks users into double-clicking it, triggering a multi-stage process. Each stage decrypts or decompresses the next until it leads to the deployment of the toolkit.
Upon execution, the toolkit wipes existing persistence mechanisms from the victim's Windows Startup folder and decodes a Base64-encoded blob that runs in memory. The stager tests TCP connectivity to hui228[.]ru:7000 and downloads next-stage payloads from the server. It also modifies firewall rules, sets up persistence using scheduled tasks, creates backdoor local users, and spawns a cmd.exe shell server on port 5267 accessible through the FRP tunnel.
One of the downloaded payloads, "ctrl.exe," functions as a .NET loader for launching an embedded payload, the CTRL Management Platform. This platform can serve either as a server or a client depending on command-line arguments. Communication occurs over a Windows named pipe, utilizing a dual-mode design that allows the operator to deploy ctrl.exe once and then interact with it by running the ctrl.exe client within the FRP-tunneled RDP session.
The toolkit includes commands for system information gathering, credential harvesting using a polished Windows Hello phishing UI, keylogging as a background service (configured as a server) that captures all keystrokes to a file named "C:\Temp\keylog.txt," and exfiltration of results. The credential harvesting component mimics a real Windows PIN verification prompt to capture the system PIN.
The module launches as a Windows Presentation Foundation (WPF) application that validates the entered PIN against the real Windows authentication system via UI automation using SendKeys(). If the PIN is rejected, the victim is looped back with an error message. The captured PIN is logged with the prefix [STEALUSER PIN CAPTURED] to the same keylog file used by the background keylogger.
Another command allows the toolkit to send toast notifications impersonating web browsers like Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron to conduct additional credential theft or deliver other payloads. Two additional payloads were discovered – FRPWrapper.exe, a Go DLL that establishes reverse tunnels for RDP and raw TCP shells through the operator's FRP server, and RDPWrapper.exe, which enables unlimited concurrent RDP sessions.
The Censys researchers have noted deliberate operational security measures within the toolkit, as none of the three hosted binaries contain hard-coded C2 addresses. All data exfiltration occurs through the FRP tunnel via RDP – the operator connects to the victim's desktop and reads keylog data through the ctrl named pipe. This architecture leaves minimal network forensic artifacts compared to traditional C2 beacon patterns.
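Because the toolkit leaves few network artifacts, the host is where the indicators described above (the keylog file and its PIN-capture prefix, the shell listener on port 5267, the payload names, the scheduled-task and local-user persistence) can be checked. The following hunting script is an added example, not code from the Censys report or from the toolkit; the indicator values are those quoted in the article, while the 24-hour lookback window and the Security event IDs used are assumptions noted inline.

```powershell
# Added hunting script (not part of the Censys report or the toolkit):
# looks for the host artifacts the article attributes to the CTRL
# stager and ctrl.exe. Run from an elevated PowerShell session.
$Lookback   = (Get-Date).AddHours(-24)      # assumed hunt window
$KeylogPath = 'C:\Temp\keylog.txt'          # keylogger output (article)
$PinMarker  = '[STEALUSER PIN CAPTURED]'    # PIN-capture prefix (article)
$ShellPort  = 5267                          # cmd.exe shell port (article)
$Binaries   = 'ctrl', 'FRPWrapper', 'RDPWrapper'   # payload names (article)
$Findings   = New-Object System.Collections.Generic.List[string]

# 1. Keylog file and the marker the WPF PIN-phishing module writes to it.
if (Test-Path -LiteralPath $KeylogPath) {
    $Findings.Add("Keylog file present: $KeylogPath")
    if (Select-String -LiteralPath $KeylogPath -Pattern $PinMarker -SimpleMatch -Quiet) {
        $Findings.Add("PIN-capture marker found in $KeylogPath")
    }
}

# 2. Running processes named like the three hosted payloads.
Get-Process -Name $Binaries -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add("Process $($_.ProcessName) (PID $($_.Id)) running from $($_.Path)")
}

# 3. Local listener for the shell server that is exposed through the FRP tunnel.
Get-NetTCPConnection -State Listen -LocalPort $ShellPort -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $Findings.Add("TCP $ShellPort listening, owner PID $($_.OwningProcess) ($owner)")
    }

# 4. Scheduled tasks registered inside the hunt window (persistence).
Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -gt $Lookback } |
    ForEach-Object { $Findings.Add("Task registered recently: $($_.TaskPath)$($_.TaskName)") }

# 5. Security log: 4720 = local user created, 4698 = scheduled task created.
#    4698 is only logged when 'Audit Other Object Access Events' is enabled (assumption).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4698; StartTime = $Lookback } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $Findings.Add("Event $($_.Id) at $($_.TimeCreated): $($_.Message.Split("`n")[0])")
    }

if ($Findings.Count -eq 0) { 'No CTRL-related artifacts found in the hunt window.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Any hit on checks 1 to 3 is high-confidence; checks 4 and 5 will also surface legitimate administrative activity and need triage against the change record.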
The CTRL toolkit demonstrates a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth by routing all interaction through FRP reverse tunnels to RDP sessions. The operator avoids network-detectable beacon patterns characteristic of commodity Remote Access Trojans (RATs).
Related Information:
https://www.ethicalhackingnews.com/articles/Russian-Controlled-Toolkit-Hijacks-RDP-via-FRP-Tunnels-A-New-Threat-to-Remote-Access-ehn.shtml
https://thehackernews.com/2026/03/russian-ctrl-toolkit-delivered-via.html
https://censys.com/blog/under-ctrl-dissecting-a-previously-undocumented-russian-net-access-framework/
Published: Mon Mar 30 06:13:48 2026 by llama3.2 3B Q4_K_M