New Russian CTRL toolkit spreads via fake private key folders - hijacks RDP and steals credentials

Researchers at Censys discovered a previously undocumented Russian-origin toolkit called CTRL, distributed through Windows shortcut files disguised as private key folders. Once a victim double-clicks the LNK file, a multi-stage chain deploys credential harvesting through a fake Windows Hello PIN prompt, a keylogger, RDP session hijacking, and reverse proxy tunneling. All stolen data exits through the RDP tunnel, leaving minimal forensic traces compared to traditional command-and-control patterns.

Check
Warn staff about Windows shortcut files received via email or messaging, especially any labeled as private keys or credentials.

Affected
Any Windows system where a user opens the malicious LNK file. The toolkit targets .NET Framework 4.7.2 environments.

Fix
Block the domains hui228[.]ru and IPs 146.19.213.155, 194.33.61.36, 109.107.168.18. Train staff to never open shortcut files from untrusted sources. Monitor for unusual FRP tunnel traffic on port 7000.
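The Fix section above gives a block list and a port to watch; the script below turns that into a small detection pass over connection logs. It is an added example written for this brief, not Censys code and not part of the toolkit. The log format is an assumption (one event per line: timestamp, source IP, destination IP, destination port, optional destination domain), the sample lines are constructed, and the rule that a TCP/7000 session between two RFC 1918 hosts is not reported is a choice made here to reduce noise, not something the brief states. The indicators are the ones printed above, with the defanged domain refanged before matching so subdomains of it are caught as well.

```python
"""Scan connection logs for the CTRL indicators listed in the brief.

Added example for this brief; it is not Censys code and not part of the
toolkit. The log format is an assumption: one event per line as
'<timestamp> <src_ip> <dst_ip> <dst_port> [<dst_domain>]'.
"""
import ipaddress
import re

# Indicators from the brief; the domain is written defanged there.
DEFANGED_DOMAINS = ["hui228[.]ru"]
BLOCK_IPS = {"146.19.213.155", "194.33.61.36", "109.107.168.18"}
FRP_PORT = 7000  # default FRP server port named in the brief

# Assumption: RFC 1918 space plus loopback counts as internal, so a
# TCP/7000 session between two internal hosts is not reported.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)(?:\s+(?P<domain>\S+))?$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'hui228[.]ru' back into 'hui228.ru'."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


BLOCK_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "port": int(m.group("port")),
        "domain": (m.group("domain") or "").lower().rstrip("."),
    }


def classify(event: dict) -> list:
    """List the reasons an event matches; an empty list means no match."""
    reasons = []
    if event["dst"] in BLOCK_IPS:
        reasons.append(f"destination {event['dst']} is a listed CTRL IP")
    d = event["domain"]
    if d and (d in BLOCK_DOMAINS or any(d.endswith("." + b) for b in BLOCK_DOMAINS)):
        reasons.append(f"destination domain {d} is a listed CTRL domain")
    if event["port"] == FRP_PORT and not is_internal(event["dst"]):
        reasons.append("outbound TCP/7000 to a non-internal host (default FRP port)")
    return reasons


def scan(lines):
    """Return (event, reasons) pairs for every line that matches an indicator."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample log; the external IPs other than the listed
# indicators come from documentation ranges (RFC 5737).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 146.19.213.155 443",
    "2024-05-01T10:00:01Z 10.0.0.5 198.51.100.7 443 example.com",
    "2024-05-01T10:00:02Z 10.0.0.7 203.0.113.10 7000",
    "2024-05-01T10:00:03Z 10.0.0.7 10.0.0.9 7000",
    "2024-05-01T10:00:04Z 10.0.0.8 198.51.100.20 443 cdn.hui228.ru",
    "2024-05-01T10:00:05Z 10.0.0.9 194.33.61.36 7000",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG):
        print(ev["ts"], ev["src"], "->", ev["dst"], ev["port"], ";", "; ".join(reasons))
```

On the constructed sample the scan reports four events: the two listed IPs, the external TCP/7000 session, and the subdomain of the listed domain; the internal-to-internal port 7000 session and the malformed line produce nothing. The port 7000 rule is the noisiest of the three, since FRP can be configured to any port and other software may use 7000, so treat that reason as a review prompt rather than a verdict, while the IP and domain matches correspond directly to the block list above.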