New “CTRL” RAT Linked to Russian Hackers Enables RDP Hijacking Attacks

Censys Attack Research Center (ARC) has uncovered a previously undocumented, Russian-origin remote access toolkit dubbed “CTRL”, a sophisticated post-exploitation framework that combines credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and Fast Reverse Proxy (FRP)-based tunneling into a single, cohesive package.

Delivered entirely through one weaponized LNK file, CTRL represents a class of privately developed, single-operator tooling that, at the time of the report, had not surfaced on public threat intelligence platforms such as VirusTotal and Hybrid Analysis.

Discovery and Attribution

The toolkit was first identified through Censys’ open directory scanning in February 2026, when researchers discovered an exposed payload hosting directory at hui228[.]ru:82/hosted/ containing three .NET executables.

Russian attribution rests on several technical indicators: Russian-language error strings embedded in the FRP wrapper component (e.g., “Не найдена функция GoMain”, “GoMain function not found”), a .ru command-and-control (C2) domain, PDB paths pointing to C:\Users\Admin\repos\repos, and copyright dates consistent with development during 2025.

The C2 relay infrastructure was observed on two IPs: 194.33.61[.]36 (active January–February 2026) and 109.107.168[.]18 (to which DNS was switched on February 27, 2026).

Both were hosted within Partner Hosting LTD’s Frankfurt infrastructure on AS215826, a UK-registered autonomous system provisioned as recently as February 2025.

CTRL’s delivery mechanism is a socially engineered LNK file named Private Key #kfxm7p9q_yek.lnk, which disguises itself with a Windows folder icon (SHELL32.dll icon index 3) to trick victims into double-clicking.

The file embeds a 30,000-character base64-encoded PowerShell payload within its command-line arguments, making it entirely self-contained; no external download is required for initial execution.
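A triage script for a shortcut of the kind described above, added here as an example (it is not Censys’ tooling and not the operator’s code). It walks the MS-SHLLINK header and StringData by hand, checks for the SHELL32.dll icon-index-3 folder disguise, flags an argument string far longer than a hand-made shortcut carries (the 1024-character cut-off is an assumption), and decodes an -EncodedCommand payload. The shortcut it parses is constructed inline by build_sample_lnk(), not the real Private Key #kfxm7p9q_yek.lnk.

```python
"""Triage a Windows shortcut (.lnk) for an embedded encoded PowerShell payload."""
import base64
import re
import struct
import uuid

# Fixed LinkCLSID every shell link carries (MS-SHLLINK 2.1), in on-disk byte order.
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
ARG_LENGTH_THRESHOLD = 1024  # assumed cut-off; a hand-made shortcut carries far less


def _read_string(data: bytes, off: int, unicode: bool):
    """StringData item: CountCharacters (uint16) followed by that many characters."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(data: bytes) -> dict:
    """Return header icon index plus the StringData fields, skipping IDList and LinkInfo."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"icon_index": struct.unpack_from("<i", data, 56)[0],
            "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for key, bit in STRING_FIELDS:
        if flags & bit:
            info[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
        else:
            info[key] = ""
    return info


def triage_lnk(data: bytes) -> dict:
    """CTRL-style checks: folder-icon disguise, oversized arguments, encoded command."""
    info = parse_lnk(data)
    findings = []
    if "shell32.dll" in info["icon_location"].lower() and info["icon_index"] == 3:
        findings.append("icon disguised as a folder (SHELL32.dll index 3)")
    if len(info["arguments"]) > ARG_LENGTH_THRESHOLD:
        findings.append(f"oversized arguments ({len(info['arguments'])} chars)")
    decoded = None
    m = ENCODED_RE.search(info["arguments"])
    if m:
        try:  # -EncodedCommand is base64 over UTF-16LE text
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
            findings.append("embedded -EncodedCommand payload")
        except (ValueError, UnicodeDecodeError):
            findings.append("undecodable base64 after -e switch")
    return {"findings": findings, "decoded_command": decoded, **info}


def build_sample_lnk(script: str, icon_index: int = 3) -> bytes:
    """Constructed sample (not a capture): a shortcut that runs `script` via -EncodedCommand."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    args = "-NoP -W Hidden -EncodedCommand " + b64
    flags = HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0,
                         icon_index, 1, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(args) + s(r"%SystemRoot%\System32\SHELL32.dll")


if __name__ == "__main__":
    sample = build_sample_lnk("Write-Host 'stage 1'; " * 60)
    result = triage_lnk(sample)
    print(result["findings"])
    print(result["decoded_command"][:40])
```

On a real sample, replace build_sample_lnk() with open(path, "rb").read(); the decoded command is what the next stage of the chain actually runs, so it is the right input for the stager and UAC-bypass analysis rather than the shortcut itself.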

Upon execution, the attack progresses through six stages.

The PowerShell loader wipes existing startup persistence, decompresses and writes a .NET stager assembly directly into a Windows registry value disguised as a legitimate Explorer setting (ShellStateVersion1), and loads it entirely in memory via reflection, so it never touches disk as a standalone file.

If the stager finds itself running at medium integrity, it triggers a UAC bypass via fodhelper.exe registry hijacking of the ms-settings handler, using a signed Microsoft LOLBin (wlrmdr.exe) to avoid EDR detection.

CTRL demonstrates deliberate operational security. None of the three hosted binaries contains a hardcoded C2 address; the FRP server address and auth token exist only in C:\ProgramData\frp\frpc.toml, which the in-memory stager writes at runtime.

All PE timestamps are falsified to dates between 2044 and 2103 to frustrate forensic timeline analysis.
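The forged-timestamp check is simple to automate without a PE library. The script below is an added example (not Censys’ tooling): it walks the MZ stub to e_lfanew, verifies the PE signature and reads IMAGE_FILE_HEADER.TimeDateStamp, then compares it with the date the sample was first observed. The headers it inspects are constructed inline by build_sample_pe(), not extracted from the CTRL binaries, and the observation date is an assumption.

```python
"""Compare a PE file's TimeDateStamp with the date the sample was first observed."""
import datetime
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def utc_date(year: int, month: int, day: int) -> datetime.datetime:
    return datetime.datetime(year, month, day, tzinfo=datetime.timezone.utc)


def epoch_seconds(year: int, month: int, day: int) -> int:
    """UTC date -> seconds since 1970, the unit IMAGE_FILE_HEADER.TimeDateStamp uses."""
    return int((utc_date(year, month, day) - EPOCH).total_seconds())


def pe_timestamp(data: bytes) -> datetime.datetime:
    """Read TimeDateStamp by walking the headers by hand."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # COFF header after the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    # timedelta arithmetic sidesteps platform limits of fromtimestamp() for far-future values
    return EPOCH + datetime.timedelta(seconds=stamp)


def timestamp_findings(data: bytes, observed: datetime.datetime) -> dict:
    """Flag stamps that cannot be a real build time: zeroed, or later than first observation."""
    ts = pe_timestamp(data)
    findings = []
    if ts == EPOCH:
        findings.append("zeroed TimeDateStamp")
    elif ts > observed:
        findings.append(f"TimeDateStamp {ts:%Y-%m-%d} is {(ts - observed).days} days after first observation")
    return {"timestamp": ts, "findings": findings}


def build_sample_pe(stamp: int) -> bytes:
    """Constructed stub: MZ header, e_lfanew -> PE signature + COFF header only; not loadable."""
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    # Signature, Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, 3, stamp, 0, 0, 0xE0, 0x0102)
    return dos + coff


if __name__ == "__main__":
    first_seen = utc_date(2026, 2, 1)  # assumed first-observation date
    for label, stamp in (("forged", epoch_seconds(2071, 5, 3)), ("plausible", epoch_seconds(2025, 9, 14))):
        print(label, timestamp_findings(build_sample_pe(stamp), first_seen))
```

One caveat before reading a far-future stamp as deliberate anti-forensics: deterministic .NET builds store a content hash in this field rather than a build time, and mark the binary with a Reproducible entry in the debug directory, so a managed sample should be checked for that entry as well. Where the stamp is forged, the last-modified time of the compiler-emitted resources and the signing time, if any, are better anchors for the timeline.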

The dual-mode ctrl.exe architecture routes all operator interaction through the FRP-tunneled RDP session via a Windows named pipe (ctrlPipe), leaving none of the network-detectable beacon traffic that characterizes commodity RATs.

The SSH server hosting the C2 infrastructure (194.33.61[.]36) was also found unpatched against CVE-2024-6387 (RegreSSHion), CVE-2025-26465, and CVE-2025-26466, indicating no post-provisioning maintenance.

Host-Based Detections:

  • Alert on binary data written to Explorer registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer using the value names ShellStateVersion1, IconSizeVersion1, or IconUnderlineVersion1.
  • Monitor for scheduled task creation with the names DriverSvcTask, NetTcpSvc, TermSvcHost, or WindowsHealthMonitor.
  • Flag creation of local accounts named Administrator, Admin, or Windows that are added to Remote Desktop Users, together with the corresponding SpecialAccounts\UserList registry entries that hide them from the login screen.
  • Watch for termsrv.dll modifications, RDP Wrapper installation under C:\Program Files\RDP Wrapper, and Defender exclusion additions via Add-MpPreference.
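The host-based list above, turned into runnable detection logic as an added example (not Censys’ detection content). It evaluates Sysmon-style events (EventID 13 registry value set, 1 process create, 11 file create) and goes slightly beyond the bullets by also covering the fodhelper ms-settings handler hijack and the runtime write of C:\ProgramData\frp\frpc.toml from the stage description. The events in SAMPLE_EVENTS are constructed to mirror those artifacts, not records from a real host; rule names are mine.

```python
"""Host-side detection for the CTRL persistence and RDP-hijack artifacts over Sysmon-style events."""
import re

EXPLORER_KEY = r"hklm\software\microsoft\windows\currentversion\explorer"
STAGER_VALUES = {"shellstateversion1", "iconsizeversion1", "iconunderlineversion1"}
USERLIST_KEY = r"\winlogon\specialaccounts\userlist"
HIDDEN_ACCOUNTS = {"administrator", "admin", "windows"}
MS_SETTINGS_CMD = r"\classes\ms-settings\shell\open\command"   # fodhelper.exe hijack key
TASK_NAMES = {"driversvctask", "nettcpsvc", "termsvchost", "windowshealthmonitor"}
WATCHED_PATHS = ("\\termsrv.dll", "\\program files\\rdp wrapper\\", "\\programdata\\frp\\frpc.toml")
TASK_RE = re.compile(r'/tn\s+"?([^\s"]+)')
NET_USER_RE = re.compile(r"net(?:1)?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add")


def detect(event: dict) -> list:
    """Return the names of every rule the event trips; [] for benign events."""
    hits = []
    eid = event["EventID"]
    if eid == 13:                                   # registry value set
        target = event["TargetObject"].lower()
        key, _, name = target.rpartition("\\")
        # Sysmon reports REG_BINARY values as the literal string "Binary Data"
        if key == EXPLORER_KEY and name in STAGER_VALUES and event.get("Details") == "Binary Data":
            hits.append("stager_in_explorer_registry")
        if key.endswith(USERLIST_KEY) and name in HIDDEN_ACCOUNTS:
            hits.append("hidden_rdp_account")       # DWORD 0 hides the account from the logon screen
        if key.endswith(MS_SETTINGS_CMD):
            hits.append("fodhelper_ms_settings_hijack")
    elif eid == 1:                                  # process create
        image = event["Image"].lower()
        cmd = event["CommandLine"].lower()
        task = TASK_RE.search(cmd)
        if image.endswith("\\schtasks.exe") and task and task.group(1) in TASK_NAMES:
            hits.append("ctrl_scheduled_task")
        if "add-mppreference" in cmd and "exclusion" in cmd:
            hits.append("defender_exclusion_added")
        user = NET_USER_RE.search(cmd)
        if user and user.group(1) in HIDDEN_ACCOUNTS:
            hits.append("ctrl_local_account_created")
        if "localgroup" in cmd and "remote desktop users" in cmd and "/add" in cmd:
            hits.append("added_to_remote_desktop_users")
    elif eid == 11:                                 # file create (Sysmon also fires this on overwrite)
        target = event["TargetFilename"].lower()
        if any(p in target for p in WATCHED_PATHS):
            hits.append("rdp_or_frp_artifact_written")
    return hits


def scan(events: list) -> list:
    """(event index, rule) pairs for a batch of events."""
    return [(i, rule) for i, e in enumerate(events) for rule in detect(e)]


# Constructed events modelled on the artifacts in the write-up; not a real log.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellStateVersion1",
     "Details": "Binary Data"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellState",
     "Details": "Binary Data"},                      # legitimate Explorer value, must not fire
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": "(Empty)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Windows",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "TermSvcHost" /sc onlogon /tr C:\ProgramData\frp\frpc.exe'},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user Windows P@ss /add"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net localgroup "Remote Desktop Users" Windows /add'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop -c Add-MpPreference -ExclusionPath C:\ProgramData\frp"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\report.docx"},   # benign
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(index, rule)
```

The value-name matches are exact on purpose: the real ShellState value lives in the same Explorer key, so a prefix match on "ShellState" would page on every session. Feed the same detect() function to whatever pulls Sysmon events off the wire (a SIEM pipeline or a Windows Event Log reader) and keep the sample list only as the regression test for the rules.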

Network-Based Detections:

  • Block or alert on outbound connections to 194.33.61[.]36 and 109.107.168[.]18 on port 7000.
  • Monitor for FRP protocol traffic (Censys FRPS fingerprint) originating from endpoints that should not be running reverse proxies.
  • Flag the self-signed TLS certificate fingerprint 5d009f6f46979fbc170ede90fca15f945d6dae5286221cca77fa26223a5fe931 at port 908 as a network-level indicator.

Censys Platform Actions:

  • Query host.ip: 194.33.61[.]36 or host.ip: 109.107.168[.]18 and add the SSH host key fingerprint (6106ea733ed6263f18d8bb63c5696f2ae6c1383cab887a02f18f1af38107f9d4) to watchlists to detect infrastructure rotation.
  • Monitor host.services.protocol: FRPS within the PARTNER-HOSTING-LTD ASN for additional relay nodes.

The CTRL toolkit underscores a growing trend toward privately circulated, purpose-built tooling that sidesteps signature-based detection entirely.


The post New “CTRL” RAT Linked to Russian Hackers Enables RDP Hijacking Attacks appeared first on Cyber Security News.
