Cybersecurity researchers have uncovered a remote access toolkit of Russian origin, dubbed CTRL, that is distributed via malicious Windows shortcut (LNK) files masquerading as private key folders. According to Censys security researcher Andrew Northern, CTRL is built with .NET and bundles executables for credential phishing, keylogging, RDP hijacking and reverse tunnelling through FRP (fast reverse proxy).
Censys, an attack surface management platform, said CTRL was recovered from an open directory at 146.19.213[.]155 in February 2026, with weaponised LNK files such as "Private Key #kfxm7p9q_yek.lnk" used as lures to entice users into clicking. The infection chain decrypts or decompresses successive payloads, launches a hidden PowerShell command to wipe existing Windows Startup persistence, decodes a Base64 blob and runs it in memory, and tests TCP connectivity to hui228[.]ru:7000 to fetch further payloads.
The toolkit also modifies firewall rules, creates scheduled tasks, establishes backdoor local users, and opens a cmd[.]exe shell on port 5267 via the FRP tunnel; one downloaded payload, ctrl[.]exe, loads embedded components and communicates through a Windows named pipe. The CTRL credential harvesting component uses a WPF UI to mimic a Windows PIN prompt and logs captured PINs to C:\Temp\keylog[.]txt, while the FRP and RDP wrappers provide reverse tunnelling and remote access.
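As an added defender-side example (not code from the Censys report), the Python below triages simplified Sysmon-style endpoint events against the behaviours described above: the "Private Key" LNK lure, the hidden PowerShell Startup wipe, in-memory Base64 decoding, contact with the reported host and ports, the keylog drop path, backdoor user creation and firewall or scheduled-task changes. The event dicts in SAMPLE (hostnames, paths, command lines, password) are constructed; the only real indicators are the defanged values quoted in the report, re-fanged here for matching.

```python
import re

# Indicators quoted in the report (defanged there; re-fanged here for matching).
C2_HOSTS = {"146.19.213.155", "hui228.ru"}
C2_PORTS = {7000, 5267}  # FRP payload-fetch port and the exposed cmd.exe shell port
def _ps(e):
    return e["type"] == "process" and "powershell" in e["image"].lower()

# (rule name, predicate); each predicate sees one simplified Sysmon-style event.
RULES = [
    ("lnk_private_key_lure", lambda e: e["type"] == "file"
        and re.search(r"private key.*\.lnk$", e["path"], re.I)),
    ("ps_hidden_startup_wipe", lambda e: _ps(e)
        and re.search(r"-w(indowstyle)?\s+hidden", e["cmdline"], re.I)
        and "startup" in e["cmdline"].lower()
        and re.search(r"remove-item|\bdel\b|\brm\b", e["cmdline"], re.I)),
    ("ps_base64_in_memory", lambda e: _ps(e)
        and re.search(r"frombase64string|-e(nc|ncodedcommand)?\s", e["cmdline"], re.I)),
    ("c2_contact", lambda e: e["type"] == "network"
        and (e["dst"] in C2_HOSTS or e["dport"] in C2_PORTS)),
    ("keylog_drop", lambda e: e["type"] == "file"
        and e["path"].lower() == r"c:\temp\keylog.txt"),
    ("backdoor_local_user", lambda e: e["type"] == "process"
        and re.search(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", e["cmdline"], re.I)),
    ("firewall_or_task_change", lambda e: e["type"] == "process"
        and re.search(r"advfirewall\s+firewall\s+add|schtasks(\.exe)?\s+/create", e["cmdline"], re.I)),
]

def triage(events):
    """Return (event index, rule name) pairs for every event that trips a rule."""
    return [(i, name) for i, e in enumerate(events) for name, pred in RULES if pred(e)]

# Constructed sample telemetry that mirrors the reported chain (not real logs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"type": "file", "path": r"C:\Users\u\Downloads\Private Key #kfxm7p9q_yek.lnk"},
    {"type": "process", "image": PS, "cmdline":
     r'powershell -w hidden Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\*"'},
    {"type": "process", "image": PS, "cmdline":
     r'powershell -w hidden -c "iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"'},
    {"type": "network", "dst": "hui228.ru", "dport": 7000},
    {"type": "file", "path": r"C:\Temp\keylog.txt"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user svcctrl Passw0rd /add"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Updater /tr C:\Temp\ctrl.exe /sc onlogon"},
    {"type": "process", "image": PS, "cmdline": "powershell -NoProfile -Command Get-Process"},
    {"type": "network", "dst": "example.com", "dport": 443},  # benign, should not match
]
```

Running `triage(SAMPLE)` flags the first seven events, one rule each, and leaves the two benign events untouched.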