Russian Malware CTRL Hijacks RDP via Phishing LNK Files

Cybersecurity researchers have identified a new remote access toolkit of Russian origin that is being distributed through malicious Windows shortcut (LNK) files. The malware, known as CTRL, arrives disguised as a folder of private keys and is designed to steal credentials, log keystrokes, hijack Remote Desktop Protocol (RDP) sessions, and create reverse tunnels for persistent access.

The discovery was detailed by the threat intelligence firm Censys. According to their analysis, the CTRL toolkit is custom-built software developed on the .NET framework. Its primary distribution method is LNK files, the shortcut format used throughout the Windows operating system.

Infection Vector and Deception Tactics

The attack begins when a user receives and opens a malicious LNK file. The shortcut is crafted to look like an ordinary folder, typically named to suggest it holds cryptographic private keys; a shortcut's display name and icon are both set by whoever creates it, and Explorer hides the .lnk extension by default, so the lure looks like a folder at a glance. This social engineering tactic aims to trick IT professionals, system administrators, or cryptocurrency users into executing it.

Once opened, the LNK file starts a multi-stage infection chain that deploys CTRL onto the victim's computer. The toolkit is a suite of malicious executables that work in concert to compromise the system.
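The following is an added example, not code from Censys or from the CTRL toolkit: a small parser for the fixed header and StringData sections of the MS-SHLLINK (.lnk) format, plus a triage rule for the folder-masquerade pattern described above. The heuristics are assumptions of this example rather than findings from the report: a shortcut that launches a script host or LOLBin while displaying Explorer's folder icon (shell32.dll icon index 3 or 4) and opening its window minimized (ShowCommand 7) is treated as a lure. The two sample shortcuts are constructed in-line by `build_lnk`, so the script runs offline; the `stage1.ps1` argument is a placeholder, not anything observed in the campaign.

```python
import struct

# MS-SHLLINK: a fixed 76-byte ShellLinkHeader, then optional LinkTargetIDList,
# LinkInfo and StringData sections, each present only if its LinkFlags bit is set.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order; each is a 2-byte char count + chars.
STRING_SECTIONS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed triage heuristics (this example's, not the Censys report's).
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "msiexec", "certutil")
FOLDER_ICON_INDICES = (3, 4)       # shell32.dll: closed / open folder icons
SW_SHOWMINNOACTIVE = 7             # ShowCommand that keeps the console out of sight


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData of a .lnk file into a dict."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad Shell Link CLSID")
    flags, attrs = struct.unpack_from("<II", data, 20)
    icon_index, show_cmd = struct.unpack_from("<iI", data, 56)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "attributes": attrs,
            "icon_index": icon_index, "show_command": show_cmd}
    for bit, key in STRING_SECTIONS:
        if not flags & bit:
            info[key] = ""
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            info[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[key] = data[off:off + count].decode("cp1252")
            off += count
    return info


def triage_lnk(data: bytes) -> list:
    """Return the reasons a shortcut looks like a folder-masquerade lure (empty if none)."""
    info = parse_lnk(data)
    reasons = []
    target = f"{info['relative_path']} {info['arguments']}".lower()
    hits = [i for i in INTERPRETERS if i in target]
    if hits:
        reasons.append(f"target invokes {hits[0]}")
    if info["icon_location"].lower().endswith("shell32.dll") and info["icon_index"] in FOLDER_ICON_INDICES:
        reasons.append(f"icon is the Explorer folder icon (shell32.dll index {info['icon_index']})")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window opens minimized")
    return reasons


def build_lnk(relative_path="", arguments="", icon_location="", icon_index=0, show_command=1) -> bytes:
    """Build a minimal Unicode .lnk with no IDList/LinkInfo (constructed test data only)."""
    parts = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    flags, body = IS_UNICODE, b""
    for bit, key in STRING_SECTIONS:
        value = parts.get(key, "")
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20)  # FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                                    # three FILETIMEs
    header += struct.pack("<IiIHHII", 0, icon_index, show_command, 0, 0, 0, 0)
    return header + body


# Constructed lure: folder icon, minimized window, PowerShell target (placeholder args).
LURE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments="-w hidden -nop -File stage1.ps1",
    icon_location=r"%SystemRoot%\System32\shell32.dll",
    icon_index=3,
    show_command=SW_SHOWMINNOACTIVE,
)
# Constructed benign shortcut to a document.
BENIGN_LNK = build_lnk(relative_path=r"..\Documents\report.docx")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob) or "clean")
```

Run it over real files with `triage_lnk(open(path, "rb").read())`; the parser deliberately stops after StringData, so it never follows the target path or resolves environment variables, which keeps triage of untrusted shortcuts side-effect free.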

Capabilities of the CTRL Toolkit

The toolkit's functionality is comprehensive and poses a significant threat to organizational security. Its key capabilities include credential phishing: a component attempts to harvest usernames and passwords stored on the infected machine and in its browsers.

A separate module acts as a keylogger, silently recording every keystroke made by the user. This allows the attackers to capture sensitive information such as login credentials, personal messages, and financial data.

One of the most critical features is its ability to hijack Remote Desktop Protocol connections. RDP is the standard protocol (TCP port 3389 by default) for remotely accessing and managing Windows computers and servers. By hijacking RDP, attackers gain direct, interactive graphical control over the compromised system, as if they were sitting at its console.

Establishing Persistent Access via Tunnels

To maintain long-term access even if the initial entry point is closed, CTRL establishes reverse tunnels with FRP (fast reverse proxy), an open-source tunnelling tool. The infected computer initiates an outbound connection to a server the attackers control, which sidesteps firewalls that only filter inbound traffic; the attackers' server can then relay traffic back through that connection to services on the victim's machine, such as its RDP port.

The tunnel then serves as a covert channel for exfiltrating stolen data and for sending commands back into the victim's network. Because the session is outbound and long-lived, it is difficult to detect and block with perimeter controls that focus on inbound connections.

Attribution and Technical Analysis

Censys attributes the toolkit to Russian-speaking threat actors based on technical indicators and code artifacts. Building on .NET lets the malware run on the broad range of Windows systems that ship the runtime, and the mature ecosystem of .NET obfuscators makes it easier to evade signature-based antivirus detection.

The choice of a private-key folder as the lure suggests the attackers are targeting individuals or organizations involved in system administration, network security, or digital asset management. The campaign demonstrates careful planning and an understanding of what the intended victims would be inclined to open.

Security Implications and Recommendations

This campaign highlights how phishing tactics keep evolving beyond simple email attachments. An LNK lure still requires user interaction, but its deceptive appearance makes it highly effective. Security teams are advised to treat unsolicited LNK files with extreme caution, regardless of their apparent source or content.

Organizations should enforce policies that restrict the execution of files from untrusted sources. Monitoring the network for unusual outbound connections, especially long-lived sessions to unknown servers on non-standard ports, can reveal the reverse tunnelling activity associated with this and similar malware.
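The detection logic the recommendation above calls for, applied to the reverse-tunnel behaviour described in the "Establishing Persistent Access via Tunnels" section, as an added example that is not part of the Censys analysis. It reads a constructed, Zeek conn.log-style sample (a subset of the real columns, tab-separated) and groups long-lived outbound sessions from internal hosts to external servers on ports outside an expected allowlist, which is how an FRP client's persistent control connection shows up on the wire. The port allowlist, the 600-second threshold and the internal ranges are assumptions to tune per environment; FRP's server listens on 7000 by default, but operators change that freely, so the rule keys on behaviour and only annotates the default port.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Zeek conn.log field order (subset of the real columns):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service  duration  orig_bytes  resp_bytes  conn_state
SAMPLE_CONN_LOG = """\
1718000000.1\tCk1\t10.0.5.23\t51234\t93.184.216.34\t443\ttcp\tssl\t2.1\t1800\t9200\tSF
1718000010.4\tCk2\t10.0.5.23\t51240\t10.0.0.5\t3389\ttcp\t-\t3600.0\t500000\t2000000\tS1
1718000020.7\tCk3\t10.0.5.23\t51250\t203.0.113.77\t7000\ttcp\t-\t5400.5\t120000\t480000\tS1
1718000030.2\tCk4\t10.0.5.23\t51260\t203.0.113.77\t7000\ttcp\t-\t1200.0\t80000\t300000\tS1
1718000040.9\tCk5\t10.0.5.9\t40001\t198.51.100.8\t53\tudp\tdns\t0.05\t60\t120\tSF
1718000050.3\tCk6\t10.0.5.9\t40002\t198.51.100.20\t8443\ttcp\t-\t30.0\t4000\t9000\tSF
"""
FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state")

# Assumed policy (not from the report): ports a workstation normally talks to
# outbound, how long an outbound session must persist to be suspect, and
# what counts as "internal". RFC 1918 plus loopback/link-local is used here
# rather than ipaddress.is_private, which also swallows documentation ranges.
EXPECTED_PORTS = {53, 80, 123, 443, 587, 993, 995}
LONG_LIVED_SECONDS = 600.0
FRP_DEFAULT_PORT = 7000
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list:
    """Parse tab-separated conn.log lines into dicts; '-' means the field is unset."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["resp_p"] = int(rec["resp_p"])
        rec["duration"] = float(rec["duration"]) if rec["duration"] != "-" else 0.0
        for key in ("orig_bytes", "resp_bytes"):
            rec[key] = int(rec[key]) if rec[key] != "-" else 0
        rows.append(rec)
    return rows


def find_reverse_tunnels(text: str) -> list:
    """Group long-lived outbound sessions to external hosts on unexpected ports."""
    groups = defaultdict(lambda: {"connections": 0, "total_duration": 0.0, "resp_bytes": 0})
    for rec in parse_conn_log(text):
        if not is_external(rec["resp_h"]) or rec["resp_p"] in EXPECTED_PORTS:
            continue
        # Drop short sessions and ones where the server never sent anything back:
        # a tunnel the operator is using carries commands in the response direction.
        if rec["duration"] < LONG_LIVED_SECONDS or rec["resp_bytes"] == 0:
            continue
        g = groups[(rec["orig_h"], rec["resp_h"], rec["resp_p"])]
        g["connections"] += 1
        g["total_duration"] += rec["duration"]
        g["resp_bytes"] += rec["resp_bytes"]
    findings = [
        {"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
         "frp_default_port": resp_p == FRP_DEFAULT_PORT, **g}
        for (orig_h, resp_h, resp_p), g in groups.items()
    ]
    return sorted(findings, key=lambda f: -f["total_duration"])


if __name__ == "__main__":
    for f in find_reverse_tunnels(SAMPLE_CONN_LOG):
        print(f"{f['orig_h']} -> {f['resp_h']}:{f['resp_p']} "
              f"{f['connections']} sessions, {f['total_duration']:.0f}s total, "
              f"{f['resp_bytes']} bytes inbound"
              + (" (frp default port)" if f["frp_default_port"] else ""))
```

In the sample, the internal RDP session (Ck2) and the short 8443 session (Ck6) are ignored, while the two repeated sessions from 10.0.5.23 to 203.0.113.77:7000 are merged into one finding; the reconnect after the first session is itself a useful signal, since a tunnel client re-establishes its control channel as soon as it drops.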

Regular security awareness training for employees remains a crucial defense layer. Users should be educated to verify the authenticity of any file before opening it, even if it appears to come from a known contact or relates to their work.

Based on the current analysis, researchers expect the actors behind CTRL to keep refining their delivery methods and malware features. Further investigation is expected to uncover additional command-and-control servers and may link this campaign to known threat groups. Organizations are advised to review their endpoint detection rules and update threat intelligence feeds with the indicators of compromise associated with this activity.

Source: Censys
