Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels

By the Pixelift editorial team

Photo: The Hacker News

Russian cybercriminals are using malicious LNK files to distribute the CTRL Toolkit, which enables the hijacking of Remote Desktop Protocol (RDP) sessions over FRP tunnels. These attacks rely on lateral movement within networks, making them exceptionally dangerous to corporate infrastructure. Instead of relying on traditional security vulnerabilities, the attackers abuse legitimate traffic-tunneling tools to bypass standard firewalls and intrusion detection systems. For users and IT administrators worldwide, this calls for an immediate review of VPN-based security policies, since traditional remote-access methods are proving insufficient against such precisely targeted campaigns. The answer lies in implementing a Zero Trust Network Access (ZTNA) architecture, which connects users directly to specific applications rather than to the entire network. Moving from broad network access to granular access control drastically limits the attackers' room for maneuver and prevents them from moving freely through systems after an initial infection. Effective defense today requires a model in which every connection is treated as potentially hostile, regardless of the user's location.

Cybersecurity in an era of growing geopolitical conflict is becoming an arena for increasingly sophisticated espionage and sabotage. Researchers from the Censys team have identified a new campaign built around a tool named CTRL toolkit. This Remote Access Trojan (RAT) toolkit, with its roots in Russia, sheds new light on the methods of groups linked to the Russian cybercrime scene, combining classic social engineering with advanced network traffic tunneling.

A key element of the attack is the use of seemingly harmless Windows shortcut files, known as LNK files. In this campaign they are disguised as folders containing private keys, a lure intended to lower the guard of system administrators and IT specialists who routinely handle this kind of sensitive data. Clicking such a shortcut does not open the expected directory; instead it triggers an infection chain aimed at gaining full control of the victim's workstation.

Threat Architecture Based on .NET

The CTRL toolkit is not generic malware purchased on the black market. Analysis conducted by experts indicates that it is a custom-built solution, created from scratch using the .NET framework. The choice of this technology allows attackers great flexibility in modifying code and facilitates integration with Windows operating systems, which are the primary target of the attack. The toolkit consists of a series of specialized executables, each performing a specific role in the attack lifecycle.

The package includes modules responsible for credential phishing and advanced keylogging features. The latter allow for the recording of every keystroke, opening the way to stealing passwords, logins, and the content of confidential correspondence before it is encrypted. However, what sets CTRL toolkit apart from the competition is the way it handles bypassing network security and maintaining a stable connection with the Command and Control (C2) infrastructure.

[Figure: CTRL toolkit attack diagram] Technical analysis of the tools used in the CTRL toolkit campaign shows a high degree of specialization in the .NET modules.

RDP Hijacking and FRP Tunnels

The most dangerous aspect of the new campaign is the capability for RDP hijacking, which involves taking over Remote Desktop Protocol sessions. Attackers use this technique to gain access to the victim's remote desktop, which in corporate environments often means access to servers and critical databases. To ensure constant connectivity even in the case of restrictive firewall rules, CTRL toolkit utilizes reverse tunneling based on the FRP (Fast Reverse Proxy) tool.

The use of FRP tunnels allows for the redirection of local traffic from the infected machine to an external server controlled by hackers, effectively bypassing Intrusion Detection Systems (IDS). Thanks to this mechanism, attackers can connect to RDP services inside the victim's network as if they were on the same local network. The list of key toolkit functionalities includes:

  • State machines for managing multiple RDP sessions simultaneously.
  • Automated scripts for deploying FRP tunnels without user interaction.
  • Modules for stealing browser cookies and active application sessions.
  • Persistence mechanisms, ensuring the malicious code restarts after a system reboot.

Evolution of Remote Access Towards ZTNA

The emergence of advanced tools like CTRL toolkit forces organizations to revise their existing security strategies. Traditional solutions based on VPN (Virtual Private Network) are no longer sufficient because once access to the internal network is obtained, attackers can engage in lateral movement freely. The answer to these threats is the Zero Trust Network Access (ZTNA) model, which assumes a total lack of trust in any user or device, regardless of its location in the network.

Implementing comprehensive ZTNA allows for the elimination of the lateral movement problem by directly connecting users to specific applications rather than the entire network infrastructure. In the context of attacks using RDP hijacking, the Zero Trust approach prevents an attacker from using a hijacked session to penetrate other company resources, as every access request must be separately verified and authorized based on context (identity, device health, location).

[Figure: Network security and ZTNA] The transition from classic VPNs to a Zero Trust architecture is becoming a necessity in the face of reverse-tunneling threats.

The use of malicious LNK files by Russian actors proves that the weakest link remains the human and their habits. Masking the threat as folders with private keys is a precisely targeted attack on individuals with high technical privileges. Organizations must not only invest in modern ZTNA class tools but also in advanced network traffic analytics capable of detecting anomalies typical of FRP tunneling and unauthorized attempts to establish reverse connections.
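One concrete form the traffic analytics mentioned above can take, written here as an added example and not code from the article, from Censys or from the toolkit itself. It assumes Sysmon-style network-connection records (constructed below), an organization-specific list of internal address ranges, and the heuristic that a single process which both keeps an outbound connection to an external host and connects to the host's own RDP listener on 127.0.0.1:3389 is behaving like a reverse-proxy client relaying RDP.

```python
"""Hunt for processes that look like a reverse tunnel exposing local RDP.
Heuristic (an assumption, not from the article): an FRP-style client keeps one
outbound connection to its server and, while relaying a session, also connects
to 127.0.0.1:3389; a single process doing both is rare for legitimate software."""
import ipaddress
from collections import defaultdict

RDP_PORT = 3389
# Address ranges treated as "inside" the organization (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Sysmon-like network-connection events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4120, "image": r"C:\Users\admin\AppData\Local\Temp\svc.exe",
     "dst_ip": "203.0.113.10", "dst_port": 7000},   # outbound to tunnel server
    {"host": "WS01", "pid": 4120, "image": r"C:\Users\admin\AppData\Local\Temp\svc.exe",
     "dst_ip": "127.0.0.1", "dst_port": 3389},      # relaying RDP to loopback
    {"host": "WS01", "pid": 2210, "image": r"C:\Windows\System32\mstsc.exe",
     "dst_ip": "10.0.0.5", "dst_port": 3389},       # normal internal RDP use
    {"host": "WS02", "pid": 3330, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "198.51.100.20", "dst_port": 443},   # ordinary web traffic
]

def is_external(ip_text):
    """True when the destination lies outside every internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)

def find_reverse_rdp_tunnels(events):
    """Return one finding per process that both reaches an external host
    and connects to the local RDP listener."""
    per_proc = defaultdict(lambda: {"external": set(), "loopback_rdp": False})
    for ev in events:
        key = (ev["host"], ev["pid"], ev["image"])
        ip = ipaddress.ip_address(ev["dst_ip"])
        if ip.is_loopback and ev["dst_port"] == RDP_PORT:
            per_proc[key]["loopback_rdp"] = True
        elif is_external(ev["dst_ip"]):
            per_proc[key]["external"].add(f"{ev['dst_ip']}:{ev['dst_port']}")
    return [
        {"host": h, "pid": p, "image": img, "external": sorted(v["external"])}
        for (h, p, img), v in per_proc.items()
        if v["loopback_rdp"] and v["external"]
    ]

if __name__ == "__main__":
    for hit in find_reverse_rdp_tunnels(SAMPLE_EVENTS):
        print(f"{hit['host']} pid={hit['pid']} {hit['image']} -> {hit['external']}")
```

Only the temp-directory process on WS01 is reported; the internal mstsc.exe session and the browser's external HTTPS traffic are left alone because neither combines an external peer with a loopback RDP connection.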

Defense strategy must evolve toward micro-segmentation and continuous identity verification. CTRL toolkit is merely an example of a broader trend where hacking tools are becoming increasingly modular and harder to detect by traditional antivirus systems. Only a radical change in access architecture, involving cutting off the possibility of free movement within the network, will allow for the effective neutralization of the effects of infections by such toolkits in the future.
