Russian Hackers Deploy “CTRL” for RDP Hijacking

Russian hackers are employing a new remote access toolkit named “CTRL” to stealthily hijack Remote Desktop Protocol (RDP) sessions through FRP-based reverse tunnels, enabling covert, hands-on access to compromised Windows systems.

The toolkit combines credential theft, keylogging, and RDP abuse into a unified post-exploitation framework currently evading detection by public malware scanners and threat intelligence feeds.

The infrastructure is hosted on Partner Hosting LTD’s network (ASN AS215826), a UK-registered provider established in February 2025, with servers located in Frankfurt, Germany.

At the time of analysis, the FRP relay was active on two IPs: 194.33.61.36 and 109.107.168.18, both running an FRP server (port 7000, fingerprinted by Censys as FRPS).

Censys ARC researchers discovered CTRL during scans for exposed directories and LNK files, tracing a malicious shortcut to an open payload-hosting folder on hui228.ru.

The server at 194.33.61.36 also exposes SSH and HTTP services. Its OpenSSH 9.6p1 remains vulnerable to CVE-2024-6387, CVE-2025-26465, and CVE-2025-26466, indicating poor patch management by the operators.

The investigation stemmed from Censys scanning for LNK files, where an LNK file hosted on a separate server referenced hui228.ru for payload downloads.

The open directory hosting the LNK loader (Source : Censys).
The open directory hosting the LNK loader (Source : Censys).

No binaries or infrastructure associated with CTRL appear in VirusTotal or public threat intelligence sources, suggesting a privately developed toolset used in limited operations.

Delivery and Execution Chain

CTRL is a custom .NET toolkit distributed via a weaponized Windows shortcut file disguised as a private key folder.

The LNK’s metadata timestamps are zeroed, and it carries the description “Polycue,” potentially a project codename.

LNK properties showing “Polycue” (Source : Censys).
LNK properties showing “Polycue” (Source : Censys).

The LNK file (“Private Key #kfxm7p9q_yek.lnk”) uses a folder icon and zeroed timestamps to evade casual inspection and timeline analysis. It embeds a multi-layered PowerShell loader as a large base64 blob.

Upon execution, PowerShell launches in a hidden window, decodes and decompresses an in-memory .NET stager stored under plausible Explorer registry keys (avoiding a standalone PE file on disk).

The stager escalates privileges via a fodhelper-based UAC bypass, checks connectivity to hui228.ru:7000, and downloads three .NET components for encrypted payload loading, FRP tunneling, and RDP enablement.

All payloads persist as registry binaries, reloaded via encoded PowerShell scheduled tasks for resilience across reboots.

Once established, CTRL transforms an infected host into a persistent RDP platform controlled solely over FRP tunnels, bypassing traditional C2 beacons.

The main `ctrl.exe` component decrypts and runs a “ctrl Management Platform” agent exposing a named pipe (`ctrlPipe`), offering commands to read keylogs, launch a sophisticated Windows Hello-style phishing window, shadow or takeover active RDP sessions, and trigger data exfiltration.

A companion FRP wrapper decrypts a Go-based FRP v0.65.0 DLL into memory, establishing reverse tunnels for RDP (port 3389) and a raw TCP shell on port 5267 back to hui228.ru. (Note: “Are you using an auth token of “ADAD.” is likely a placeholder or error in the original.)

Meanwhile, an RDP wrapper patches `termsrv.dll`, installs RDP Wrapper, adds Defender exclusions, and configures Windows for unlimited concurrent RDP sessions, enabling silent session shadowing or hijacking without consent prompts.

OPSEC and Detection Guidance

The toolkit exhibits strong operator OPSEC: no hardcoded C2 addresses exist in the binaries. The only reference to `hui228.ru` and its authentication token is written at runtime into `frpc.toml` on the victim.

.NET’s `Assembly.Load()` cannot load native DLLs, and the wrapper includes a complete user-mode memory-based manual PE mapper (`DLLFromMemory` class).

All operator interactions occur within RDP sessions carried by FRP tunnels. Keylog or credential data accessed locally via `ctrlPipe` minimizes distinctive network signatures.

Network-side defense recommendations include blocking or alerting on outbound connections to 194.33.61.36 and 109.107.168.18 over port 7000, monitoring for FRPS protocol fingerprints, and tracking the unique SSH host key fingerprint associated with 194.33.61.36 to detect potential infrastructure rotation within the same hosting provider.

High-value host indicators for defenders include binary data under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\` (ShellStateVersion1, IconSizeVersion1, IconUnderlineVersion1), scheduled tasks named `DriverSvcTask`, `NetTcpSvc`, `TermSvcHost`, and `WindowsHealthMonitor`, hidden local accounts with the password “ADAD”, the `ctrlPipe` named pipe, and the file `C:\Temp\keylog.txt`.

Related Articles

Back to top button