
Russian Hackers Using Remote Access Toolkit “CTRL” for RDP Hijacking

Cyber Security News, Apr 01, 2026


A newly disclosed Russian-linked remote access toolkit called “CTRL” is being used to hijack Remote Desktop Protocol sessions and steal credentials from Windows systems. According to Censys ARC, the malware is a custom .NET framework that combines phishing, keylogging, reverse tunneling, and persistence into one attack chain.

Censys ARC said the toolkit was discovered during open directory scanning, after researchers found a malicious LNK file and three hosted .NET payloads tied to the domain hui228[.]ru. According to Censys, the framework had not appeared on public malware repositories or major threat intelligence feeds at the time of analysis, suggesting it may be privately used rather than broadly distributed.

Remote Access Toolkit “CTRL”

The researchers linked the operation to a Russian-speaking developer based on Russian-language strings, development artifacts, and supporting infrastructure details. Censys ARC also observed that the toolkit was built for modern Windows systems, including recent releases, which indicates that the malware is under active development.

[Figure: The open directory hosting the LNK loader (source: Censys)]

The attack starts with a weaponized shortcut file disguised as a folder named like a private key archive. According to Censys, the LNK file launches hidden PowerShell code that decodes and runs a multi-stage loader entirely in memory. Censys ARC found that the malware stores payloads inside Windows registry keys under Explorer-related paths, so they blend in with normal system data. The stager then creates scheduled tasks, adds firewall rules, downloads additional components, and prepares the system for long-term access.

The report also says the malware can bypass User Account Control using a registry hijack and a signed Microsoft binary. Once elevated, it installs the rest of the toolkit and maintains access across reboots.

RDP Hijacking and Credential Theft

One of the most dangerous parts of CTRL is its ability to enable hidden RDP access. According to the Censys ARC report, the malware patches termsrv.dll and installs RDP Wrapper so attackers can create concurrent remote desktop sessions without alerting the victim.

The toolkit also includes a fake Windows Hello PIN prompt. Censys researchers said the phishing window closely copies the real Windows interface, displays the victim’s actual account details, and validates stolen PINs against the real authentication process.

[Figure: LNK properties showing “Polycue” (source: Censys)]

In addition, the malware runs a background keylogger and supports command execution via a named pipe called ctrlPipe. According to Censys, this allows the operator to control the infected machine locally through the compromised RDP session rather than through a noisy, traditional command-and-control channel.

To reduce network visibility, CTRL uses Fast Reverse Proxy (FRP) to establish reverse tunnels back to operator-controlled infrastructure. Censys ARC reported that the malware used infrastructure tied to 194.33.61.36, 109.107.168.18, and the domain hui228[.]ru. This design helps the attacker avoid the classic beaconing patterns often seen in commodity remote access trojans. According to Censys, the operator can move through tunneled RDP and shell access while leaving fewer obvious network traces.

Indicators of Compromise

- The IP 194.33.61.36 is used for payload hosting and as an FRP relay server.
- The IP 109.107.168.18 acts as a secondary FRP relay on port 7000.
- The domain hui228[.]ru is used for command-and-control via dynamic DNS.
- A malicious registry entry is created at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\, storing the payload as ShellStateVersion1.
- The file C:\Temp\keylog.txt is used to store captured keystrokes.
- The file C:\ProgramData\frp\frpc.toml contains hidden FRP configuration and C2 tokens.
- A named pipe called ctrlPipe is used for local command-and-control communication.

[Figure: Suspected password-protected console on hui228[.]ru (source: Censys)]

Censys ARC recommends monitoring for unusual binary data written to Explorer registry keys, unexpected scheduled tasks, RDP Wrapper installation, and hidden administrator-level accounts. Defenders should also watch for outbound FRP traffic and systems making suspicious connections to the listed infrastructure.
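The indicators and monitoring recommendations above can be turned into host-level hunting rules. The script below is an added example written for this page; it is not code from the article or from Censys ARC. It runs the article's indicators (the two IPs, the hui228[.]ru domain, the Explorer registry value ShellStateVersion1, the keylog and frpc.toml paths, the ctrlPipe named pipe) over endpoint events, plus a generic rule for the "unusual binary data written to Explorer registry keys" that Censys recommends watching for: any large, high-entropy value under the Explorer key, so a renamed payload is still caught. The event schema is a simplified Sysmon-like dict layout, the sample events are constructed, and the RDP Wrapper file names, the termsrv.dll write rule and the size/entropy thresholds are assumptions rather than details from the report.

```python
"""Hunt for the CTRL indicators from the Censys ARC report in endpoint telemetry.

Added example, not code from the article or from Censys ARC. Events are dicts shaped
loosely like Sysmon events (3 NetworkConnect, 11 FileCreate, 13 RegistryEvent SetValue,
17 PipeEvent, 22 DnsQuery); that schema, the raw-bytes "Details" field and SAMPLE_EVENTS
are constructed for illustration. The indicator values are the ones the article lists.
"""
import math
from collections import namedtuple

C2_IPS = {"194.33.61.36", "109.107.168.18"}
C2_DOMAIN = "hui228.ru"                      # defanged as hui228[.]ru in the report
EXPLORER_KEY = "\\software\\microsoft\\windows\\currentversion\\explorer\\"
PAYLOAD_VALUE = "shellstateversion1"         # paths and names are compared case-insensitively
SUSPICIOUS_FILES = {r"c:\temp\keylog.txt", r"c:\programdata\frp\frpc.toml"}
PIPE_NAME = "ctrlpipe"
# Assumptions, not from the article: RDP Wrapper is installed as rdpwrap.dll/.ini and
# patching termsrv.dll surfaces as a write to it; legitimate Explorer binary values are
# small, so a large high-entropy value is the "unusual binary data" Censys warns about.
RDP_FILES = {"termsrv.dll", "rdpwrap.dll", "rdpwrap.ini"}
BLOB_MIN_BYTES, BLOB_MIN_ENTROPY = 4096, 7.0

Finding = namedtuple("Finding", "rule event_id detail")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for packed or encrypted data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def check_registry(ev):
    target = ev.get("TargetObject", "").lower()
    if EXPLORER_KEY not in target:
        return None
    value_name = target.rsplit("\\", 1)[-1]
    blob = ev.get("Details", b"")
    if value_name == PAYLOAD_VALUE:
        return Finding("explorer_payload_value", 13, target)
    if len(blob) >= BLOB_MIN_BYTES and shannon_entropy(blob) >= BLOB_MIN_ENTROPY:
        return Finding("explorer_large_binary_blob", 13, f"{target} ({len(blob)} bytes)")
    return None


def check_network(ev):
    ip, port = ev.get("DestinationIp", ""), ev.get("DestinationPort", 0)
    return Finding("c2_infrastructure_connection", 3, f"{ip}:{port}") if ip in C2_IPS else None


def check_file(ev):
    path = ev.get("TargetFilename", "").lower()
    if path in SUSPICIOUS_FILES:
        return Finding("ctrl_artifact_file", 11, path)
    if path.rsplit("\\", 1)[-1] in RDP_FILES:
        return Finding("rdp_tampering_file", 11, path)
    return None


def check_pipe(ev):
    name = ev.get("PipeName", "")
    return Finding("ctrl_named_pipe", 17, name) if name.lower().lstrip("\\") == PIPE_NAME else None


def check_dns(ev):
    name = ev.get("QueryName", "").lower()
    return Finding("c2_domain_lookup", 22, name) if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN) else None


CHECKS = {3: check_network, 11: check_file, 13: check_registry, 17: check_pipe, 22: check_dns}


def hunt(events):
    """Apply the rule for each event type; return findings in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


HIGH_ENTROPY_BLOB = bytes(range(256)) * 16        # constructed 4 KiB stand-in for a stored payload
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellStateVersion1",
     "Details": HIGH_ENTROPY_BLOB},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState",
     "Details": b"\x24" + b"\x00" * 35},           # small value of the kind Explorer writes itself
    {"EventID": 17, "PipeName": r"\ctrlPipe"},
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\frp\frpc.toml"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\termsrv.dll"},
    {"EventID": 3, "DestinationIp": "109.107.168.18", "DestinationPort": 7000},
    {"EventID": 22, "QueryName": "hui228.ru"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The entropy rule is what makes this more than a string match: the legitimate ShellState value in the sample set is left alone because it is tiny, while a 4 KiB blob under the Explorer key fires regardless of the value name it was given. Port 7000 is deliberately not a rule on its own, since FRP relays can sit on any port; the IP and domain indicators carry the network side, and outbound FRP traffic is better caught by proxy or flow analytics than by a host rule.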