Russian Hackers Using Remote Access Toolkit “CTRL” for RDP Hijacking

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A newly disclosed Russian-linked remote access toolkit called “CTRL” is being used to hijack Remote Desktop Protocol sessions and steal credentials from Windows systems.

According to Censys ARC, the malware is a custom .NET framework that combines phishing, keylogging, reverse tunneling, and persistence into one attack chain.

Censys ARC said the toolkit was discovered during open directory scanning after researchers found a malicious LNK file and three hosted .NET payloads tied to the domain hui228[.]ru.

According to Censys, the framework had not appeared on public malware repositories or major threat intelligence feeds at the time of analysis, suggesting it may be privately used rather than broadly distributed.

The researchers linked the operation to a Russian-speaking developer based on Russian-language strings, development artifacts, and supporting infrastructure details.

Censys ARC also observed that the toolkit was built for modern Windows systems, including recent releases, showing that the malware is under active development.

The open directory hosting the LNK loader (Source: Censys)

The attack starts with a weaponized shortcut file disguised as a folder named like a private key archive.

According to Censys, the LNK file launches hidden PowerShell code that decodes and runs a multi-stage loader entirely in memory.

Censys ARC found that the malware stores its payloads inside Windows registry keys under Explorer-related paths, where they blend in with normal system data.

The stager then creates scheduled tasks, adds firewall rules, downloads additional components, and prepares the system for long-term access.

The report also says the malware can bypass User Account Control using a registry hijack and a signed Microsoft binary. Once elevated, it installs the rest of the toolkit and maintains access across reboots.

RDP Hijacking and Credential Theft

One of the most dangerous parts of CTRL is its ability to enable hidden RDP access. According to the Censys ARC report, the malware patches termsrv.dll and installs RDP Wrapper so attackers can create concurrent remote desktop sessions without alerting the victim.

The toolkit also includes a fake Windows Hello PIN prompt. Censys researchers said the phishing window closely copies the real Windows interface, displays the victim’s actual account details, and validates stolen PINs against the real authentication process.

LNK properties showing “Polycue” (Source: Censys)

In addition, the malware runs a background keylogger and supports command execution via a named pipe named ctrlPipe.

According to Censys, this allows the operator to control the infected machine locally via the compromised RDP session rather than using a noisy traditional command-and-control channel.

To reduce network visibility, CTRL uses Fast Reverse Proxy (FRP) to establish reverse tunnels back to operator-controlled infrastructure.

Censys ARC reported that the malware used infrastructure tied to 194.33.61.36, 109.107.168.18, and the domain hui228[.]ru.

This design helps the attacker avoid classic beaconing patterns often seen in commodity remote access trojans.

According to Censys, the operator can move through tunneled RDP and shell access while leaving fewer obvious network traces.

Indicators of Compromise

The IP 194.33.61.36 is used for payload hosting and as an FRP relay server. The IP 109.107.168.18 acts as a secondary FRP relay on port 7000.

The domain hui228[.]ru is used for command-and-control via dynamic DNS.

Suspected password-protected console on hui228[.]ru (Source: Censys)

A malicious registry entry is created at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, storing the payload as the value ShellStateVersion1.

The file C:\Temp\keylog.txt is used to store captured keystrokes. The file C:\ProgramData\frp\frpc.toml contains the hidden FRP configuration and C2 tokens.

A named pipe called ctrlPipe is used for local command-and-control communication. Censys ARC recommends monitoring for unusual binary data written to Explorer registry keys, unexpected scheduled tasks, RDP Wrapper installation, and hidden administrator-level accounts.

Defenders should also watch for outbound FRP traffic and systems making suspicious connections to the listed infrastructure.
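The host and network indicators above (the Explorer registry value, the keylog and frpc.toml files, the ctrlPipe named pipe, the FRP relay addresses and port 7000, and the hui228[.]ru domain) map directly onto endpoint telemetry. The following added example, written for this article and not part of the Censys ARC report or any real tool, triages a constructed stream of Sysmon-style JSON events against those indicators plus the generic "large REG_BINARY under the Explorer key" heuristic the report recommends. The event schema, field names, the 4096-byte threshold and the RDP Wrapper install path are assumptions of the example; the indicator values themselves come from the article.

```python
"""Triage of constructed endpoint events against the CTRL indicators
reported by Censys ARC. The event format is a simplified, assumed
Sysmon-like JSON-lines schema; it is not real telemetry."""
import json

# Indicators quoted from the article.
RELAY_IPS = {"194.33.61.36", "109.107.168.18"}
C2_DOMAIN = "hui228.ru"
FRP_RELAY_PORT = 7000
EXPLORER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
PAYLOAD_VALUE = "ShellStateVersion1"
KNOWN_FILES = {
    r"c:\temp\keylog.txt": "keylogger output",
    r"c:\programdata\frp\frpc.toml": "FRP client configuration with C2 token",
}
PIPE_NAME = "ctrlpipe"

# Assumptions of this example (not stated in the article).
RDPWRAP_HINT = r"rdp wrapper\rdpwrap.dll"   # assumed default RDP Wrapper install path
BINARY_BLOB_MIN = 4096                      # assumed "unusual size" for REG_BINARY under Explorer

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = r'''
{"event": "RegistryValueSet", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer", "value": "ShellStateVersion1", "type": "REG_BINARY", "size": 48211}
{"event": "RegistryValueSet", "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer", "value": "StreamCache", "type": "REG_BINARY", "size": 200000}
{"event": "RegistryValueSet", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer", "value": "ShellState", "type": "REG_BINARY", "size": 60}
{"event": "FileCreate", "path": "C:\\ProgramData\\frp\\frpc.toml"}
{"event": "FileCreate", "path": "C:\\Temp\\keylog.txt"}
{"event": "FileCreate", "path": "C:\\Program Files\\RDP Wrapper\\rdpwrap.dll"}
{"event": "PipeCreated", "pipe": "\\ctrlPipe"}
{"event": "NetworkConnect", "dst_ip": "109.107.168.18", "dst_port": 7000}
{"event": "NetworkConnect", "dst_ip": "203.0.113.9", "dst_port": 7000}
{"event": "NetworkConnect", "dst_ip": "93.184.216.34", "dst_port": 443}
{"event": "DnsQuery", "query": "hui228.ru"}
'''


def normalize_key(key):
    """Fold the long and short hive names together and ignore case."""
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM").lower()


def check_event(ev):
    """Return (rule, detail) if the event matches a CTRL indicator, else None."""
    kind = ev.get("event")
    if kind == "RegistryValueSet":
        if normalize_key(ev.get("key", "")) == EXPLORER_KEY.lower():
            if ev.get("value") == PAYLOAD_VALUE:
                return ("ctrl_payload_value", "payload stored as " + PAYLOAD_VALUE)
            # Generic heuristic from the report: large binary blobs under Explorer.
            if ev.get("type") == "REG_BINARY" and ev.get("size", 0) >= BINARY_BLOB_MIN:
                return ("explorer_binary_blob", "%d bytes in %s" % (ev["size"], ev.get("value")))
    elif kind == "FileCreate":
        path = ev.get("path", "").lower()
        if path in KNOWN_FILES:
            return ("ctrl_artifact_file", KNOWN_FILES[path])
        if path.endswith(RDPWRAP_HINT):
            return ("rdp_wrapper_install", path)
    elif kind == "PipeCreated":
        if ev.get("pipe", "").lstrip("\\").lower() == PIPE_NAME:
            return ("ctrl_named_pipe", "local C2 pipe " + ev["pipe"])
    elif kind == "NetworkConnect":
        ip, port = ev.get("dst_ip"), ev.get("dst_port")
        if ip in RELAY_IPS:
            return ("known_relay_ip", "%s:%s" % (ip, port))
        if port == FRP_RELAY_PORT:
            # Weaker signal: default FRP relay port to an unlisted host.
            return ("frp_relay_port", "%s:%s" % (ip, port))
    elif kind == "DnsQuery":
        q = ev.get("query", "").lower().rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            return ("c2_domain_lookup", q)
    return None


def triage(lines):
    """Run every JSON event line through check_event and collect the hits."""
    findings = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        hit = check_event(ev)
        if hit:
            findings.append({"rule": hit[0], "detail": hit[1], "event": ev})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("%-22s %s" % (f["rule"], f["detail"]))
```

The exact-match rules (value name, file paths, pipe name, relay IPs, domain) are high confidence; the two heuristics (large REG_BINARY under the Explorer key, outbound port 7000 to an unlisted host) are deliberately kept as separate, weaker rule names so they can be tuned or suppressed independently on hosts where they generate noise.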