CTRL Malware Campaign Uses Fake Files to Trick Windows Users
Security researchers have uncovered a new remote access toolkit known as CTRL, believed to be linked to Russian threat actors. The malware is being spread through deceptive Windows shortcut files that appear to be harmless “private key” folders.
According to findings from Censys, the toolkit is built using .NET and is designed to carry out multiple malicious activities, including credential theft, keylogging, and remote system control.
How the Attack Starts
The infection begins with a malicious shortcut file (.LNK) disguised as a folder. When a user opens it, thinking it contains sensitive key files, it quietly launches a hidden PowerShell command.
This triggers a multi-stage attack process where each stage loads the next one in memory, making it harder to detect.
At the same time, the malware:
- Removes existing startup protections
- Executes encoded payloads directly in memory
- Connects to a remote server to fetch additional components

Stealth Techniques to Stay Undetected
The CTRL toolkit is designed to avoid leaving obvious traces. Instead of traditional command-and-control traffic, it uses a reverse tunneling method through a tool called Fast Reverse Proxy (FRP).
This allows attackers to control the infected system through Remote Desktop Protocol (RDP) without generating typical network signals that security tools rely on.
The malware also:
- Modifies firewall rules
- Creates hidden user accounts
- Sets up scheduled tasks for persistence
- Opens a remote command shell for attacker access
Advanced Credential Theft Using Fake Windows Prompts
One of the most dangerous features of CTRL is its ability to steal login credentials using a fake Windows authentication screen.
The malware launches a realistic PIN verification window that looks identical to the real system prompt. When the victim enters their PIN:
- The input is captured and stored
- The entered PIN is checked against the real Windows authentication process
- Even if correct, the fake prompt stays active to avoid suspicion
The malware also blocks common escape actions like Alt+Tab or closing the window, forcing the user to interact with it.

Keylogging and Data Collection
CTRL runs a background keylogger that records every keystroke on the system. This data is saved locally and later accessed by the attacker through the remote session.
The toolkit can also:
- Collect system information
- Monitor user activity
- Extract sensitive data from the machine
Abusing Browser Notifications for Further Attacks
Another built-in feature allows the malware to send fake notifications that appear to come from popular browsers such as Google Chrome or Microsoft Edge.
These notifications can be used to:
- Trick users into entering credentials
- Deliver additional malicious payloads

Remote Access Without Traditional Detection
Instead of using typical malware communication methods, CTRL relies on a more covert approach.
All attacker interaction happens through an RDP session tunneled via FRP. This means:
- No direct command-and-control traffic is visible
- Most activity appears as normal remote desktop usage
- Network-based detection becomes much harder
This design significantly reduces forensic evidence compared to traditional remote access trojans.
Why CTRL Malware Is Different
Unlike common malware kits that aim for wide distribution, CTRL appears to be built for targeted use. It focuses on stealth, control, and long-term access rather than large-scale attacks.
Its design shows a shift toward:
- Low-noise operations
- Minimal detectable activity
- Direct attacker interaction instead of automated communication

Final Takeaway
The CTRL toolkit highlights how modern attackers are evolving their methods. By combining social engineering, fileless execution, and stealthy remote access, they can maintain control over systems while staying under the radar.
Users should be cautious when opening unknown shortcut files, especially those disguised as folders or sensitive documents. For organizations, stronger monitoring of PowerShell activity, RDP usage, and unusual system changes is critical.
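As an added illustration of the monitoring the article calls for (example code written here, not from the article or from Censys), the Python triage below runs a few behaviour rules over constructed sample telemetry covering the chain the article describes: a hidden, encoded PowerShell launch from Explorer (the disguised .LNK), a new local account, a scheduled task, a firewall rule change, and a non-RDP process connecting to the local RDP port (an FRP-style tunnel). The event field names, the `frpc.exe` process name and the assumption that the legitimate RDP listener lives in `svchost.exe` are assumptions of this example, not facts from the article.

```python
import re

# Constructed sample telemetry (not real events from the campaign). Event IDs are the
# standard Windows Security (4688/4720/4698/4946) and Sysmon network-connection (3) IDs.
SAMPLE_EVENTS = [
    {"id": 4688, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
    {"id": 4720, "account": "support01"},                      # new local account
    {"id": 4946, "rule": "Remote Assist", "direction": "in", "port": 3389},
    {"id": 4698, "task": "\\Updater\\Check"},                   # persistence
    {"id": 3, "image": "frpc.exe", "dest_ip": "127.0.0.1", "dest_port": 3389},
    {"id": 4688, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},                      # benign noise
]

# "-w hidden" / "-WindowStyle Hidden" or an encoded command ("-e", "-enc", "-EncodedCommand").
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s+\S", re.I)
RDP_HOSTS = {"svchost.exe"}  # assumption: the legitimate RDP listener runs inside svchost.exe

def hidden_powershell(e):
    """User-launched (Explorer parent, e.g. a double-clicked .LNK) hidden or encoded PowerShell."""
    return (e.get("id") == 4688 and "powershell" in e.get("image", "").lower()
            and e.get("parent", "").lower() == "explorer.exe"
            and HIDDEN_PS.search(e.get("cmdline", "")) is not None)

def loopback_rdp_tunnel(e):
    """A process other than the RDP service connecting to 127.0.0.1:3389, as a reverse tunnel would."""
    return (e.get("id") == 3 and e.get("dest_port") == 3389
            and e.get("dest_ip", "").startswith("127.")
            and e.get("image", "").lower() not in RDP_HOSTS)

RULES = {
    "hidden_powershell_from_explorer": hidden_powershell,
    "local_account_created": lambda e: e.get("id") == 4720,
    "scheduled_task_created": lambda e: e.get("id") == 4698,
    "firewall_rule_added": lambda e: e.get("id") == 4946,
    "loopback_rdp_from_unknown_process": loopback_rdp_tunnel,
}

def triage(events):
    """Return the set of rule names that fire at least once over the event list."""
    return {name for name, rule in RULES.items() for e in events if rule(e)}

def is_ctrl_like(events, min_rules=3):
    """Escalate when the hidden-PowerShell entry point is seen together with enough follow-on behaviour."""
    hits = triage(events)
    return "hidden_powershell_from_explorer" in hits and len(hits) >= min_rules

if __name__ == "__main__":
    print(sorted(triage(SAMPLE_EVENTS)), is_ctrl_like(SAMPLE_EVENTS))
```

Any single rule fires on benign administration too; the point is the combination, which is why the escalation requires the entry point plus several follow-on behaviours within one host's timeline.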