Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels
Summary
Researchers have identified a Russian-origin remote access toolkit called CTRL that is distributed through malicious LNK files disguised as private key folders. This toolkit, built with .NET, enables credential phishing, keylogging, RDP hijacking, and reverse tunneling.
IFF Assessment
FOE
The discovery of a new, sophisticated remote access toolkit designed for credential theft and for hijacking critical services such as RDP poses a significant threat to defenders.
Defender Context
Defenders should be vigilant about malicious LNK files and educate users to be cautious of unexpected shortcut files, especially those masquerading as sensitive data folders. Monitoring for unusual RDP activity, in particular sessions that do not originate from expected sources, and for credential exfiltration should be prioritized.
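The RDP monitoring suggested above can be made concrete with a small triage script. The following is an added example, not code from the researchers or from the CTRL toolkit itself. It assumes that a reverse-proxy client such as frpc running on the victim forwards the local RDP port to an external server, so that a hijacked RDP logon (Security Event ID 4624, LogonType 10) appears to come from the host's own loopback address; it also assumes an allowlist of jump hosts from which RDP is expected. The event records are constructed sample data, not logs from the report.

```python
"""Triage Windows 4624 logon events for RDP sessions that arrive through a local
reverse tunnel or from unexpected sources (added example; constructed data)."""
from ipaddress import ip_address

# Constructed sample records in the shape of Security Event ID 4624 fields.
# These are made up for this example, not data from the cited research.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5",
     "TargetUserName": "alice", "TimeCreated": "2024-05-01T09:02:11Z"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "127.0.0.1",
     "TargetUserName": "svc_backup", "TimeCreated": "2024-05-01T03:14:52Z"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "127.0.0.1",
     "TargetUserName": "SYSTEM", "TimeCreated": "2024-05-01T03:15:00Z"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.9",
     "TargetUserName": "alice", "TimeCreated": "2024-05-01T03:20:07Z"},
]

# Assumption: interactive RDP access is expected only from these jump hosts.
KNOWN_RDP_SOURCES = {"10.0.0.5"}

REMOTE_INTERACTIVE = 10  # LogonType used for RDP / Terminal Services logons


def classify_rdp_logon(event, known_sources=KNOWN_RDP_SOURCES):
    """Return a reason string if the event is a suspicious RDP logon, else None."""
    if event.get("EventID") != 4624 or event.get("LogonType") != REMOTE_INTERACTIVE:
        return None  # not an RDP logon; other logon types are out of scope here
    src = event.get("IpAddress", "-")
    try:
        addr = ip_address(src)
    except ValueError:
        # RDP logons normally carry a source address; its absence deserves review.
        return "rdp logon without a usable source address"
    if addr.is_loopback:
        # Assumption: a reverse tunnel (e.g. an frpc client forwarding the local
        # RDP port) makes the session appear to originate from the host itself.
        return "rdp logon from loopback: consistent with a local reverse tunnel"
    if src not in known_sources:
        return "rdp logon from an unexpected source address"
    return None


def suspicious_rdp_logons(events):
    """Collect (time, user, source, reason) tuples for every flagged event."""
    alerts = []
    for ev in events:
        reason = classify_rdp_logon(ev)
        if reason:
            alerts.append((ev["TimeCreated"], ev["TargetUserName"],
                           ev["IpAddress"], reason))
    return alerts


if __name__ == "__main__":
    for alert in suspicious_rdp_logons(SAMPLE_EVENTS):
        print(" | ".join(alert))
```

The loopback check is the one most specific to the tunneling described on this page: with the victim's own RDP listener reached through a forwarder on the same host, the logon source is no longer the operator's real address. In a production pipeline the same two rules would be applied to events pulled from the Security log or a SIEM rather than the embedded sample list.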