Russian CTRL Toolkit: How Malicious LNK Files Enable RDP Hijacking via Reverse Tunnels
Executive Summary
Cybersecurity researchers at Censys have uncovered a custom-built .NET remote access toolkit called CTRL that is distributed through weaponized Windows shortcut (LNK) files disguised as private key folders. Once executed, the toolkit establishes persistence on the victim host and deploys modules for credential phishing, keylogging, RDP session hijacking, and reverse tunneling via Fast Reverse Proxy (FRP). Separately, Trend Micro’s Zero Day Initiative (ZDI) has documented widespread abuse of a Windows LNK handling flaw (tracked as ZDI-CAN-25373) by multiple state-sponsored groups, including Russian, Chinese, North Korean, and Iranian APTs, with nearly 1,000 malicious LNK samples identified in the wild. Microsoft has classified the underlying flaw as low severity and has not released a patch. Security teams should prioritize detection of anomalous LNK behavior, tighten egress filtering so that reverse tunnels cannot reach attacker infrastructure, and monitor for RDP logons that arrive through a local tunnel endpoint rather than from an approved jump host.
Technical Analysis
The LNK Handling Flaw (ZDI-CAN-25373)
The foundation of this attack is a logic flaw in how Windows presents shortcut files to the user. An LNK file is a binary structure (the Shell Link format) carrying a target path, command-line arguments, an icon location, and metadata. The weakness lies in the CommandLineArguments field: Windows passes whatever it contains to the target executable, but the Explorer Properties dialog shows only a limited view of the Target line. Attackers pad the field with whitespace (spaces, tabs, line feeds, and similar characters) so that the real arguments sit beyond what the dialog displays, leaving a user who inspects the file with nothing suspicious to see.
As Cybernews reported, quoting ZDI researchers: “The flaw lies in the way Windows handles .lnk files – hazardous content in the file is invisible to users even if they have suspicions and inspect the file via the Windows-provided user interface.”
This means a user opening what appears to be an innocent folder shortcut is actually executing arbitrary commands with their privileges. The ZDI team identified malicious LNK files reaching up to 55 MB in size—far larger than typical shortcuts and often containing embedded payloads.
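To make the layout concrete, here is an added example (not code from Censys, ZDI, or this page) that builds two minimal Shell Link files in memory and parses them back, showing where the CommandLineArguments string sits and how whitespace padding keeps the real arguments out of view. The header and StringData layout follow the public MS-SHLLINK specification; the padding threshold, the icon index, and both sample shortcuts are assumptions made for the example.

```python
"""Added example (not Censys or ZDI code): build two minimal Shell Link (.lnk)
files in memory and parse them back, locating the COMMAND_LINE_ARGUMENTS
StringData that Explorer's Properties dialog does not show in full.
Layout follows MS-SHLLINK; PAD_THRESHOLD and the samples are assumptions."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1); the IDList/LinkInfo bits are skipped over by the parser
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7
PAD = " \t\r\n\x0b\x0c"        # whitespace used to push real arguments out of the visible Target line
PAD_THRESHOLD = 32             # assumed: no legitimate shortcut leads its arguments with this much padding


def _string_data(s: str) -> bytes:
    # StringData = CountCharacters (u16) followed by UTF-16LE characters, no terminator
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, working_dir, arguments, icon_location,
              icon_index=0, show_cmd=SW_SHOWNORMAL) -> bytes:
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ICON_LOCATION
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,             # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,          # Creation/Access/Write FILETIMEs
                         0, icon_index, show_cmd,
                         0, 0, 0, 0)       # HotKey, Reserved1..3
    body = _string_data(relative_path) + _string_data(working_dir)
    if arguments:
        body += _string_data(arguments)
    return header + body + _string_data(icon_location)


def parse_lnk(data: bytes) -> dict:
    if (len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE)
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & 0x01:                       # HasLinkTargetIDList: u16 IDListSize then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                       # HasLinkInfo: u32 LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def assess(fields: dict, size_bytes: int) -> dict:
    """Triage heuristics for a parsed shortcut; returns findings and the de-padded arguments."""
    args = fields.get("arguments", "")
    findings = []
    if len(args) - len(args.lstrip(PAD)) >= PAD_THRESHOLD:
        findings.append("padded-arguments")
    if any(c in "\t\r\n\x0b\x0c" for c in args):
        findings.append("control-whitespace")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("hidden-window")
    if size_bytes > 1024 * 1024:           # the 1 MB cut-off used in the detection table
        findings.append("oversized")
    return {"findings": findings, "effective_arguments": args.strip(PAD)}


# Constructed samples: a plain notepad shortcut, and a folder-looking shortcut whose
# cmd.exe arguments are hidden behind 256 spaces and a CRLF (shell32.dll index 3 is a folder icon).
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", r"%SystemRoot%\System32",
                       "", r"%SystemRoot%\System32\notepad.exe")
MALICIOUS_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe", r"%TEMP%",
                          " " * 256 + "\r\n" + r"/c start /min %TEMP%\ctrl.exe",
                          r"%SystemRoot%\System32\shell32.dll", icon_index=3,
                          show_cmd=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(label, assess(parse_lnk(blob), len(blob)))
```

The parser walks the file exactly as Windows does: fixed header, then the optional IDList and LinkInfo structures, then the StringData fields in their defined order. The `effective_arguments` value is what the target actually receives; the Properties dialog would show the padded form, which is why a triage script should strip the padding itself rather than trust what a user reports seeing.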
Key statistics from ZDI’s investigation:
- Nearly 1,000 malicious LNK files identified
- 70% focused on espionage and information theft
- 20%+ directed toward financial gain
- 343 samples submitted from the United States; 39 from Canada
- Exploited by state-sponsored groups from Russia, China, North Korea, and Iran
Microsoft has publicly stated this is a logic flaw (not a buffer overflow or memory corruption issue), classified it as low severity, and declined to issue a security patch at the time of writing.
The CTRL Toolkit
The CTRL toolkit, documented by Censys, is a custom .NET remote access framework distributed via these weaponized LNK files. Its modular architecture includes:
| Module | Capability |
|---|---|
| Credential Phishing | Displays fake login prompts that mimic legitimate Windows authentication dialogs to harvest usernames and passwords |
| Keylogger | Captures all keystrokes including passwords, sensitive data entry, and MFA codes typed by the user |
| RDP Hijacker | Takes over active RDP sessions or forces new sessions, potentially bypassing MFA if the victim is already authenticated |
| FRP Reverse Tunnel | Establishes a Fast Reverse Proxy tunnel to an attacker-controlled server, bypassing outbound firewall rules and NAT |
Attack Chain
The operational flow from initial delivery to full compromise proceeds as follows:
Stage 1 — Delivery: The victim receives a malicious LNK file, typically via spear-phishing email. The file is disguised as a private key folder, using a folder icon with a shortcut overlay arrow to appear legitimate.
Stage 2 — Execution: When the user double-clicks the shortcut, Windows resolves the LNK target and silently passes the hidden command-line arguments to the target executable. The user sees no command prompt, no UAC dialog—the payload executes transparently.
Stage 3 — CTRL Deployment: The hidden arguments launch the bundled ctrl.exe binary (.NET), which installs itself with persistence via a scheduled task or registry run key.
Stage 4 — Reverse Tunnel Establishment: CTRL starts an FRP (Fast Reverse Proxy) client that dials out to the attacker’s C2 server. Because the connection is initiated from inside the network and the attacker chooses the server port (frp’s default is TCP 7000, but 443 or any other permitted port works just as well), it passes most perimeter firewalls and NAT without any inbound rule.
Stage 5 — RDP Hijacking: The FRP client forwards a port on the attacker’s server back to the host’s own RDP listener (127.0.0.1:3389), so the attacker’s RDP connection arrives on the loopback adapter rather than through the perimeter, and the resulting logon record on the host shows a local or tunnel address as its source. If the user has an active RDP session, the attacker can take it over directly; otherwise, a new session is started using phished or keylogged credentials.
Stage 6 — Objectives: With full interactive desktop access, the attacker conducts credential harvesting, lateral movement, data exfiltration, and potentially deploys additional tooling.
Impact Assessment
Who Is at Risk
The LNK handling flaw affects all current Windows desktop editions that support shortcut files. There is no version-specific boundary: any Windows user who opens a malicious LNK file runs its hidden arguments with their own privileges, and the Properties dialog cannot be relied on to reveal them. Because Microsoft has not issued a patch, the attack surface stays open until that assessment changes, and compensating controls have to carry the load.
Organizations most at risk include:
- Government agencies and defense contractors (70% of samples target espionage)
- Financial institutions (20%+ of samples target financial gain)
- Critical infrastructure operators with Windows-based control stations
- Any organization where users routinely receive files via email
Operational Impact
- Credential compromise enables lateral movement across the domain
- RDP hijacking provides the attacker with full interactive access, making it difficult to distinguish malicious activity from legitimate administration
- A reverse tunnel is re-established by the implant whenever outbound connectivity to the C2 server is available, so it survives IP changes, VPN disconnections, and firewall updates that do not block that destination, and it comes back after individual indicators are remediated unless the persistence mechanism itself is removed
- No patch available means traditional vulnerability management processes cannot address the root cause
Detection & Response
Detection Indicators
| Method | What to Look For |
|---|---|
| Process creation monitoring | Event ID 4688 (with the "Include command line in process creation events" audit policy enabled; otherwise the CommandLine field is empty) or Sysmon Event ID 1: processes spawned by explorer.exe with unusually long command lines, long runs of whitespace, or encoded content |
| LNK file analysis | New .lnk files in user directories with file sizes exceeding 1 MB (legitimate shortcuts are typically under 10 KB) |
| Outbound connection monitoring | New persistent outbound connections on high ports to unfamiliar external IPs, especially from non-browser processes |
| RDP session monitoring | Event ID 4624 (Type 10 — RemoteInteractive): RDP logons whose source is 127.0.0.1, ::1, or another tunnel endpoint rather than an approved jump host; for takeover of an existing session, Event IDs 4778/4779 (session reconnect/disconnect) and TerminalServices-LocalSessionManager Events 21, 24, and 25 |
| Scheduled task creation | Event ID 4698: New scheduled tasks created by unknown executables |
| .NET process execution | Execution of unsigned .NET binaries from user-writable directories (Downloads, Temp, AppData) |
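The following is an added example (not the page’s or any vendor’s code) that runs the rules from the table above over a few constructed Security-log records serialised as JSON lines. Field names mirror the EventData names of events 4688, 4624, and 4698 (CommandLine, ParentProcessName, NewProcessName, LogonType, IpAddress, TaskContent); the thresholds, the jump-host allow-list, and the sample records are assumptions.

```python
"""Added example (not the page's or any vendor's code): the detection table's
rules applied to constructed Windows Security-log records in JSON-lines form.
Field names follow the EventData names of 4688/4624/4698; thresholds,
JUMP_HOSTS and the sample records are assumptions."""
import json
import re

JUMP_HOSTS = {"10.0.5.10"}                                   # assumed authorised RDP sources
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)
ENCODED = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)  # PowerShell -EncodedCommand forms
WS_RUN = re.compile(r"\s{32,}")                               # the whitespace padding LNK abuse leaves behind
MAX_CMDLINE = 1024                                            # assumed length threshold


def check_4688(e):
    cmd = e.get("CommandLine", "")
    parent = e.get("ParentProcessName", "").lower()
    if parent.endswith("\\explorer.exe") and (
            len(cmd) > MAX_CMDLINE or WS_RUN.search(cmd) or ENCODED.search(cmd)):
        return "explorer-child-suspicious-cmdline"
    if USER_WRITABLE.search(e.get("NewProcessName", "")):
        return "binary-in-user-writable-path"
    return None


def check_4624(e):
    if e.get("LogonType") != "10":                            # only RemoteInteractive logons
        return None
    src = e.get("IpAddress", "")
    if src in ("127.0.0.1", "::1"):
        return "rdp-logon-from-loopback"                      # the tunnel's local endpoint
    if src not in JUMP_HOSTS:
        return "rdp-logon-from-unapproved-source"
    return None


def check_4698(e):
    if USER_WRITABLE.search(e.get("TaskContent", "")):
        return "scheduled-task-runs-user-writable-binary"
    return None


CHECKS = {4688: check_4688, 4624: check_4624, 4698: check_4698}


def detect(jsonl: str):
    """Return (EventRecordID, rule) for every record that trips a rule."""
    alerts = []
    for line in jsonl.strip().splitlines():
        e = json.loads(line)
        rule = CHECKS.get(e["EventID"], lambda _: None)(e)
        if rule:
            alerts.append((e["EventRecordID"], rule))
    return alerts


# Constructed sample records (not real telemetry).
_RECORDS = [
    {"EventRecordID": 1, "EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"EventRecordID": 2, "EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" ' + " " * 256 + r"/c start /min %TEMP%\ctrl.exe"},
    {"EventRecordID": 3, "EventID": 4688, "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\ctrl.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\ctrl.exe"},
    {"EventRecordID": 4, "EventID": 4698, "SubjectUserName": "alice", "TaskName": r"\Updater",
     "TaskContent": r"<Command>C:\Users\alice\AppData\Local\Temp\ctrl.exe</Command>"},
    {"EventRecordID": 5, "EventID": 4624, "LogonType": "10", "TargetUserName": "alice",
     "IpAddress": "127.0.0.1"},
    {"EventRecordID": 6, "EventID": 4624, "LogonType": "10", "TargetUserName": "helpdesk",
     "IpAddress": "10.0.5.10"},
    {"EventRecordID": 7, "EventID": 4624, "LogonType": "2", "TargetUserName": "alice",
     "IpAddress": "-"},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in _RECORDS)

if __name__ == "__main__":
    for record_id, rule in detect(SAMPLE_JSONL):
        print(record_id, rule)
```

The loopback check is the one that matters most for this toolkit: an RDP logon whose IpAddress is 127.0.0.1 means the session entered through something listening on the host itself, which is exactly what an FRP client forwarding to 3389 looks like from the victim’s side.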
Incident Response Steps
- Isolate the affected host from the network immediately to sever the reverse tunnel.
- Identify the malicious LNK file and the CTRL binary—check %TEMP%, %APPDATA%, and recent Downloads.
- Terminate the ctrl.exe process and remove associated persistence mechanisms (scheduled tasks, registry run keys).
- Block the C2 IP/domain at the perimeter firewall.
- Rotate credentials for any accounts that were active on the compromised host—assume all credentials are compromised.
- Hunt for the same LNK file hash and CTRL binary across the broader environment.
- Preserve forensic images for analysis before reimaging the host.
Mitigation & Remediation
| Priority | Action | Details |
|---|---|---|
| Critical | Egress filtering | Deny direct outbound connections from workstations except through an authenticated proxy, and block TCP 3389 outbound for all hosts except authorized jump servers. Note that the FRP client dials out on whatever port the attacker chose and the attacker's RDP traffic enters through that tunnel, so blocking outbound 3389 on its own does not interrupt this chain |
| Critical | Monitor LNK execution | Deploy EDR rules that flag process creation events where the parent is explorer.exe and command-line arguments exceed a threshold length or contain encoded content |
| High | Email attachment filtering | Block or quarantine .lnk files in email attachments at the mail gateway |
| High | Restrict .NET execution | Use application control policies (AppLocker, WDAC) to prevent execution of unsigned .NET binaries from user-writable directories |
| Medium | User awareness training | Educate users that shortcut files can execute hidden commands—treat unexpected .lnk files with the same caution as executable attachments |
| Medium | Network segmentation | Ensure RDP access is only available through approved jump servers with MFA, not directly from user workstations |
| Medium | Outbound traffic analysis | Deploy network monitoring that detects FRP/reverse proxy patterns: long-lived single-destination connections from non-browser processes, often on high ports (frp's default server port is TCP 7000, though an attacker can choose 443 or any other permitted port) |
Timeline
| Date | Event |
|---|---|
| March 2026 | Censys publishes research on the CTRL toolkit distributed via malicious LNK files |
| March 2026 | Trend Micro ZDI reports widespread abuse of LNK handling flaw (ZDI-CAN-25373) by multiple state-sponsored groups |
| March 2026 | Microsoft classifies the flaw as low severity; no patch released |
Sources & References
- The Hacker News. "Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels."
- Cybernews. "Windows link files spread hidden malware."