A highly advanced remote access toolkit, dubbed “CTRL,” is being distributed through malicious Windows shortcut (LNK) files disguised as private key folders, according to attack surface management firm Censys.
The CTRL toolkit is custom-built using the .NET framework and consists of multiple executables designed to carry out credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling. Researchers found the toolkit hosted in an open directory on a remote server in February 2026.
“All artifacts remain absent from VirusTotal, Hybrid Analysis, and public threat intelligence, which indicates a privately developed toolkit not yet in broad circulation,” the report notes.
The infection chain begins with a weaponized LNK file named “Private Key #kfxm7p9q_yek.lnk,” which mimics a legitimate folder icon to lure users into opening it. Once executed, the file launches a hidden PowerShell command that initiates a multi-stage attack. Each stage decrypts or decompresses the next payload.
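For defenders who want to triage shortcuts for the two traits described here (a folder-style icon paired with a hidden PowerShell launcher), the following added example parses the public Shell Link (MS-SHLLINK) layout and applies that check. It is not Censys's code and does not reproduce the CTRL file; the folder-icon heuristic (shell32.dll indexes 3 and 4) and the sample shortcut built by `build_lnk` are assumptions constructed for offline testing.

```python
"""Triage a Windows shortcut for the traits the report describes: a folder-style
icon paired with a hidden PowerShell launcher. Follows the public MS-SHLLINK layout."""
import re
import struct

FLAG_IDLIST, FLAG_LINKINFO, FLAG_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each present only if its LinkFlags bit is set.
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
# Assumed heuristic: shell32.dll icon indexes 3/4 are the stock closed/open folder icons.
FOLDER_ICON_INDEXES = (3, 4)
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s|-nop\b", re.I)

def parse_lnk(data: bytes) -> dict:
    """Return the icon index and StringData fields of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 76:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"icon_index": struct.unpack_from("<i", data, 56)[0]}
    pos = 76
    if flags & FLAG_IDLIST:    # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_LINKINFO:  # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & FLAG_UNICODE else (1, "cp1252")
    for field, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            info[field] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return info

def lnk_is_suspicious(info: dict) -> bool:
    """Flag a shortcut that looks like a folder but launches PowerShell hidden."""
    target = f"{info.get('relative_path', '')} {info.get('arguments', '')}".lower()
    folder_icon = ("shell32.dll" in info.get("icon_location", "").lower()
                   and info["icon_index"] in FOLDER_ICON_INDEXES)
    return folder_icon and "powershell" in target and bool(HIDDEN_PS.search(target))

def build_lnk(path: str, args: str, icon: str, icon_index: int) -> bytes:
    """Construct a minimal Unicode shortcut so the example runs offline (constructed sample)."""
    header = bytearray(76)
    struct.pack_into("<I", header, 0, 76)                                # HeaderSize
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")     # LinkCLSID
    struct.pack_into("<I", header, 20, FLAG_UNICODE | 0x08 | 0x20 | 0x40)
    struct.pack_into("<i", header, 56, icon_index)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (path, args, icon))
    return bytes(header) + strings + b"\x00\x00\x00\x00"                # TerminalBlock
```

Real shortcuts usually carry the target in the LinkTargetIDList or LinkInfo structures rather than RelativePath, so a production triage tool should also resolve those before applying the check.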
The malware establishes persistence by modifying firewall rules, creating scheduled tasks, and adding backdoor user accounts. It also removes existing startup defenses and opens a command shell accessible via a reverse proxy tunnel.
The ctrl.exe component acts as a loader for the CTRL Management Platform, which can operate in either server or client mode. Communication between components occurs through Windows named pipes (ctrlPipe), ensuring that command-and-control traffic remains local to the infected system.
The toolkit can harvest credentials through a convincing Windows Hello phishing interface, log keystrokes to a local file, and exfiltrate sensitive data. It also supports browser impersonation via fake notifications to trick users into providing further credentials or executing additional payloads.