CTRL Malware: Detecting Russian RDP Backdoors Mimicking Windows Hello

By James Harrington

CTRL malware is a custom .NET toolkit built by a Russian-speaking operator that backdoors Windows hosts through a spoofed Windows Hello PIN screen, patches termsrv.dll for unlimited concurrent RDP sessions, and routes all operator access through Fast Reverse Proxy (FRP) on port 7000. Censys ARC disclosed it on 27 March 2026 after recovering three binaries from an open directory at 146.19.213[.]155. All three had zero VirusTotal or Hybrid Analysis detections at that point.

Delivery: One LNK File

Infection starts with a Windows shortcut named Private Key #kfxm7p9q_yek.lnk, disguised as a folder using SHELL32.dll icon index 3. Double-clicking runs a hidden PowerShell process that decodes a 30,000-character base64 blob through three layers before executing the .NET stager in memory. All internal LNK timestamps are zeroed; PE timestamps are falsified to years between 2044 and 2103. Payloads stage from hui228[.]ru:82/hosted/ on Partner Hosting LTD (AS215826) in Frankfurt. This delivery approach mirrors initial-access patterns covered in the supply chain malware detection guide.

The Windows Hello Credential Harvester

The harvester is a WPF application that clones the Windows Hello PIN screen using the victim’s real account name, photo, and active theme, with Lottie animations pulled from genuine Windows assets. A keyboard hook disables Alt+Tab, Alt+F4, and the Win key. The stolen PIN is validated against the real Windows credential provider before the fake prompt closes, giving victims no indication anything happened. Stolen credentials exfiltrate through the FRP tunnel.

IOC Checklist for CTRL Malware Detection

All indicators are from Censys ARC’s March 2026 report. Any single match is high severity.

File System and Registry

  • C:\Program Files\RDP Wrapper\ with a Defender exclusion for that path
  • C:\Temp\keylog.txt
  • LNK with zeroed timestamps and description field value Polycue
  • Registry binary values under Explorer keys containing PE payloads

Network

  • C2 domain: hui228[.]ru
  • FRP relay IPs: 194.33.61.36 (Jan-Feb 2026) and 109.107.168.18 (active from 27 Feb 2026)
  • Outbound TCP port 7000 to any non-authorised external host

Process Behaviour

  • PowerShell launched from Explorer.exe with -WindowStyle Hidden and a base64 argument exceeding 10,000 characters
  • takeown.exe or icacls.exe targeting termsrv.dll
  • fodhelper.exe spawning child processes (UAC bypass pattern)
  • WPF process presenting a Windows Hello UI outside LogonUI.exe

For FRP tunnel detection queries adapted for Splunk, Elastic, and Sentinel, see the threat hunting playbook.
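As an added example that is not part of the Censys report or the CTRL toolkit, the following Python applies the process-behaviour and network indicators listed above to constructed Sysmon-style events; the event field names, the sample events and the approved-host allowlist are assumptions made for illustration.

```python
import re

# Constructed Sysmon-style telemetry (process-create and network-connect events); not real captures.
SAMPLE_EVENTS = [
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand " + "QQ" * 6000},
    {"kind": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\takeown.exe",
     "cmdline": r"takeown.exe /f C:\Windows\System32\termsrv.dll"},
    {"kind": "process", "parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",          # benign admin use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"kind": "network", "image": r"C:\Windows\System32\svchost.exe",
     "proto": "tcp", "dst": "203.0.113.7", "dport": 7000, "initiated": True},
    {"kind": "network", "image": r"C:\Program Files\build\agent.exe",  # approved internal host
     "proto": "tcp", "dst": "10.0.5.20", "dport": 7000, "initiated": True},
]

# Hosts the organisation has explicitly approved for port 7000 traffic (assumed allowlist).
APPROVED_7000_HOSTS = {"10.0.5.20"}

# A single run of base64 alphabet characters at or above the 10,000-character threshold.
BASE64_ARG = re.compile(r"[A-Za-z0-9+/=]{10000,}")

def match_rules(event, approved=APPROVED_7000_HOSTS):
    """Return the names of the CTRL indicators this event matches (empty list if none)."""
    hits = []
    if event["kind"] == "process":
        image = event["image"].lower().rsplit("\\", 1)[-1]
        parent = event["parent"].lower().rsplit("\\", 1)[-1]
        cmd = event["cmdline"]
        # Hidden PowerShell spawned by Explorer carrying an oversized base64 argument
        if (image == "powershell.exe" and parent == "explorer.exe"
                and "-windowstyle hidden" in cmd.lower() and BASE64_ARG.search(cmd)):
            hits.append("hidden_powershell_large_base64")
        # Ownership or ACL changes aimed at termsrv.dll (precursor to the RDP patch)
        if image in ("takeown.exe", "icacls.exe") and "termsrv.dll" in cmd.lower():
            hits.append("termsrv_dll_ownership_change")
        # fodhelper.exe should not normally have child processes
        if parent == "fodhelper.exe":
            hits.append("fodhelper_child_process")
    elif event["kind"] == "network":
        # Host-initiated TCP 7000 to anything outside the allowlist (FRP default port)
        if (event["proto"] == "tcp" and event["dport"] == 7000
                and event["initiated"] and event["dst"] not in approved):
            hits.append("outbound_tcp_7000_unapproved")
    return hits

def triage(events):
    """Map each matching event index to its indicator names; any hit is high severity per the report."""
    return {i: h for i, e in enumerate(events) if (h := match_rules(e))}
```

Feeding real EDR or Sysmon exports into `triage` only requires mapping their parent, image, command-line and destination fields onto the keys used here.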

Response Playbook

Isolate at the switch port or security group, not from within the OS. CTRL’s boot-time scheduled task reinstates persistence on reboot. Revoke all Windows Hello PINs and passwords for any account that authenticated on the host in the past 30 days.

Capture memory before shutdown. The FRP DLL loads in memory via manual PE mapping with no disk artifact. Collect scheduled task XML exports and registry hives before touching the OS.

Block at the perimeter: null-route hui228[.]ru, both FRP relay IPs, and AS215826. Deny outbound TCP 7000 site-wide. Confirm your zero trust architecture is enforcing lateral RDP restrictions between segments.

Rebuild from a clean image. termsrv.dll patching plus Defender exclusion injection make in-place remediation unreliable. Audit Administrators and Remote Desktop Users group membership before reconnecting the host.

Frequently Asked Questions

What is CTRL malware?

CTRL is a custom .NET remote access toolkit attributed to a Russian-speaking operator, disclosed by Censys ARC in March 2026. It chains Windows Hello phishing, RDP hijacking via termsrv.dll patching, keylogging, and FRP reverse tunneling into a post-exploitation package delivered through a single malicious LNK file.

Does antivirus detect CTRL malware?

No. At the time of Censys disclosure on 27 March 2026, all three CTRL binaries had zero detections on VirusTotal and Hybrid Analysis. PE timestamps are deliberately falsified and the FRP component runs entirely in memory, bypassing file-based scanning. Behavioural rules on termsrv.dll writes and port 7000 outbound connections are more reliable.

How does CTRL steal Windows Hello credentials?

CTRL displays a WPF application that visually clones the Windows Hello PIN prompt, populated with the victim’s real account name, photo, and current Windows theme. Keyboard shortcuts for escaping the window are disabled at the OS level. The PIN is validated against the real credential provider before the fake UI closes, so victims notice nothing.

What is the fastest way to confirm a CTRL infection?

Check three things in parallel: presence of C:\Program Files\RDP Wrapper\ with a Defender exclusion for that path, outbound TCP to port 7000 in firewall or EDR logs, and scheduled tasks running encoded PowerShell at boot with no human-readable name or description. Any single match is grounds for immediate network isolation.