The Censys Attack Research Center (ARC) has found a new remote access toolkit called "CTRL" that appears to be of Russian origin. The toolkit bundles credential phishing, keylogging, hijacking of the Remote Desktop Protocol (RDP), and tunneling based on Fast Reverse Proxy (FRP) in a single package.

CTRL is a privately developed, single-operator tool that has so far stayed off every public threat intelligence platform. It was delivered through a single weaponized LNK file. Several technical indicators point to Russian origin: Russian-language error strings in the FRP wrapper component, a .ru command-and-control (C2) domain, PDB paths under C:\Users\Admin\repos \repos\, and copyright dates that match a 2025 development timeline. The C2 relay infrastructure was seen on two IPs: 194.33.61[.]36 (active from January to February 2026) and 109.107.168[.]18 (DNS switched over on February 27, 2026).

Both are hosted on AS215826, a UK-registered autonomous system that Partner Hosting LTD set up in Frankfurt in February 2025. None of the three hosted binaries carries a hard-coded C2 address: the FRP server address and auth token exist only in C:\ProgramData\frp\frpc.toml, which the in-memory stager writes at runtime. That makes the config file, not the binaries, the place to recover the C2 from a compromised host.
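The check a responder would run on a suspect host follows from that detail: read frpc.toml, pull out the server address, the token and any tunnel that exposes local RDP, and compare the server against the relay IPs above. The script below is an added example, not Censys code or the toolkit's own; the file path and the two IPs come from the article, the sample file contents are constructed in frpc's TOML layout, and the parser is deliberately minimal (flat `key = value` lines plus `[[proxies]]` tables, no trailing comments), not a general TOML parser.

```python
"""Recover FRP server, token and RDP tunnel settings from an frpc.toml.

Added example, not from the Censys write-up.  frpc.toml is flat key/value
TOML plus [[proxies]] tables, so a small purpose-built parser is enough here.
The path and the two C2 IPs are the article's; SAMPLE_FRPC is constructed.
"""
import os

FRPC_PATH = r"C:\ProgramData\frp\frpc.toml"          # location named in the article
KNOWN_C2 = {"194.33.61.36", "109.107.168.18"}        # relay IPs reported in the article
RDP_PORT = 3389

SAMPLE_FRPC = """\
# constructed sample in frpc's TOML layout (not recovered from a real host)
serverAddr = "194.33.61.36"
serverPort = 7000
auth.method = "token"
auth.token = "example-token"

[[proxies]]
name = "rdp"
type = "tcp"
localIP = "127.0.0.1"
localPort = 3389
remotePort = 6000
"""


def _value(raw: str):
    """Unquote strings and convert bare integers; anything else is returned as-is."""
    raw = raw.strip()
    if raw[:1] in ('"', "'") and raw[-1:] == raw[:1]:
        return raw[1:-1]
    if raw.lstrip("-").isdigit():
        return int(raw)
    return raw


def parse_frpc(text: str) -> dict:
    """Return {"top": {...}, "proxies": [{...}, ...]} from frpc.toml text."""
    top, proxies, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = {}                       # new table; only [[proxies]] is kept
            if line == "[[proxies]]":
                proxies.append(current)
            continue
        key, _, raw = line.partition("=")
        target = top if current is None else current
        target[key.strip()] = _value(raw)
    return {"top": top, "proxies": proxies}


def assess(cfg: dict, known_c2=KNOWN_C2) -> list:
    """Turn a parsed config into human-readable findings."""
    top, findings = cfg["top"], []
    addr = top.get("serverAddr")
    if addr in known_c2:
        findings.append(f"serverAddr {addr} matches a known CTRL C2 relay")
    elif addr:
        findings.append(f"serverAddr {addr}:{top.get('serverPort')} is an unrecognised FRP server")
    if top.get("auth.token"):
        findings.append("auth.token present: operator token is recoverable from disk")
    for p in cfg["proxies"]:
        if p.get("localPort") == RDP_PORT:
            findings.append(f"proxy {p.get('name')!r} exposes local RDP ({RDP_PORT}) "
                            f"on remotePort {p.get('remotePort')}")
    return findings


def check_host(path: str = FRPC_PATH):
    """Read the on-disk file (absent on a clean host) and return findings, or None."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return assess(parse_frpc(fh.read()))


if __name__ == "__main__":
    print("constructed sample:")
    for finding in assess(parse_frpc(SAMPLE_FRPC)):
        print(" -", finding)
    live = check_host()
    print("live host:", "no frpc.toml present" if live is None else live)
```

On a clean host `check_host()` returns None because the file does not exist; on a host where the stager has run, the findings give you the relay address to pivot on and the token that the operator's frps expects.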

All PE timestamps have been set to dates between 2044 and 2103 to frustrate forensic timeline analysis. The dual-mode ctrl.exe architecture routes every operator interaction through an RDP session tunneled over FRP and a Windows named pipe (ctrlPipe), so there is none of the periodic beacon traffic that makes commodity RATs detectable on the network. The SSH server on the C2 host 194.33.61[.]36 was also unpatched against CVE-2024-6387.
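A forward-dated compile timestamp is cheap to check for, and it turns the anti-forensics trick into a detection: the COFF file header's 32-bit TimeDateStamp is an unsigned count of seconds since 1970, so 2044 to 2103 fits in the field and simply reads as "built after the scan ran". The script below is an added example, not Censys code; it constructs minimal PE images in memory with the stamps of interest (the 2044 to 2103 window is the only fact taken from the article, the file layout is standard PE/COFF) and classifies each one.

```python
"""Flag PE images whose COFF TimeDateStamp post-dates the scan.

Added example, not from the Censys write-up.  The sample images are built
in memory (DOS stub, "PE\\0\\0" signature, one COFF header, no sections);
only the 2044-2103 window comes from the article.
"""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C      # DOS header field that points at the PE signature
TIMESTAMP_OFFSET = 8        # TimeDateStamp is 8 bytes past the signature


def pe_timestamp(data: bytes) -> int:
    """Return the unsigned 32-bit COFF TimeDateStamp of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + TIMESTAMP_OFFSET)
    return stamp


def classify_timestamp(stamp: int, now: int) -> str:
    """'zero' for a stripped stamp, 'future' if later than the scan time, else 'plausible'."""
    if stamp == 0:
        return "zero"
    if stamp > now:
        return "future"
    return "plausible"


def build_pe(stamp: int) -> bytes:
    """Constructed minimal PE image carrying the given TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    coff = struct.pack("<4sHHIIIHH", PE_SIGNATURE,
                       0x8664,    # Machine: x64
                       0,         # NumberOfSections
                       stamp,     # TimeDateStamp
                       0, 0,      # PointerToSymbolTable, NumberOfSymbols
                       0,         # SizeOfOptionalHeader
                       0x0022)    # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    return bytes(dos) + coff


def scan(samples: dict, now: int) -> dict:
    """Map sample name -> (ISO-8601 UTC build time, verdict)."""
    out = {}
    for name, data in samples.items():
        stamp = pe_timestamp(data)
        when = datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
        out[name] = (when, classify_timestamp(stamp, now))
    return out


# Constructed stamps: an ordinary 2025 build and two forward-dated ones at
# the edges of the 2044-2103 window the article reports.
SAMPLES = {
    "ordinary.exe":   build_pe(1735689600),   # 2025-01-01T00:00:00Z
    "ctrl_early.exe": build_pe(2335219200),   # 2044-01-01T00:00:00Z
    "ctrl_late.exe":  build_pe(4197052800),   # 2103-01-01T00:00:00Z
}

if __name__ == "__main__":
    now = int(datetime.now(tz=timezone.utc).timestamp())
    for name, (when, verdict) in scan(SAMPLES, now).items():
        print(f"{name:16} {when}  {verdict}")
```

Run it against real files by replacing the entries of SAMPLES with the bytes read from disk. A zero stamp is reported separately because reproducible-build toolchains legitimately emit it, whereas a stamp after the scan time has no benign explanation.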