Researchers at Censys have identified a remote access toolkit of Russian origin. It is distributed through malicious Windows shortcut (LNK) files disguised as private key folders. The LNK dropper runs a hidden PowerShell command that removes any existing persistence mechanisms from the victim's Windows Startup folder.
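As an added illustration (not code from Censys's report or from the toolkit), the following Python heuristic flags process-creation events that match the dropper behaviour just described: PowerShell launched with a hidden window and deleting from a Startup folder. The event records, field names and command lines are constructed samples, not indicators taken from the report.

```python
import ntpath
import re

# Constructed process-creation events (not from the report). Field names are assumptions.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -NoProfile -Command "Remove-Item \"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\*\" -Force"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "Get-ChildItem C:\Users\alice\Documents"'},
    {"parent": r"C:\Program Files\BackupAgent\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "Copy-Item C:\Data\report.csv D:\Archive\"'},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of a switch, so "-w h", "-win hidden" and
# "-WindowStyle Hidden" all request a hidden window; this loose pattern covers them.
HIDDEN = re.compile(r"-w[a-z]*\s+h[a-z]*", re.I)
# Matches both the per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders.
STARTUP = re.compile(r"start menu\\programs\\startup", re.I)
DELETE = re.compile(r"\b(?:remove-item|rm|ri|del|erase|rd|rmdir)\b", re.I)


def assess(event: dict) -> list[str]:
    """Return the indicators matched by one process-creation event."""
    reasons = []
    if ntpath.basename(event["image"]).lower() not in POWERSHELL:
        return reasons
    cmd = event["cmdline"]
    if ntpath.basename(event["parent"]).lower() == "explorer.exe":
        reasons.append("powershell spawned by explorer.exe (shortcut double-click path)")
    if HIDDEN.search(cmd):
        reasons.append("hidden window requested")
    if STARTUP.search(cmd) and DELETE.search(cmd):
        reasons.append("deletion targeting a Startup folder")
    return reasons


def is_suspicious(event: dict) -> bool:
    """Alert only on the combination: hidden PowerShell that deletes Startup-folder items."""
    reasons = assess(event)
    return "hidden window requested" in reasons and "deletion targeting a Startup folder" in reasons


def flag_events(events: list[dict]) -> list[int]:
    """Indices of events worth an analyst's attention."""
    return [i for i, e in enumerate(events) if is_suspicious(e)]
```

The explorer.exe parent is recorded as supporting context rather than a trigger, since legitimate shortcuts also launch PowerShell that way.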
One of the toolkit's commands sends toast notifications that appear to come from web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron, a lure used to harvest additional credentials or deliver further payloads. The toolkit also reflects attention to operational security; as Censys noted, "None of the three hosted binaries have hard-coded C2 addresses."
The attack surface management company said it found CTRL in an open directory at 146.19.213[.]155 in February 2026. Its analysis continues: "All data exfiltration happens through the FRP tunnel via RDP. The operator connects to the victim's desktop and reads keylog data through the ctrl named pipe."
"This architecture leaves behind very few network forensic artifacts compared to traditional C2 beacon patterns," the report adds. It concludes: "The CTRL toolkit shows a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth." The toolkit is being offered for pre-order at $99, with a two-year contract available for $199; a three-year contract is also offered.
Visit the toolkit's website or the company's official blog for more information.