Under CTRL: Dissecting a Previously Undocumented Russian .Net Access Framework
ID: beb21ffb-b8cf-52d6-bf9f-5d29f8670b87
STIX ID: report--beb21ffb-b8cf-52d6-bf9f-5d29f8670b87
Feed Name: Censys Blog
CTRL is a previously undocumented Russian-language .NET remote access toolkit delivered via a socially engineered LNK dropper that executes a multi-layer PowerShell/.NET stager in memory. The toolkit provides validated Windows Hello credential harvesting, persistent keylogging, automated RDP enablement and hijacking, and FRP-based reverse tunneling for operator access; Censys observed active infrastructure (hui228.ru and IPs 194.33.61.36, 109.107.168.18) and enumerated host and network indicators for detection and mitigation.
