Censys reported on the discovery of a previously undocumented remote access toolkit named “CTRL,” assessed to be developed by a Russian-speaking operator. The toolkit is delivered via a weaponized LNK file disguised as a folder and was identified through open directory scanning of exposed infrastructure. At the time of reporting, associated infrastructure, including hui228[.]ru and supporting IPs, remained active and had not appeared in public threat intelligence sources, indicating limited or private circulation. The attack chain relies on a multi-stage, fileless execution process beginning with a malicious LNK that launches obfuscated PowerShell. Payloads are decoded, stored in the registry, and executed in memory to avoid disk artifacts. The toolkit deploys multiple components that enable credential phishing via a realistic Windows Hello interface, continuous keylogging, RDP session hijacking, and reverse proxy tunneling using FRP. Operator access is conducted through RDP over these tunnels, avoiding traditional command-and-control beaconing. Persistence is established through scheduled tasks, registry storage, and hidden administrative accounts, while data collection and operator interaction remain largely local to the compromised host.

Impact: CTRL provides operators with persistent, hands-on-keyboard access while minimizing detectable network activity. Its use of reverse tunneling and local named pipe communication reduces visibility for traditional network-based detections. Compromised systems may experience credential theft, unauthorized RDP access, and long-term persistence with limited forensic artifacts. The lack of public detection signatures increases the risk of undetected compromise in targeted environments.

Recommendation: Organizations should review the source material and assess exposure. Prioritize identifying signs of registry-resident payloads under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ and investigate any unusual binary values such as ShellStateVersion1, IconSizeVersion1, or IconUnderlineVersion1. Review scheduled task creation for anomalies including DriverSvcTask, NetTcpSvc, TermSvcHost, and WindowsHealthMonitor, and validate that no unauthorized persistence mechanisms have been introduced. Monitor for unexpected changes to RDP configurations, including modification of termsrv.dll, installation of RDP Wrapper, or systems enabling concurrent RDP sessions outside normal policy. Investigate local account activity to identify hidden or newly created administrative users, particularly those added to Remote Desktop Users.

Malwarebytes reported a campaign that uses Google Forms as the starting point for malware delivery, rather than a traditional phishing page or direct attachment. The forms impersonate legitimate companies and use business-themed lures such as job interviews, project briefs, and financial documents to convince victims to download ZIP archives. Malwarebytes identified links distributed through platforms including LinkedIn, with archives hosted on services such as Dropbox, filedn.com, fshare.vn, and URL shorteners. The final malware observed in the campaign is PureHVNC, a modular .NET remote access trojan that can remotely control infected devices, collect system and user information, steal browser and wallet data, extract data from apps such as Telegram and Foxmail, install plugins, and establish persistence. The infection chain is multi-stage and designed to reduce detection. The downloaded ZIP typically contains lure documents, an executable, and a malicious DLL used for DLL hijacking. The DLL decrypts strings, performs anti-debugging and sandbox checks, opens decoy PDFs, establishes persistence via the registry Run key, and extracts a secondary archive. That archive is unpacked into a random ProgramData folder and launches an obfuscated Python script that ultimately decodes and runs Donut shellcode. Malwarebytes observed PureHVNC injected into SearchUI.exe in the analyzed case. The malware also used WMI queries to enumerate antivirus products, operating system details, and connected image or camera devices, then created a scheduled task for persistence. Malwarebytes said the campaign targeted organizations in healthcare, government, hospitality, and education across countries including Germany, Canada, the United States, and Australia.

Impact: This campaign presents a practical enterprise risk because it uses trusted services and realistic business workflows to gain execution, then deploys a capable remote access trojan that supports credential theft, wallet theft, plugin delivery, host reconnaissance, and persistent control of the victim system. The use of Google Forms, legitimate file-sharing services, and professional lures increases the likelihood of user interaction, while the multi-stage Python and Donut-based execution chain makes the activity harder to identify through basic static analysis or simple file-based blocking.

Recommendation: Organizations should reinforce user guidance around unsolicited Google Forms, shared ZIP archives, and business documents received through job, partnership, or project outreach, especially when links are hidden behind URL shorteners or redirects. Monitor and or for unexpected DLL sideloading, registry Run key additions such as CurrentVersion\Run\Miroupdate, execution of Python from unusual ProgramData paths, scheduled task creation from user-writable directories, and suspicious WMI queries targeting antivirus inventory.