Stage 0 – LNK PowerShell loader
3-layer base64: command line, Layer 1 + Layer 2 dropper scripts
https://gist.github.com/anorthern-censys/aa3c29b1eafac8c67f82220f89864b63

Stage 1 – LNK stager (StandaloneProgram)
UAC bypass, payload download, persistence, backdoor user
https://gist.github.com/anorthern-censys/3dd1f553656d39c14fa67cbaed149ec6

Stage 2 – ctrl.exe AES loader
Decrypts and runs embedded C2 payload via Assembly.Load()
https://gist.github.com/anorthern-censys/49493f0ca16e2f73a86fc8fd46cb54a6

Stage 3 – ctrl C2 payload
Credential harvester, keylogger, toast spoofing, RDP shadow, pipe C2
https://gist.github.com/anorthern-censys/59e2dcd9612c7064942cee0faeba0a5c

Stage 4 – FRPWrapper
AES-decrypts embedded FRP v0.65.0 Go DLL, manual PE loader
https://gist.github.com/anorthern-censys/abfde26ac3b15856de3b2afc2737f8ba

Stage 5 – RDPWrapper
Patches termsrv.dll, RDP Wrapper, Defender exclusion, unlimited RDP
https://gist.github.com/anorthern-censys/9fff148661ec2a8ac3dd18e9ce54bdff

Tooling – Payload decryption script
decrypt_payloads.py – extracts AES-encrypted payloads from ctrl.exe and FRPWrapper.exe
https://gist.github.com/anorthern-censys/dcf530769fcde7795320db5fd7c01eb8