The deadly shortcut: how a disguised .LNK steals credentials and rides an FRP tunnel to take over your RDP


Security researchers have uncovered a Russian-origin remote access tool that is distributed through malicious Windows shortcut (.LNK) files disguised as folders containing private keys. The Censys attack surface management platform raised the alarm about this custom .NET toolkit, which combines several binaries to steal credentials, log keystrokes, hijack RDP sessions and create reverse tunnels with Fast Reverse Proxy (FRP). For context and follow-up of the original research, see the Censys blog: https://censys.io/blog.

The entry vector is simple and effective from the attacker's point of view: a harmless-looking .LNK file (in the documented case named something like "Private Key # kfxm7p9q _ yek.lnk") uses a folder icon so that the victim double-clicks it. That click triggers a multi-stage sequence in which each phase obfuscates or decompresses the next until the full tool is deployed. The dropper in the shortcut invokes a hidden PowerShell command, removes earlier persistence mechanisms from the Windows Startup folder and decodes in memory a Base64-encoded blob containing the next loader.
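To show what a defender can pull out of such a shortcut before anyone double-clicks it, here is an added triage example (not code from the Censys research): a minimal parser for the public MS-SHLLINK layout that reads the header and StringData sections and flags the traits described above, namely a folder icon on a link that really launches PowerShell with a hidden window and a Base64-encoded command. The sample .LNK is constructed inline and is inert (its encoded command is a Write-Output); the folder icon index mapping for shell32.dll and the function names are assumptions of this example.

```python
"""Minimal Shell Link (.LNK) triage parser, following the public MS-SHLLINK layout."""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from the header; only the ones this parser needs
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimised and unfocused


def _read_string(buf, off, unicode):
    """StringData item: 2-byte character count followed by the characters (no NUL)."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(buf):
    """Return the header fields and StringData strings relevant for triage."""
    if len(buf) < 0x4C or buf[:4] != b"\x4c\x00\x00\x00" or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    icon_index, show_cmd = struct.unpack_from("<iI", buf, 0x38)
    off = 0x4C
    if flags & HAS_ID_LIST:            # skip LinkTargetIDList: 2-byte size + body
        (size,) = struct.unpack_from("<H", buf, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:          # skip LinkInfo: 4-byte size that includes itself
        (size,) = struct.unpack_from("<I", buf, off)
        off += size
    fields = {"icon_index": icon_index, "show_command": show_cmd}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:
            fields[key], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return fields


def triage_lnk(fields):
    """List the traits that make a shortcut look like a disguised dropper."""
    hits = []
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    icon = fields.get("icon_location", "").lower()
    # shell32.dll indexes 3 and 4 are the closed/open folder icons (assumed mapping)
    if icon.endswith("shell32.dll") and fields["icon_index"] in (3, 4):
        hits.append("folder icon borrowed from shell32.dll")
    if "powershell" in target and re.search(r"-w(indowstyle)?\s+hidden", target):
        hits.append("launches PowerShell with a hidden window")
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
                  fields.get("arguments", ""))
    if m:
        try:  # PowerShell expects the blob to be UTF-16LE text
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = "<undecodable>"
        hits.append("Base64 encoded command: " + decoded)
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("ShowCommand=SW_SHOWMINNOACTIVE (console window kept out of sight)")
    return hits


def build_sample_lnk():
    """Constructed, inert fixture with the traits described above (test data, not malware)."""
    enc = base64.b64encode("Write-Output 'inert test fixture'".encode("utf-16-le")).decode()
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 3, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)

    def sd(s):  # one StringData item, UTF-16LE because IS_UNICODE is set
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header
            + sd(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
            + sd("-w hidden -enc " + enc)
            + sd(r"%SystemRoot%\System32\shell32.dll")
            + b"\x00\x00\x00\x00")  # TerminalBlock ends the ExtraData section


if __name__ == "__main__":
    for hit in triage_lnk(parse_lnk(build_sample_lnk())):
        print("-", hit)
```

On a real sample, `parse_lnk(open(path, "rb").read())` gives the same dictionary; the parser skips the LinkTargetIDList and LinkInfo blocks that most real shortcuts carry, so only the StringData strings and two header fields are interpreted.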


The next stage tests TCP connectivity to a remote server and downloads additional components, while it adjusts firewall rules, creates scheduled tasks for persistence, adds local backdoor users and starts a cmd.exe listener on a specific port (5267) that is reachable through the attacker-operated FRP tunnel. The tunnel is implemented with a Go-written library injected in memory to establish both RDP and TCP reverse channels; the FRP project, legitimately used for tunnelling, is published on GitHub and helps to understand the mechanism being abused: https://github.com/fatedier/frp.

One of the downloaded executables, identified as ctrl.exe, acts as a .NET loader and starts a management platform, the "CTRL Management Platform", that can operate in server or client mode depending on the arguments it is launched with. Command and control is not carried out as traditional outbound traffic: instead, the tool creates a Windows named pipe to exchange orders locally and delegates all network interaction to a single RDP session carried over the FRP tunnel. That means that, apart from the RDP session, there are hardly any C2 beacons on the network for conventional detections to identify the intrusion, a tactic designed to reduce the forensic footprint in communications.

The package's capabilities are numerous and deliberate in their design: system information collection, a credential theft module that simulates the Windows Hello PIN verification window, a keylogger that captures everything typed and saves it to C:\Temp\keylog.txt by means of a keyboard hook, and the ability to show "toast" style notifications impersonating different browsers to induce the victim to enter credentials or run additional payloads. The credential phishing module is implemented as a WPF application whose interface imitates PIN verification; it also blocks keyboard shortcuts such as Alt+Tab or Alt+F4 and uses UI automation (SendKeys) to validate the real PIN in parallel while still recording the fraudulent input when it is entered.

The arsenal is completed by two key binaries: one that loads the reverse tunnel component (FRPWrapper.exe) in memory and one that allows multiple concurrent RDP sessions (RDPWrapper.exe). Censys stresses that none of these executables embed control addresses, and that all data exfiltration takes place through the FRP tunnel by writing to or reading from the local named pipe, another design choice oriented toward operational discretion.

This case helps to understand a trend that analysts have observed: custom tools, built by lone or small operators, that prioritise operational security over an extensive catalogue of functions. By concentrating communication in RDP over reverse tunnels, much of the beaconing that many network-based defences rely on is avoided, which complicates early detection.

What can be done to reduce risk and detect such threats? The first barrier is preventing the deception: treat shortcuts received by e-mail or downloaded from untrusted locations with scepticism and, in general, avoid opening files whose origin is not verified. At the technical level, check for unexpected scheduled tasks, recent changes to firewall rules, the appearance of unknown local users and the presence of unusual .NET processes; tools such as Autoruns and Sysinternals Process Explorer help to inspect autostart entries and processes (documentation: https://docs.microsoft.com/en-us/sysinternals/download/autoruns). It is also prudent to review and harden the RDP configuration following Microsoft's guidance to prevent unauthorised remote access: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-security.


On the network side, although the tactic uses RDP over a tunnel to minimise traces, indirect signals can still be sought: outbound connections to unusual FRP servers, activity on unusual ports, file transfers through remote sessions, or creation of sockets on atypical ports by processes that should not open them. On the endpoint, monitor named pipe creation and continuous writes to temporary keystroke log files, and enable enhanced protection against script and Office execution. The MITRE ATT&CK framework offers related technique and tactic descriptions that help classify and prioritise detections, for example for keylogging and user execution: https://attack.mitre.org/techniques/T1056/ and https://attack.mitre.org/techniques/T1204/.
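The host and network signals listed in the two paragraphs above can be turned into concrete rules. The following is an added example, not tooling from Censys or the article: a small rule set run over constructed Sysmon-style events (process creation, named pipe creation, file creation and network connection records), covering the hidden encoded PowerShell spawned from a shortcut, scheduled task and firewall changes, a new local user, a named pipe opened by a binary outside the system directory, writes to a keystroke log under C:\Temp, an outbound connection on an atypical port and a loopback RDP connection made by something other than an RDP client. The ctrl.exe, FRPWrapper.exe and keylog.txt names come from the write-up; the pipe name, IP addresses, port 7000, allowlists and technique mappings beyond T1056 and T1204 are assumptions of this example.

```python
"""Rule-based triage of Sysmon-style events for the signals the article lists."""
import re

SYSTEM_DIR = "c:\\windows\\"
TRUSTED_PIPE_OWNERS = {"svchost.exe", "lsass.exe", "services.exe"}  # constructed allowlist
COMMON_PORTS = {53, 80, 443}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
RDP_CLIENTS = {"mstsc.exe", "svchost.exe"}

# Constructed sample telemetry (field names follow Sysmon's schema). Binary names
# come from the write-up; paths, addresses, the pipe name and the Base64 text are made up.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc QUFBQUFBQUFBQUFB"},
    {"id": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Updater" /tr C:\\Users\\Public\\ctrl.exe /sc onlogon'},
    {"id": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow '
                    'localport=5267 protocol=tcp'},
    {"id": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user support <placeholder-password> /add"},
    {"id": 17, "Image": r"C:\Users\Public\ctrl.exe", "PipeName": r"\ctrlmgmt"},
    {"id": 11, "Image": r"C:\Users\Public\ctrl.exe", "TargetFilename": r"C:\Temp\keylog.txt"},
    {"id": 3, "Image": r"C:\Users\Public\FRPWrapper.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 7000},
    {"id": 3, "Image": r"C:\Users\Public\FRPWrapper.exe", "Initiated": True,
     "DestinationIp": "127.0.0.1", "DestinationPort": 3389},
    # Benign noise that must not fire:
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "CommandLine": "firefox.exe"},
    {"id": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "Initiated": True,
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
    {"id": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsass"},
]


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    """Rough proxy: anything outside C:\\Windows is treated as user-writable."""
    return not path.lower().startswith(SYSTEM_DIR)


def triage(events):
    """Return (event index, ATT&CK technique or 'n/a', description) for every match."""
    findings = []
    for i, ev in enumerate(events):
        eid, img, cl = ev["id"], _name(ev.get("Image", "")), ev.get("CommandLine", "")
        if eid == 1:  # process creation
            parent = _name(ev.get("ParentImage", ""))
            if (img == "powershell.exe" and parent == "explorer.exe"
                    and re.search(r"(?i)-w(indowstyle)?\s+hidden", cl)
                    and re.search(r"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", cl)):
                findings.append((i, "T1204.002",
                                 "hidden, encoded PowerShell spawned from explorer.exe "
                                 "(shortcut double-click)"))
            elif img == "schtasks.exe" and re.search(r"(?i)/create", cl):
                findings.append((i, "T1053.005", "scheduled task created by " + parent))
            elif img == "netsh.exe" and re.search(r"(?i)advfirewall\s+firewall\s+add\s+rule", cl):
                findings.append((i, "T1562.004", "firewall rule added: " + cl))
            elif img == "net.exe" and re.search(r"(?i)\buser\b.*\s/add\b", cl):
                findings.append((i, "T1136.001", "local account created: " + cl))
        elif eid == 17 and img not in TRUSTED_PIPE_OWNERS and _user_writable(ev["Image"]):
            findings.append((i, "n/a", f"named pipe {ev['PipeName']} created by {img} "
                                       "outside the system directory"))
        elif eid == 11 and re.search(r"(?i)\\temp\\.*key.*log", ev["TargetFilename"]):
            findings.append((i, "T1056.001", "keystroke log written: " + ev["TargetFilename"]))
        elif eid == 3 and ev.get("Initiated"):  # outbound connection
            ip, port = ev["DestinationIp"], ev["DestinationPort"]
            if ip.startswith("127.") and port == 3389 and img not in RDP_CLIENTS:
                findings.append((i, "T1021.001",
                                 f"loopback RDP connection from {img} (tunnelled session)"))
            elif port not in COMMON_PORTS and img not in BROWSERS and _user_writable(ev["Image"]):
                findings.append((i, "T1572", f"{img} connected to {ip}:{port} "
                                             "(atypical port from a user-writable path)"))
    return findings


if __name__ == "__main__":
    for idx, technique, text in triage(SAMPLE_EVENTS):
        print(f"event {idx:2d} {technique:10s} {text}")
```

The loopback rule is the one worth noting: an RDP session tunnelled through FRP never produces an inbound 3389 connection from an external address, but it does produce a connection from the tunnel process to 127.0.0.1:3389, which is cheap to collect and rarely benign.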

Finally, remember that legitimate technologies such as Windows Hello can become lures when their interface is emulated by an attacker. To better understand how Windows Hello works and why its UI can be spoofed, the official documentation reviews its design and the protections it provides: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview.

The finding shows that adversaries keep refining their methods to stay under the radar, and that security teams must combine endpoint controls, network monitoring and user training to close the exposure window. The combination of social engineering (a convincing .LNK), in-memory execution, silent persistence and tunnelled remote desktop access is effective and, without a layered defence, hard to detect until the damage is done. Keeping systems up to date, limiting the exposure of remote services and monitoring the signals above can make the difference between a thwarted attempt and a successful intrusion.
