Cybersecurity researchers have revealed details of a cyberattack that targeted a major US-based real estate company. This attack included the use of an early command and control (C2) and red team framework known as Tuoni.
“This campaign leveraged the emerging Tuoni C2 framework, a relatively new command-and-control (C2) tool (with a free license) that stealthly delivers in-memory payloads,” Morphisec researcher Shmuel Yuzan said in a report shared with Hacker News.
Tuoni is touted as an advanced C2 framework designed for security professionals, facilitating penetration testing operations, red team engagement, and security assessments. The “community edition” of the software is available for free download from GitHub. The first release was in early 2024.
According to Morphisec, the attack occurred in mid-October 2025, and an unknown attacker may have used social engineering to impersonate Microsoft Teams for initial access. The attacker likely tricked the company’s employees into executing PowerShell commands by posing as a trusted vendor or colleague.
This command downloads a second PowerShell script from an external server (‘kupaoquan'[.]com”) uses steganography techniques to hide the next stage payload inside a bitmap image (BMP). The primary purpose of the embedded payload is to extract and execute shellcode directly in memory.
This will run “TuoniAgent.dll”. This corresponds to an agent that runs inside the target machine and connects to the C2 server (in this case “kupaoquan”).[.]com), which enables remote control.
“While Tuoni itself is a sophisticated but traditional C2 framework, the delivery mechanism showed signs of AI assistance in code generation, as evidenced by scripted comments and the modular structure of the initial loader,” Morphisec added.
Although this attack ultimately failed, it shows that red teaming tools are continually being exploited for malicious purposes. In September 2025, Check Point detailed the use of an artificial intelligence (AI)-powered tool called HexStrike AI to quickly accelerate and simplify vulnerability exploitation.
Source link
