- A U.S.-based real estate company was targeted in October 2025 by an attack using the emerging Tuoni command-and-control (C2) framework.
- The attack involved social engineering through Microsoft Teams impersonation to trick an employee into executing a malicious PowerShell command.
- The payload was concealed using steganography inside a bitmap image and executed in memory to avoid detection.
- Tuoni, a red teaming tool available as a free Community Edition on GitHub, was used to establish remote control over the infected machine.
- The initial loader showed signs of AI-generated scripting, highlighting the blend of advanced methods in the attack.
In mid-October 2025, a cyberattack targeted a major U.S.-based real estate company utilizing the recently developed Tuoni command-and-control framework. The intruders employed social engineering tactics, impersonating trusted vendors or colleagues via Microsoft Teams to convince an employee to run a PowerShell command.
This command retrieved a secondary PowerShell script from an external server, kupaoquan[.]com. The script used steganography, a method of hiding data within an image file, by embedding the payload inside a bitmap (BMP) image. The payload extracted shellcode and executed it directly in memory without writing to disk.
The executed payload launched “TuoniAgent.dll,” an agent component of the Tuoni C2 framework, which connects the compromised system to the attacker’s remote server. The Tuoni framework is described as an advanced tool designed for penetration testing and red team operations, and its Community Edition has been publicly available on GitHub since early 2024.
Researchers noted that the initial loader script displayed modular code and comments suggesting it was assisted by Artificial Intelligence in its creation. Although the attack did not succeed, it demonstrated how legitimate security tools can be misused by threat actors.
This incident adds to recent examples of AI-assisted cyber threats, such as those involving the HexStrike AI tool, which simplifies and speeds up exploiting software vulnerabilities.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Shiba Inu Faces Market Apathy as Volume and Liquidity Collapse
- Elliptic Unveils VVTEs to Trace Cross-Chain Crypto Bridges
- ChatGPT Down: Users Report Outages, Slow Responses Amid Issues
- Bitcoin Plunges Below $90K Amid Fed Uncertainty, Crash Fears Grow
- Fidelity Launches FSOL, Its First Solana ETF with Staking Feature
