Full Report
Cybersecurity researchers have disclosed details of a cyber attack targeting a major U.S.-based real-estate company that involved the use of a nascent command-and-control (C2) and red teaming framework known as Tuoni. "The campaign leveraged the emerging Tuoni C2 framework, a relatively new, command-and-control (C2) tool (with a free license) that delivers stealthy, in-memory payloads,"
Analysis Summary
# Incident Report: Tuoni C2 Framework Compromise Attempt
## Executive Summary
In mid-October 2025, an unknown threat actor attempted to compromise a major U.S. real-estate company utilizing the nascent Tuoni Command and Control (C2) framework. The attack commenced via social engineering through Microsoft Teams impersonation, leading to the execution of a multi-stage PowerShell payload concealed within a bitmap image file. The attempt was thwarted before achieving significant impact, showcasing the emerging threat posed by dual-use red teaming tools being weaponized.
## Incident Details
- **Discovery Date:** Not explicitly stated; Morphisec published the details in November 2025.
- **Incident Date:** Mid-October 2025
- **Affected Organization:** Major U.S.-based real-estate company
- **Sector:** Real Estate
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-October 2025
- **Vector:** Social Engineering via Microsoft Teams Impersonation
- **Details:** The attacker likely posed as a trusted vendor or colleague to deceive an employee into running a PowerShell command.
### Lateral Movement
- **Details:** Not explicitly detailed. The successful deployment of `TuoniAgent.dll` (the C2 agent) shows that code executed after initial access and that remote command and control was available, but the report does not describe movement to other hosts.
### Data Exfiltration/Impact
- **Details:** The attack was ultimately unsuccessful. The primary goal appeared to be establishing C2 communication, suggesting reconnaissance and potential data theft were next intended steps.
### Detection & Response
- **How it was discovered:** Reported by Morphisec researchers.
- **Response actions taken:** Morphisec thwarted the attack (see Response Actions below).
## Attack Methodology
- **Initial Access:** Social engineering via Microsoft Teams impersonation leading to the execution of a dropped PowerShell command.
- **Persistence:** Installation of the `TuoniAgent.dll` post-execution, designed to connect back to the C2 server.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Steganography: the next-stage payload was concealed within a bitmap image (BMP) file, and the final payload was delivered in memory rather than written to disk.
- **Credential Access:** Not specified.
- **Discovery:** Not specified (implied by C2 setup).
- **Lateral Movement:** Not specified.
- **Collection:** Not specified.
- **Exfiltration:** C2 communications established to `kupaoquan[.]com` for remote control, suggesting intent to collect data.
- **Impact:** The attack did not reach significant impact as it was thwarted.
## Impact Assessment
- **Financial:** None reported, as the attack was unsuccessful.
- **Data Breach:** No confirmed data breach.
- **Operational:** No significant operational disruption reported.
- **Reputational:** No public reputational impact mentioned; the attempt became known through the security vendor's research disclosure rather than a public breach.
## Indicators of Compromise
- **Network indicators (defanged):**
  - C2 server: `kupaoquan[.]com`
- **File indicators:**
  - Downloaded PowerShell script (stage 2)
  - Payload concealed in a bitmap image (.BMP) file
  - `TuoniAgent.dll` (C2 agent)
- **Behavioral indicators:**
  - Execution of PowerShell scripts that download external files.
  - In-memory execution of shellcode extracted from a hidden image file.
  - Beaconing to the external C2 domain associated with the Tuoni framework.
## Response Actions
- **Containment measures:** Morphisec thwarted the attack (the report does not describe the organization's own containment steps; the security vendor stopped the activity).
- **Eradication steps:** Not explicitly stated; remediation would involve removing the deployed stages and securing the endpoints where the PowerShell command was run.
- **Recovery actions:** None explicitly detailed, given the attack was stopped early.
## Lessons Learned
- The public availability of "Community Edition" red teaming/pentesting frameworks like Tuoni (released early 2024) is actively being weaponized by threat actors.
- Attackers are using AI-assisted code generation, evidenced by the structured and modular nature of the initial loader scripts, to create more sophisticated initial access mechanisms.
- Steganography (hiding payloads in image files) remains an effective technique for evading signature-based detection during initial stages.
## Recommendations
- **Prevention measures for similar incidents:**
  - Enhance security monitoring to detect in-memory execution and attempts to decode payloads from seemingly benign file types (like BMPs).
  - Implement strict process controls and application whitelisting to restrict the execution of PowerShell commands originating from unverified sources, even if delivered via internal platforms like Teams.
  - Increase employee training specifically addressing social engineering tactics relying on trusted vendor/colleague impersonation via collaboration tools.
  - Review network egress policies to monitor for unrecognized beaconing patterns typical of new C2 frameworks like Tuoni.
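As an added defensive example (not code from the report or from Morphisec), the following Python checks a BMP for the simplest embedding pattern, data appended past the declared pixel array, which a monitoring pipeline could apply to image files before they reach an endpoint. It assumes a 24-bit uncompressed BMP with a 40-byte DIB header; the report does not state how the payload was embedded, so this is one check a defender can run, not a reconstruction of the attacker's method.

```python
import math
import struct
from typing import Dict

def make_bmp(width: int, height: int, trailer: bytes = b"") -> bytes:
    """Build a minimal 24-bit BMP. Constructed sample for the demo, not a file
    from the incident; `trailer` simulates data appended past the pixel array."""
    row = ((width * 24 + 31) // 32) * 4          # rows are padded to 4 bytes
    pixels = bytes(row * height)
    off_bits = 14 + 40                           # file header + BITMAPINFOHEADER
    size = off_bits + len(pixels)
    file_hdr = struct.pack("<2sIHHI", b"BM", size, 0, 0, off_bits)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels + trailer

def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8."""
    if not blob:
        return 0.0
    counts = [blob.count(bytes([b])) for b in range(256)]
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)

def inspect_bmp(data: bytes) -> Dict[str, object]:
    """Parse the BMP headers and report bytes that lie outside the declared image."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, declared_size, _, _, off_bits = struct.unpack_from("<2sIHHI", data, 0)
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", data, 14)
    row = ((width * bpp + 31) // 32) * 4
    expected_end = off_bits + row * abs(height)  # negative height = top-down
    trailing = data[expected_end:]
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "size_mismatch": declared_size != len(data),   # header not patched
        "trailing_bytes": len(trailing),               # data past pixel array
        "trailing_entropy": round(entropy(trailing), 2),
        "suspicious": len(trailing) > 0,
    }

if __name__ == "__main__":
    print(inspect_bmp(make_bmp(4, 2)))                             # clean image
    print(inspect_bmp(make_bmp(4, 2, trailer=bytes(range(64)))))   # appended blob
```

The `trailing_bytes` check is independent of `size_mismatch`, so it still fires when the file header's size field has been patched to cover the appended data.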