AI-Enhanced Tuoni Framework Targets Major US Real Estate Firm

By Team-CWD, November 18, 2025

A highly advanced intrusion attempt using the emerging Tuoni C2 framework targeted a major US real estate company in October 2025.

The attack, observed by Morphisec and described in an advisory published today, combined social engineering, steganography and in-memory execution.

The campaign demonstrates how threat actors are combining modular command-and-control (C2) tools with AI-assisted delivery methods to circumvent conventional defenses.

Social Engineering as the Launch Point

According to Morphisec, the operation likely began with a Microsoft Teams impersonation scheme.

Attackers appear to have posed as trusted contacts to persuade an employee to run a malicious PowerShell one-liner. That command spun up a hidden PowerShell process and retrieved a secondary script from a remote server. Researchers noted that the loader contained scripted comments and modular structuring patterns often associated with AI-generated code.

Once executed, the script downloaded an innocuous-looking BMP file and utilized least significant bit (LSB) techniques to extract embedded shellcode. This steganographic approach helped conceal the next-stage payload. The extracted code was then run entirely in memory, avoiding disk artifacts.
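The LSB extraction step described above leaves a statistical trace that defenders can screen for. As an added example (not code from Morphisec's advisory or from the Tuoni project), the Python below parses a 24-bit BMP the way a loader would and applies the pairs-of-values chi-square test, which flags an image whose least significant bits have been overwritten with random-looking payload bits. The test images are constructed inside the script (a synthetic gradient cover and the same cover with its LSB plane randomised); the 2.5 verdict threshold is an assumption tuned to that synthetic cover, since photographic covers have noisier LSB planes and need a calibrated baseline.

```python
import random
import struct

def build_bmp(width, height, pixels):
    """Wrap raw BGR bytes into a minimal 24-bit BMP, padding each row to a 4-byte boundary (test data only)."""
    stride = (width * 3 + 3) & ~3
    rows = b"".join(pixels[r * width * 3:(r + 1) * width * 3].ljust(stride, b"\0") for r in range(height))
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(rows), 2835, 2835, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(rows), 0, 0, 54) + info + rows

def bmp_pixel_bytes(data):
    """Parse the header fields a loader trusts and return the pixel bytes with row padding stripped."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    offset, = struct.unpack_from("<I", data, 10)
    width, height = struct.unpack_from("<ii", data, 18)
    bpp, = struct.unpack_from("<H", data, 28)
    if bpp != 24:
        raise ValueError("only uncompressed 24-bit BMPs are handled here")
    stride = (width * 3 + 3) & ~3
    return b"".join(data[offset + r * stride:offset + r * stride + width * 3] for r in range(abs(height)))

def pov_chi_square(pixel_bytes):
    """Pairs-of-values statistic per degree of freedom. Overwriting LSBs with payload bits equalises
    the counts of each (2k, 2k+1) value pair, so the statistic collapses towards ~1; an untouched
    cover keeps unequal pairs and scores higher."""
    hist = [0] * 256
    for b in pixel_bytes:
        hist[b] += 1
    chi, pairs = 0.0, 0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            chi += (hist[2 * k] - expected) ** 2 / expected
            pairs += 1
    return chi / max(pairs - 1, 1)

def lsb_suspect(data, threshold=2.5):
    """Triage verdict for one BMP: True when the LSB plane looks like it was overwritten (threshold is an assumption)."""
    return pov_chi_square(bmp_pixel_bytes(data)) < threshold

# Constructed test images: a smooth synthetic cover, and the same cover with its LSB plane
# replaced by random bits, which is how an LSB-embedded encrypted payload looks to this test.
W, H = 63, 64
COVER = bytes(4 * ((x + y) % 64) + c for y in range(H) for x in range(W) for c in range(3))
_rng = random.Random(7)
STEGO = bytes((b & 0xFE) | _rng.getrandbits(1) for b in COVER)
CLEAN_BMP, SUSPECT_BMP = build_bmp(W, H, COVER), build_bmp(W, H, STEGO)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_BMP), ("suspect", SUSPECT_BMP)):
        print(f"{name}: chi2/dof={pov_chi_square(bmp_pixel_bytes(img)):.2f} suspect={lsb_suspect(img)}")
```

On the synthetic cover the statistic is about 16; after the LSB plane is randomised it drops to about 1, which is the signature the test looks for.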

Read more on in-memory execution: Combating the Invisible Threat of In-Memory Cyber-Attacks

Dynamic Execution and Reflective Loading

Instead of making direct API calls that might trigger security tools, the script compiled inline C# and used delegate-based invocation through Marshal.GetDelegateForFunctionPointer. This indirection allowed the payload to resolve and execute functions dynamically, complicating detection.

The process ultimately reflectively loaded TuoniAgent.dll without leaving traditional indicators.

Tuoni itself is a modular post-exploitation framework that communicates over HTTP, HTTPS or SMB. It supports a broad set of system manipulation commands, automatic privilege escalation to SYSTEM and obfuscated exports that decode only during runtime.

Its configuration data, hidden in an encoded resource section, pointed to two C2 servers connected to the campaign.

Growing Use of AI-Assisted Loaders

The incident reflects several broader trends in attacker tradecraft. Threat groups are increasingly adopting free, well-documented C2 frameworks, such as Tuoni, which can be easily paired with custom loaders.

Many of these loaders now incorporate AI-generated code components, steganography and dynamic delegation to evade monitoring. Traditional antivirus and endpoint detection and response (EDR) tools struggle with such in-memory, reflective techniques, making modular C2 delivery chains more attractive to threat actors.

“The Tuoni C2 attack demonstrates how attackers are leveraging AI and advanced techniques like steganography and in-memory execution to evade traditional defenses,” Morphisec told Infosecurity.

“[Our] Automated Moving Target Defense (AMTD) stopped the attack pre-execution, underscoring the importance of prevention-first strategies. With tools like Tuoni becoming increasingly accessible, immediately adopting a preemptive cyber defense first approach is essential to staying ahead of these evolving threats.”
