{"id":3621,"date":"2025-11-22T23:34:35","date_gmt":"2025-11-22T23:34:35","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/11\/22\/ai-enhanced-tuoni-framework-targets-major-us-real-estate-firm\/"},"modified":"2025-11-22T23:34:35","modified_gmt":"2025-11-22T23:34:35","slug":"ai-enhanced-tuoni-framework-targets-major-us-real-estate-firm","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/11\/22\/ai-enhanced-tuoni-framework-targets-major-us-real-estate-firm\/","title":{"rendered":"AI-Enhanced Tuoni Framework Targets Major US Real Estate Firm"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A highly advanced intrusion attempt using the emerging Tuoni C2 framework targeted a major US real estate company in October 2025.<\/p>\n<p>The attack, observed by Morphisec and described in an advisory published today, combined social engineering, steganography and in-memory execution.<\/p>\n<p>The campaign demonstrates how threat actors are combining modular command-and-control (C2) tools with AI-assisted delivery methods to circumvent conventional defenses.<\/p>\n<h2>Social Engineering as the Launch Point<\/h2>\n<p>According to Morphisec, the operation likely began with a Microsoft Teams impersonation scheme.\u00a0<\/p>\n<p>Attackers appear to have posed as trusted contacts to persuade an employee to run a malicious PowerShell one-liner. That command spun up a hidden PowerShell process and retrieved a secondary script from a remote server. Researchers noted that the loader contained scripted comments and modular structuring patterns often associated with AI-generated code.<\/p>\n<p>Once executed, the script downloaded an innocuous-looking BMP file and utilized least significant bit (LSB) techniques to extract embedded shellcode. This steganographic approach helped conceal the next-stage payload. The extracted code was then run entirely in memory, avoiding disk artifacts.<\/p>\n<p><em>Read more on in-memory execution: Combating the Invisible Threat of In-Memory Cyber-Attacks<\/em><\/p>\n<h2>Dynamic Execution and Reflective Loading<\/h2>\n<p>Instead of making direct API calls that might trigger security tools, the script compiled inline C# and used delegate-based invocation through Marshal.GetDelegateForFunctionPointer. This indirection allowed the payload to resolve and execute functions dynamically, complicating detection.<\/p>\n<p>The process ultimately reflectively loaded TuoniAgent.dll without leaving traditional indicators.<\/p>\n<p>Tuoni itself is a modular post-exploitation framework that communicates over HTTP, HTTPS or SMB. It supports a broad set of system manipulation commands, automatic privilege escalation to SYSTEM\u00a0and obfuscated exports that decode only during runtime.<\/p>\n<p>Its configuration data, hidden in an encoded resource section, pointed to two C2\u00a0servers connected to the campaign.<\/p>\n<h2>Growing use of AI-assisted Loaders<\/h2>\n<p>The incident reflects several broader trends in attacker tradecraft. Threat groups are increasingly adopting free, well-documented C2 frameworks, such as Tuoni, which can be easily paired with custom loaders.<\/p>\n<p>Many of these loaders now incorporate AI-generated code components, steganography and dynamic delegation to evade monitoring. Traditional antivirus and endpoint detection and response (EDR) tools struggle with such in-memory, reflective techniques, making modular C2 delivery chains more attractive to threat actors.<\/p>\n<p>\u201cThe Tuoni C2 attack demonstrates how attackers are leveraging AI and advanced techniques like steganography and in-memory execution to evade traditional defenses,\u201d\u00a0Morphisec told <em>Infosecurity<\/em>.<\/p>\n<p>\u201c[Our] Automated Moving Target Defense (AMTD) stopped the attack pre-execution, underscoring the importance of prevention-first strategies. With tools like Tuoni becoming increasingly accessible, immediately adopting a preemptive cyber defense first approach is essential to staying ahead of these evolving threats.\u201d<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A highly advanced intrusion attempt using the emerging Tuoni C2 framework targeted a major US real estate company in October 2025. The attack, observed by Morphisec and described in an advisory published today, combined social engineering, steganography and in-memory execution. The campaign demonstrates how threat actors are combining modular command-and-control (C2) tools with AI-assisted delivery<\/p>\n","protected":false},"author":2,"featured_media":3622,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3621","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3621-77856554-ee9c-4e93-9ffa-29848fbe088a-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3621"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3621\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3622"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3621"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}