
Morphisec Thwarts Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm

ID: 384ea443-2cd1-5869-9d0b-7afc353baa2d

STIX ID: report--384ea443-2cd1-5869-9d0b-7afc353baa2d

Feed Name: Morphisec Blog

Threat Score: 75/100

Date Published: 2025-11-18

Date Updated: 2026-04-28

...
...

Morphisec reports that in October 2025 its AMTD technology stopped a sophisticated attack targeting a major U.S. real estate company. The attack used social engineering via Microsoft Teams to deliver a PowerShell loader that retrieved a BMP image with shellcode hidden by steganography; the shellcode reflectively loaded TuoniAgent.dll (Tuoni C2), an obfuscated in-memory C2 agent capable of privilege escalation and remote control. The report details the delivery chain, the in-memory reflective loading and API delegation evasion techniques, provides the decoded configuration and IOCs (206.81.10.0 → kupaoquan.com and a secondary domain), and warns of rapid Tuoni adoption aided by AI-assisted loader development.