Major U.S.-based real-estate company hit by network compromise
Incident
Summary
Hide ▲
Show ▼
A major U.S.-based real-estate company faced an attempted cyber intrusion in mid-October 2025 that relied on Microsoft Teams impersonation and a staged PowerShell delivery chain. The attack sought to run TuoniAgent.dll for remote control through the Tuoni C2 framework, but it was ultimately unsuccessful. The intrusion matters because it combined social engineering, steganography, and in-memory execution to increase stealth.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant
Malware Activity
H score72
First: 08.01.2026 19:30
Last: 08.01.2026 19:30
Sources 1
About this happening:
**GoBruteforcer** is actively brute-forcing **Linux servers exposed to the internet**, creating a broad risk of compromise, **data theft** and **botnet expansion**. The operation...
GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant
Malware ActivityAbout this happening: **GoBruteforcer** is actively brute-forcing **Linux servers exposed to the internet**, creating a broad risk of compromise, **data theft** and **botnet expansion**. The operation...
Tuoni C2 targeted intrusion attempt against US real estate company
Malware Activity
H score22
First: 18.11.2025 16:45
Last: 18.11.2025 16:45
Sources 1
About this happening:
The **Tuoni C2 framework** was used in a targeted intrusion attempt against a **major US real estate company** in **October 2025**, showing how attackers are combining **social en...
Tuoni C2 targeted intrusion attempt against US real estate company
Malware ActivityAbout this happening: The **Tuoni C2 framework** was used in a targeted intrusion attempt against a **major US real estate company** in **October 2025**, showing how attackers are combining **social en...
PhantomCaptcha WebSocket RAT PowerShell delivery chain
Malware Activity
H score22
First: 24.10.2025 15:15
Last: 24.10.2025 15:15
Sources 1
About this happening:
**PhantomCaptcha** delivered a **WebSocket RAT** on **October 8** through a **multi-stage PowerShell** chain that let operators run commands, exfiltrate data, and load more malwar...
PhantomCaptcha WebSocket RAT PowerShell delivery chain
Malware ActivityAbout this happening: **PhantomCaptcha** delivered a **WebSocket RAT** on **October 8** through a **multi-stage PowerShell** chain that let operators run commands, exfiltrate data, and load more malwar...
Timeline
-
18.11.2025 16:00 2 articles · 7mo ago
Major U.S.-based real-estate company hit by network compromise
Initial DisclosureThe intrusion started with a **Microsoft Teams impersonation** lure in **mid-October 2025** that was meant to get an employee to run a **PowerShell** command. That opening move was designed to establish access before the staged payload delivery began.
Show sources
- Researchers Detail Tuoni C2's Role in an Attempted 2025 Real-Estate Cyber Intrusion — thehackernews.com — 18.11.2025 16:00
- Researchers Detail Tuoni C2's Role in an Attempted 2025 Real-Estate Cyber Intrusion — thehackernews.com — 18.11.2025 16:00