Tuoni C2 targeted intrusion attempt against US real estate company
Malware Activity
Summary
Hide ▲
Show ▼
The Tuoni C2 framework was used in a targeted intrusion attempt against a major US real estate company in October 2025, showing how attackers are combining social engineering, steganography, and in-memory execution to evade detection. The chain used Microsoft Teams impersonation and a malicious PowerShell loader to stage the payload. Morphisec said its AMTD blocked the attack pre-execution.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
DCRat delivered through PowerShell and MSBuild in PHALT#BLYX
Malware Activity
H score23
First: 06.01.2026 14:13
Last: 06.01.2026 14:13
Sources 1
About this happening:
**SHADOW#REACTOR** is a **multi-stage Windows malware campaign** that uses **obfuscated VBS**, **PowerShell**, **wscript.exe**, **MSBuild.exe**, and in-memory loaders to stealthil...
DCRat delivered through PowerShell and MSBuild in PHALT#BLYX
Malware ActivityAbout this happening: **SHADOW#REACTOR** is a **multi-stage Windows malware campaign** that uses **obfuscated VBS**, **PowerShell**, **wscript.exe**, **MSBuild.exe**, and in-memory loaders to stealthil...
Timeline
-
18.11.2025 16:45 2 articles · 7mo ago
Tuoni C2 targeted intrusion attempt against US real estate company
Initial DisclosureThe intrusion appears to have started with a **Microsoft Teams impersonation** that convinced an employee to run a **malicious PowerShell one-liner**. That initial execution step fetched the next-stage script and prepared the payload delivery chain.
Show sources
- AI-Enhanced Tuoni Framework Targets Major US Real Estate Firm — www.infosecurity-magazine.com — 18.11.2025 16:45
- AI-Enhanced Tuoni Framework Targets Major US Real Estate Firm — www.infosecurity-magazine.com — 18.11.2025 16:45