What a Major Real Estate Firm’s Encounter with Tuoni C2 Malware Reveals About Evolving Threats


January 29, 2026


Adversaries are abandoning traditional file-based attacks to bypass modern defenses.

A cyberattack targeting a major U.S. real estate firm recently put this shift on full display, with the firm narrowly stopping a potentially devastating ransomware incident.

The breach started with social engineering: attackers impersonated trusted colleagues on Microsoft Teams to trick employees into executing a malicious PowerShell command.

This command bypassed the disk entirely, launching a hidden background process via the Tuoni framework — a C2 platform used to deploy memory-resident malware that leaves traditional scanners in the dark.

The Tuoni Framework: Stealth by Design

By functioning entirely in RAM, memory-resident (or fileless) malware bypasses legacy security tools that focus on file-based threats. Because there is no physical footprint to scan, attackers can infiltrate and operate within a network while remaining invisible to traditional detection methods.

While memory-resident malware is able to bypass local security, it still requires network access for command-and-control and data theft. Because this traffic is a potential giveaway, Tuoni conceals its activity with:

  • Protocol mimicry: It disguises unauthorized traffic as trusted HTTP/HTTPS, DNS, or SMB, ensuring malicious communication blends seamlessly with routine web browsing.
  • Persistent remote control: It establishes a stable, invisible foothold that maintains a long-term C2 connection between the attacker and the compromised environment.
  • Dynamic payload execution: It enables threat actors to deploy and run additional malware on-demand, adapting the attack in real-time.

To achieve this fileless state, the framework relies on AI-enhanced loaders and steganography to hide its secondary stage. Malicious shellcode is embedded within the pixels of a BMP image file, which traditional scanners ignore as harmless media.

Once the PowerShell script extracts this code, it loads TuoniAgent.dll directly into RAM. Because the agent never touches the physical disk, it stays hidden from signature-based antivirus and EDR tools that can only scan static files.

The Network as an Immutable Record

Threat actors weaponize tools like Tuoni to hide in plain sight on the network, evading signature-based controls. But imitation is imperfect. Even when traffic looks normal, its behavior often isn’t.

Command-and-control activity introduces detectable inconsistencies: unusual request cadences, atypical protocol usage, abnormal data volumes, and outbound connections that don’t align with expected application behavior.

These signals persist at the network layer, even when malware remains memory-resident, and endpoint defenses see nothing. By continuously analyzing network behavior rather than relying on known indicators, security teams can expose and disrupt memory-resident threats — closing the gap that attackers rely on to operate undetected.
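The cadence and data-volume signals described above, as an added example that is not ExtraHop's code or part of RevealX: a small Python scorer run over constructed flow records that flags per-destination connection series whose inter-arrival timing is near-constant and reports their upload-to-download ratio. The record layout and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records (not real telemetry):
# (epoch seconds, src, dst, dst_port, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    # twelve check-ins to one host, exactly 60 s apart, each tiny: beacon-like
    *[(1700000000 + 60 * i, "10.0.0.5", "203.0.113.10", 443, 420, 1300) for i in range(12)],
    # four bursty, download-heavy connections to another host: browsing-like
    (1700000003, "10.0.0.5", "198.51.100.7", 443, 900, 52000),
    (1700000047, "10.0.0.5", "198.51.100.7", 443, 700, 41000),
    (1700000310, "10.0.0.5", "198.51.100.7", 443, 1100, 73000),
    (1700000321, "10.0.0.5", "198.51.100.7", 443, 800, 12000),
]

def beacon_candidates(flows, min_connections=8, max_jitter=0.1):
    """Flag (src, dst, port) groups whose connection cadence is suspiciously regular.

    jitter is the coefficient of variation of the inter-arrival gaps: 0.0 means a
    perfectly fixed timer, while human-driven traffic is usually far higher.
    The thresholds are hypothetical; tune them per environment.
    """
    groups = defaultdict(list)
    for ts, src, dst, port, bytes_out, bytes_in in flows:
        groups[(src, dst, port)].append((ts, bytes_out, bytes_in))

    findings = []
    for (src, dst, port), recs in groups.items():
        if len(recs) < min_connections:
            continue  # too few connections to judge cadence
        recs.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # every connection at the same instant: not a timer
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            out_total = sum(r[1] for r in recs)
            in_total = sum(r[2] for r in recs)
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(recs),
                "mean_gap_s": mean_gap,
                "jitter": jitter,
                # an upload-heavy ratio points at data theft rather than check-ins
                "out_to_in_ratio": out_total / in_total if in_total else float("inf"),
            })
    return findings
```

Real deployments would read flow records from a collector and keep per-group state over a sliding window rather than a static list.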

Learn more about the latest attacker trends and how network visibility uncovers stealthy threats in the Global Threat Landscape Report.

