Tuoni
Tuoni is a command-and-control and red teaming/post-exploitation framework first released on GitHub in February 2024. Public reporting describes it as a relatively new tool that has already been abused in real-world intrusions despite its red-team origin. Observed use is focused on Windows systems, including execution of a Tuoni client via PowerShell download and rundll32, stealthy loading of TuoniAgent.dll, and delivery as a final DLL payload by an OLLVM-obfuscated loader.
Public reporting links Tuoni to multiple intrusion chains. In one phishing campaign targeting Russian companies involved in business-process automation software, attackers used malicious archives, LNK files, HTA scripts, and PowerShell; on one infected host they downloaded a Tuoni client from 194.87.252[.]40:9375 and executed it with rundll32. Kaspersky also reported Operation ForumTroll, which used spear-phishing against Russian scholars in political science, international relations, and global economics at major universities and research institutions. That campaign impersonated eLibrary via e-library[.]wiki, delivered personalized ZIP archives containing malicious LNK files, used PowerShell to fetch payloads, established persistence through COM hijacking at HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32, and ultimately deployed Tuoni as the final payload. ForumTroll infrastructure included fastly.net hosts such as perf-service-clients2.global.ssl.fastly[.]net, bus-pod-tenant.global.ssl.fastly[.]net, and status-portal-api.global.ssl.fastly[.]net.
Morphisec reported threat actors abusing Tuoni in an unsuccessful attack against a major U.S. real estate firm. In that case, the intrusion allegedly began with social engineering that led an employee to run a malicious PowerShell one-liner. The chain then used a concealed PowerShell process, a secondary script with AI-generated comments, BMP downloads, shellcode extraction, inline C# compilation, delegate-based invocation, and reflective in-memory execution to load TuoniAgent.dll. Reporting states that Tuoni was used with steganography, AI-generated code and comments, and memory-only execution to evade detection, steal credentials, maintain long-term access, and prepare systems for ransomware deployment. Tuoni is also referenced in network and endpoint detection content, including HTTP C2-framework user-agent analytics and suspicious C2 named-pipe analytics.
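Two of the host-side steps in the chains described above are directly observable in endpoint telemetry: an InProcServer32 value under a CLSID being pointed at a DLL in a user-writable location (the COM hijacking persistence), and rundll32 being launched by PowerShell to load a DLL from such a location (the rundll32 client execution). The detection logic below is an added example written for this page; it is not Mallory's, Kaspersky's or Morphisec's code. It assumes Sysmon-style field names (registry "target"/"details", process "image"/"command_line"/"parent_image"), and every event record is constructed sample data, not real telemetry; the second registry event uses the well-known ShellLink CLSID as a benign control.

```python
"""Detection over constructed Sysmon-style events for two Tuoni-related behaviours:
COM hijacking via InProcServer32 and rundll32 loading a DLL from a user-writable path."""
import re

# Constructed sample events (not real telemetry). "registry_set" ~ Sysmon event 13,
# "process_create" ~ Sysmon event 1. The first CLSID is the one named in the ForumTroll
# reporting; the second is the benign Windows ShellLink class used as a control.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\(Default)",
     "details": r"C:\Users\alice\AppData\Local\Temp\TuoniAgent.dll",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "registry_set",
     "target": r"HKCR\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32\(Default)",
     "details": r"C:\Windows\System32\shell32.dll",
     "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\client.dll,Start",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Locations a standard user can write to; a COM server or rundll32 payload living here
# is far more suspicious than one under System32 or Program Files.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\"
    r"|%(?:appdata|localappdata|temp|tmp)%)",
    re.IGNORECASE,
)
# InProcServer32 key of any CLSID, whether logged through the merged HKCR view
# or through a per-user HKU\...\Software\Classes path.
INPROCSERVER32 = re.compile(
    r"(?:^HKCR|\\Software\\Classes)\\CLSID\\\{[0-9a-f-]{36}\}\\InProcServer32(?:\\|$)",
    re.IGNORECASE,
)
# First DLL path on a rundll32 command line, quoted or not, with or without an entry point.
DLL_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.dll)"?(?=\s*,|\s|$)', re.IGNORECASE)
POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.IGNORECASE)


def check_com_hijack(event):
    """Flag an InProcServer32 value that points a CLSID at a DLL in a user-writable path."""
    if event.get("type") != "registry_set":
        return None
    if not INPROCSERVER32.search(event.get("target", "")):
        return None
    dll = event.get("details", "").strip('"')
    if not USER_WRITABLE.match(dll):
        return None
    return {"rule": "com_inprocserver32_user_writable", "path": dll,
            "writer": event.get("image", "")}


def check_rundll32_from_powershell(event):
    """Flag rundll32 spawned by PowerShell and loading a DLL from a user-writable path."""
    if event.get("type") != "process_create":
        return None
    if not event.get("image", "").lower().endswith("\\rundll32.exe"):
        return None
    if not POWERSHELL.search(event.get("parent_image", "")):
        return None
    match = DLL_ARG.search(event.get("command_line", ""))
    dll = match.group(1) if match else ""
    if not USER_WRITABLE.match(dll):
        return None
    return {"rule": "rundll32_from_powershell_user_writable", "path": dll,
            "parent": event["parent_image"]}


CHECKS = (check_com_hijack, check_rundll32_from_powershell)


def scan(events):
    """Run every check over every event and return the list of alerts in event order."""
    alerts = []
    for event in events:
        for check in CHECKS:
            hit = check(event)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both checks key on the writable-location condition rather than on the specific CLSID or DLL name, so they still fire when an actor reuses the technique with a different class identifier or file name; the benign ShellLink and explorer-spawned control events pass through without alerts.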
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 2 techniques
Privilege Escalation: 1 technique
Stealth: 4 techniques
Lateral Movement: 1 technique
Command and Control: 4 techniques
A new wave of cyberattacks has emerged using the Tuoni C2 framework, a sophisticated tool that allows threat actors to deploy malicious payloads directly into system memory.
MITRE ATT&CK Techniques
ID          Technique       Tactic
T1071.001   Web Protocols   Command and Control
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Named malware/tool referenced in relation to suspicious C2 named pipe activity.
Emerging C2/red-teaming framework used in a real-world intrusion attempt; delivers stealthy in-memory payloads.
Tuoni is a sophisticated command-and-control (C2) malware framework designed for stealthy, fileless operation. It uses advanced evasion techniques such as AI-generated code, steganography (hiding payloads in images), and memory-only execution to avoid detection by traditional security tools. Tuoni is modular, capable of stealing credentials, maintaining long-term access, and preparing systems for ransomware deployment.