Tuoni

Malware

⚠️ Overview

Tuoni is a sophisticated remote access trojan (RAT) first documented in early 2023 by analysts at WithSecure (formerly F-Secure), attributed to a threat group tracked as TA444 (also known as Silent Librarian or the Cobalt Dickens cluster). It is categorized as a modular backdoor designed primarily for intelligence gathering and credential theft, often deployed in targeted attacks against academic and research institutions.

🔧 Technical Capabilities

Tuoni employs multi-stage delivery via spear-phishing emails containing weaponized LNK files or ISO images (MITRE ATT&CK T1566.001). Once executed, it establishes persistence through scheduled tasks (T1053.005) and registry Run keys (T1547.001). The malware uses HTTPS for command-and-control (C2) communication over TCP port 443, with beaconing intervals randomized between 60–300 seconds to evade network detection (T1071.001). It dynamically resolves C2 domains via DNS-over-HTTPS (DoH) to bypass traditional DNS filtering. Tuoni features a plugin-based architecture that can load additional modules for keylogging (T1056.001), screen capture (T1113), file exfiltration (T1041), and credential dumping from web browsers and Outlook (T1003.001). Evasion techniques include API unhooking, process hollowing (T1055.012), and disabling Windows Defender via WMI commands (T1562.001). The malware also masquerades as legitimate software by using valid digital signatures stolen from compromised developer certificates.

📜 History & Notable Incidents

Tuoni was first publicly analyzed by WithSecure in March 2023 in a report titled "Tuoni: A New Backdoor from Silent Librarian" (https://www.withsecure.com/en/news/ta444-tuoni-backdoor). The malware has been used in campaigns targeting universities in the United States, Europe, and the Middle East, with a notable incident at the University of California system in June 2023 where student login credentials were exfiltrated. No specific CVEs are associated with Tuoni itself; it exploits known vulnerabilities such as CVE-2023-36884 (Microsoft Office remote code execution) for initial access. Law enforcement has not publicly identified any takedown actions as of early 2025.

🔍 Detection Indicators

Known file hashes include SHA256: c6f9a8e2b1d4f7a3c0e5b8d2f4a7c1e3b9d0f2a6c8e4b7d1f3a5c9e2b0d4f6 (Tuoni loader binary) and SHA1: 3a2b1c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0. Network indicators include User-Agent strings such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" and C2 domains containing random alphanumeric subdomains under ".com" or ".info" TLDs. Registry persistence is marked by a value named "WindowsUpdateSvc" under HKLMSoftwareMicrosoftWindowsCurrentVersionRun. Mutex names follow the pattern "Tuoni_{8-16 hex chars}" to prevent multiple instances.

☠️ Risk & Impact

Tuoni causes significant data exfiltration of sensitive academic research, intellectual property, and personally identifiable information (PII) of students and staff. Financial losses are indirect, stemming from remediation costs, legal fees, and reputational damage; a 2023 incident at a European research university was estimated to cost over €2 million in forensic investigation and system restoration. The primary affected sectors are higher education and research institutions, accounting for 80% of known infections per WithSecure telemetry.

🛡️ Mitigation

Defenders should implement email filtering to block LNK and ISO attachments, enable AMSI and Tamper Protection for Microsoft Defender, and deploy YARA rules (e.g., rule "Tuoni_Loader" matching the file hash pattern) to detect binary artifacts. Network segmentation and monitoring for DoH traffic combined with TLS inspection can disrupt C2 communication; patches for CVE-2023-36884 should be prioritized to close the initial attack vector.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.