MALWARE FAMILY🕵️ ESPIONAGEADVANCED

Tuoni

Internal ID: win.tuoni
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

According to its Github repo, Tuoni is a sophisticated, cross-platform red teaming framework designed to enhance cybersecurity education and training through large-scale cyber defense exercises. Developed using Java for robustness, Docker for versatility, and featuring an intuitive web browser interface, it supports and streamlines cyber exercises. With its modular, extendable plugin system, Tuoni offers Red Teamers the flexibility to tailor its capabilities for specific educational and exercise needs. Its user-friendly interface facilitates easy operation and efficient reporting, essential in training environments. Tuoni embodies a commitment to power, adaptability, and collaboration, aimed at empowering Red Teamers with a tool that meets the dynamic demands of modern cyber defense education.

Threat Analysis

Tuoni is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.

Classified as an advanced threat actor, Tuoni likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.

External References

Quick Facts

TypeMalware Family
Motivation🕵️ espionage
Sophisticationadvanced
Aliases1

Also Known As

win.tuoni

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.