That’s precisely what Morphisec Threat Labs revealed in a recent investigation into a thwarted attack targeting a major U.S. real estate company.
The campaign wasn’t a typical phishing attack; it leveraged the Tuoni command-and-control
Unlike traditional malware that drops payloads on disk, Tuoni operated entirely in memory, leaving no trace for antivirus or endpoint detection tools to analyze. The attack combined multiple advanced techniques, including steganography, AI-enhanced loaders, and reflective memory loading.
Malicious payloads were concealed inside benign-looking BMP image files, making them invisible to standard security scanners. To add another layer of deception, AI-generated loaders dynamically altered their code at runtime to obscure execution paths and evade behavioral analytics.
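The concealment described above has a detectable side: a BMP that carries an opaque payload tends to be longer than its own header says, or to hold pixel data with far higher byte entropy than an uncompressed photograph. The checker below is an added example written for this article, not Morphisec's tooling or anything recovered from the Tuoni campaign; it parses the BMP file and DIB headers, then flags appended bytes, slack after the pixel array, header gaps, and near-random pixel or trailing regions. The entropy threshold and the three constructed sample files are assumptions chosen for illustration.

```python
"""
BMP carrier anomaly checker (added example, not Morphisec's tooling).

Heuristics a defender can apply to image files arriving by mail or web:
  1. bytes after the header-declared file size (appended payload),
  2. pixel region larger than width*height*bpp implies (slack space),
  3. byte entropy of the pixel or trailing region near 8 bits, where
     uncompressed image data is expected to be far less uniform.
The threshold below is an assumption for illustration, not a calibrated value.
"""
import math
import random
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # assumption: uncompressed 24-bit photos rarely exceed this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_bmp(blob: bytes) -> dict:
    """Parse BITMAPFILEHEADER + BITMAPINFOHEADER and report anomalies."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    # BITMAPFILEHEADER: magic(2) file_size(4) reserved(4) pixel_offset(4)
    declared_size, pixel_offset = struct.unpack_from("<2xI4xI", blob, 0)
    # BITMAPINFOHEADER: dib_size(4) width(4) height(4) planes(2) bpp(2) compression(4)
    dib_size, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", blob, 14)

    row_stride = ((abs(width) * bpp + 31) // 32) * 4     # rows are padded to 4 bytes
    expected_pixels = row_stride * abs(height)
    pixel_region = blob[pixel_offset:declared_size]
    trailing = blob[declared_size:]                      # anything past the declared size

    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after declared file size")
    if len(pixel_region) > expected_pixels:
        findings.append(f"{len(pixel_region) - expected_pixels} bytes of slack after pixel data")
    # A gap between headers and pixels is normal for palettised images (the palette
    # lives there) but has no legitimate use in a plain 24/32-bit file.
    if bpp >= 24 and pixel_offset > 14 + dib_size:
        findings.append(f"{pixel_offset - 14 - dib_size} byte gap between headers and pixels")
    pixel_entropy = shannon_entropy(pixel_region[:expected_pixels])
    if compression == 0 and pixel_entropy > ENTROPY_THRESHOLD:
        findings.append(f"uncompressed pixel data has entropy {pixel_entropy:.2f}")
    trailing_entropy = shannon_entropy(trailing)
    if trailing and trailing_entropy > ENTROPY_THRESHOLD:
        findings.append(f"trailing data has entropy {trailing_entropy:.2f}")

    return {
        "width": width, "height": height, "bpp": bpp,
        "trailing_bytes": len(trailing),
        "pixel_entropy": round(pixel_entropy, 3),
        "trailing_entropy": round(trailing_entropy, 3),
        "suspicious": bool(findings),
        "findings": findings,
    }


def make_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Wrap raw pixel bytes in a minimal 24-bit uncompressed BMP (constructed sample)."""
    pixel_offset = 54
    file_hdr = struct.pack("<2sIHHI", b"BM", pixel_offset + len(pixels), 0, 0, pixel_offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def gradient_pixels(width: int, height: int) -> bytes:
    """Smooth BGR gradient standing in for natural image content (constructed sample)."""
    rows = []
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row += bytes(((x + y) * 2 & 0xFF, y * 4 & 0xFF, x * 4 & 0xFF))
        row += b"\x00" * ((4 - len(row) % 4) % 4)
        rows.append(bytes(row))
    return b"".join(rows)


_rng = random.Random(20240101)   # fixed seed so the constructed samples are reproducible
CLEAN_BMP = make_bmp(64, 64, gradient_pixels(64, 64))
APPENDED_BMP = CLEAN_BMP + _rng.randbytes(4096)            # opaque blob glued after the image
STEGO_BMP = make_bmp(64, 64, _rng.randbytes(64 * 64 * 3))  # opaque blob posing as pixels

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("appended", APPENDED_BMP), ("stego", STEGO_BMP)):
        report = inspect_bmp(blob)
        print(f"{name}: suspicious={report['suspicious']} {report['findings']}")
```

The entropy test is a heuristic, not a verdict: compressed BMPs (non-zero `biCompression`) and images with heavy noise will score high, so in a mail or web gateway the checker is best used to route files for deeper inspection rather than to block outright. Appended bytes and header gaps, by contrast, have no benign explanation in a 24-bit image and are worth alerting on directly.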
This allowed the malware to bypass even well-tuned EDR systems. Once executed in memory, Tuoni’s modular C2 framework was capable of credential theft, lateral movement, and the eventual deployment of ransomware, all without writing a single file to disk.
Morphisec noted that this attack was designed not to trigger alerts but to remain dormant and undetected, harvesting user data and credentials until operators were ready to escalate to a destructive stage.
Traditional defenses depend on signatures, file analysis, and behavioral monitoring, all of which are ineffective against fileless techniques.
In this case, there were no files to scan, no footprints on disk, and no suspicious behavior registered in logs. Even sandboxing failed to identify malicious activity because the payload relied on in-memory execution and dynamic code generation.
Morphisec’s prevention-first platform stopped the attack before it was executed. Its memory defense technology intercepted the reflective loader, halting credential harvesting and blocking C2 communication with the Tuoni infrastructure associated with the Pyramid C2 architecture. The result: no alerts, no dwell time, and no breach.
The incident highlights how attackers are increasingly automating intrusion stages with AI, reducing skill barriers and accelerating attack development.
It also underscores the need for enterprises to adopt a “fileless-first” approach to the threat landscape, where prevention at the memory layer is as critical as network and endpoint visibility.
Morphisec’s findings serve as a warning: ransomware is now the final stage of a much longer, stealth-driven campaign. Organizations must move beyond detection-based defense and proactively secure endpoints, credentials, and memory processes to stay ahead of these evolving threats.
The post Tuoni C2 Malware Uses AI-Enhanced Stealth Techniques to Compromise Major U.S. Real Estate Firm appeared first on Cyber Security News.