
Tuoni C2 Malware Uses AI-Enhanced Stealth Techniques to Compromise Major U.S. Real Estate Firm

Cybercriminals are no longer rushing to deploy ransomware. Instead, they’re quietly infiltrating networks, blending into legitimate traffic, and sometimes waiting for months before striking.

That’s precisely what Morphisec Threat Labs revealed in a recent investigation into a thwarted attack targeting a major U.S. real estate company.

The campaign wasn’t a typical phishing attack; it leveraged the Tuoni command-and-control (C2) malware framework, engineered for stealth, persistence, and complete evasion.

Stealth by Design: From AI to Steganography

Unlike traditional malware that drops payloads on disk, Tuoni operated entirely in memory, leaving no trace for antivirus or endpoint detection tools to analyze. The attack combined multiple advanced techniques, including steganography, AI-enhanced loaders, and reflective memory loading.

Malicious payloads were concealed inside benign-looking BMP image files, making them invisible to standard security scanners. To add another layer of deception, AI-generated loaders dynamically altered their code at runtime to obscure execution paths and evade behavioral analytics.

This allowed the malware to bypass even well-tuned EDR systems. Once executed in memory, Tuoni’s modular C2 framework was capable of credential theft, lateral movement, and the eventual deployment of ransomware, all without writing a single file to disk.

Morphisec noted that this attack was designed not to trigger alerts but to remain dormant and undetected, harvesting user data and credentials until operators were ready to escalate to a destructive stage.

Why Detection-Based Tools Failed

Traditional defenses depend on signatures, file analysis, and behavioral monitoring, all of which are ineffective against fileless techniques.

In this case, there were no files to scan, no footprints on disk, and no suspicious behavior registered in logs. Even sandboxing failed to identify malicious activity because the payload relied on in-memory execution and dynamic code generation.
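The BMP concealment described above does leave structural traces in the image file itself, even when the decoded payload never touches disk. As an added illustration (not Morphisec's code or anything from the report), the following Python checks a BMP for three inconsistencies that a carrier image tends to show: a declared file size that disagrees with the real size, bytes trailing the pixel array, and pixel data with ciphertext-like entropy. The sample images are constructed inline, and the 7.5 bits/byte threshold is an assumed triage value to tune per environment.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = (data.count(bytes([v])) for v in range(256))
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_bmp(blob: bytes, entropy_threshold: float = 7.5) -> list:
    """Return anomaly descriptions for a BMP byte string (empty list = structurally consistent)."""
    if len(blob) < 54 or blob[:2] != b"BM":
        return ["not a BMP file"]
    # BITMAPFILEHEADER at offset 2: bfSize, two reserved words, bfOffBits (start of pixel array)
    bf_size, _, _, bf_off = struct.unpack_from("<IHHI", blob, 2)
    # BITMAPINFOHEADER at offset 14: biSize, biWidth, biHeight, biPlanes, biBitCount
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", blob, 14)
    row_bytes = ((width * bpp + 31) // 32) * 4          # each row is padded to a 4-byte boundary
    pixel_end = bf_off + row_bytes * abs(height)        # negative height means a top-down image
    findings = []
    if bf_size != len(blob):
        findings.append(f"declared size {bf_size} != actual size {len(blob)}")
    if len(blob) > pixel_end:
        findings.append(f"{len(blob) - pixel_end} bytes appended after the pixel array")
    ent = shannon_entropy(blob[bf_off:pixel_end])
    if ent > entropy_threshold:
        findings.append(f"pixel data entropy {ent:.2f} bits/byte (encrypted or packed content?)")
    return findings

def make_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Wrap an already row-padded 24-bpp pixel array in minimal BMP headers (constructed test data)."""
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    return file_hdr + info + pixels

# Constructed samples: a clean 2x2 image, the same image with a blob appended past the pixel
# array, and a 64x64 image whose pixel array is hash output standing in for encrypted content.
CLEAN = make_bmp(2, 2, bytes([255, 0, 0, 0, 255, 0, 0, 0]) * 2)
APPENDED = CLEAN + b"constructed-trailing-blob" * 4
NOISE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(384))
HIGH_ENTROPY = make_bmp(64, 64, NOISE)

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("appended", APPENDED), ("high_entropy", HIGH_ENTROPY)]:
        print(name, inspect_bmp(sample) or "no anomalies")
```

These checks are a triage heuristic for image files at rest or in transit, not a substitute for the memory-layer controls the article describes; a payload spread across low-order pixel bits can pass all three.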

Morphisec’s prevention-first platform stopped the attack before it was executed. Its memory defense technology intercepted the reflective loader, halting credential harvesting and blocking C2 communication with the Tuoni infrastructure, which is associated with the Pyramid C2 architecture. The result: no alerts, no dwell time, and no breach.

The incident highlights how attackers are increasingly automating intrusion stages with AI, reducing skill barriers and accelerating attack development.

It also underscores the need for enterprises to adopt a “fileless-first” approach to the threat landscape, where prevention at the memory layer is as critical as network and endpoint visibility.

Morphisec’s findings serve as a warning: ransomware is now the final stage of a much longer, stealth-driven campaign. Organizations must move beyond detection-based defense and proactively secure endpoints, credentials, and memory processes to stay ahead of these evolving threats.


The post Tuoni C2 Malware Uses AI-Enhanced Stealth Techniques to Compromise Major U.S. Real Estate Firm appeared first on Cyber Security News.
