Stealthy Tuoni C2 Malware Targets Major U.S. Real Estate Firm with AI-Enhanced Tactics

Cybercriminals have shifted their approach to infiltration. Rather than launching quick attacks, they now work silently within networks, stealing important information, and waiting weeks or months before striking.

This is exactly what happened in a recent attack discovered by Morphisec Threat Labs targeting a major U.S. real estate company.

This was not a broad phishing campaign aimed at many recipients at once. It was a carefully planned intrusion built on the Tuoni command-and-control framework and engineered to evade detection through AI-generated loader code, payloads hidden inside image files (steganography), and memory-only execution.

The attack illustrates a broader shift in how modern malware operates. Traditional attacks drop executables on the hard drive, leaving artifacts for security tools to hash, match, and quarantine.

According to Morphisec, the Tuoni payload in this intrusion never touched disk, which let it slip past signature scanning, file-centric behavioral monitoring, and the endpoint detection tools that were in place.

Without prevention-focused protection that does not depend on disk artifacts, this malware could have remained hidden inside the network indefinitely, harvesting credentials and preparing the ground for ransomware deployment.

The sophistication of this attack demonstrates how threat actors now engineer malware specifically to evade all traditional security layers.

Morphisec analysts identified the malware while monitoring for the kind of advanced evasion techniques that are becoming increasingly common in targeted attacks.

The malware used steganography to hide its payload inside image files that look innocuous to security scanners. It also employed AI-enhanced loaders, whose code was generated dynamically with AI assistance, to obscure how the payload executes and to defeat static signatures.

The modular Tuoni C2 framework was built to steal login credentials, maintain long-term access, and prepare systems for ransomware attacks on a large scale.

Understanding the Steganography Attack Vector

The infection chain shows how Tuoni uses images as delivery vehicles for its payload. Steganography embeds the malicious bytes inside a normal-looking BMP image file; the embedded data is typically encoded or encrypted, so a scanner that only matches known malware signatures against the file sees an ordinary bitmap.

The image itself is inert. Once the target opens what appears to be a harmless picture, a loader reads the hidden bytes back out of the bitmap, decodes them, and reflectively loads the resulting payload straight into process memory, so no executable is ever written to disk.

This means no new executable appears in any directory, there is nothing for a file scanner to hash or match, and behavioral alerts keyed to dropped files never fire. Tools that look for files on disk see only an image.

The malware operates entirely in process memory, running the loader and establishing communication with Tuoni infrastructure without leaving a file-system trace.
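As an added illustration of the mechanism described above (this is example code written for this page, not code from Morphisec's report or from the Tuoni framework), the following Python script constructs a small BMP carrier, hides a stand-in payload in the least significant bit of each pixel byte the way a stego loader would later read it back, and then runs three cheap triage checks a hunter could apply to image attachments: bytes appended past the declared file size, a pixel array with ciphertext-like entropy, and an LSB plane that looks random. The carrier image, the payload, the LSB embedding scheme and the thresholds are all assumptions for the demonstration; the report does not say which embedding scheme Tuoni's loader uses.

```python
"""Constructed BMP steganography demo plus triage heuristics (added example, not Morphisec's code)."""
import math
import random
import struct
from collections import Counter

HEADER_SIZE = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER


def build_bmp(width, height):
    """Construct a minimal bottom-up 24-bit BMP with a smooth grey gradient.
    Every pixel byte is even, so the carrier's LSB plane is all zeros (constructed sample)."""
    row_bytes = width * 3
    pad = (4 - row_bytes % 4) % 4
    pixel_size = (row_bytes + pad) * height
    out = bytearray(b"BM" + struct.pack("<IHHI", HEADER_SIZE + pixel_size, 0, 0, HEADER_SIZE))
    out += struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       pixel_size, 2835, 2835, 0, 0)
    for y in range(height):
        for x in range(width):
            v = ((x + y) * 2) & 0xFE
            out += bytes((v, v, v))
        out += b"\x00" * pad
    return bytes(out)


def parse_bmp(data):
    """Return (declared file size, pixel-array offset, pixel array) from the headers."""
    if data[:2] != b"BM" or len(data) < HEADER_SIZE:
        raise ValueError("not a BMP")
    bfsize, _, _, offset = struct.unpack_from("<IHHI", data, 2)
    return bfsize, offset, data[offset:bfsize]


def lsb_embed(bmp, payload):
    """Hide payload in the least significant bit of successive pixel bytes, length-prefixed."""
    _, offset, pixels = parse_bmp(bmp)
    blob = struct.pack("<I", len(payload)) + payload
    if len(blob) * 8 > len(pixels):
        raise ValueError("payload too large for carrier")
    out = bytearray(bmp)
    for i, byte in enumerate(blob):
        for j in range(8):
            bit = (byte >> (7 - j)) & 1
            idx = offset + i * 8 + j
            out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def _lsb_bytes(pixels, start_byte, nbytes):
    """Reassemble nbytes of hidden data from the LSB stream, starting at hidden byte start_byte."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[(start_byte + i) * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def lsb_extract(bmp):
    """Recover a payload hidden by lsb_embed (what a stego loader does before reflective loading)."""
    _, _, pixels = parse_bmp(bmp)
    (length,) = struct.unpack("<I", _lsb_bytes(pixels, 0, 4))
    return _lsb_bytes(pixels, 4, length)


def shannon_entropy(symbols):
    """Shannon entropy in bits per symbol; 0.0 - sum(...) avoids returning -0.0."""
    n = len(symbols)
    if not n:
        return 0.0
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def triage_bmp(data):
    """Cheap checks for a suspected carrier image. Thresholds are assumptions for this demo."""
    bfsize, _, pixels = parse_bmp(data)
    lsb_plane = [b & 1 for b in pixels]
    result = {
        "trailing_bytes": max(len(data) - bfsize, 0),  # blob appended after the declared image
        "pixel_entropy": shannon_entropy(pixels),      # ~8.0 bits/byte: ciphertext stored as pixels
        "lsb_entropy": shannon_entropy(lsb_plane),     # ~1.0 bit: LSBs carry a random-looking stream
    }
    result["suspicious"] = (result["trailing_bytes"] > 0
                            or result["pixel_entropy"] > 7.9
                            or result["lsb_entropy"] > 0.95)
    return result


def demo():
    """Embed a stand-in 'encrypted stage' into a constructed carrier and triage both files."""
    rng = random.Random(2024)
    payload = bytes(rng.getrandbits(8) for _ in range(360))  # constructed filler, not a real stage
    carrier = build_bmp(32, 32)
    stego = lsb_embed(carrier, payload)
    assert lsb_extract(stego) == payload  # the loader-side round trip must be lossless
    return triage_bmp(carrier), triage_bmp(stego)


if __name__ == "__main__":
    clean, hidden = demo()
    print("carrier:", clean)
    print("stego:  ", hidden)
```

On the constructed carrier the clean image has an LSB entropy of 0.0 and the stego copy comes out near 1.0 bit, so only the second file is flagged. Real photographs already have noisy LSBs, so the LSB-entropy check alone will produce false positives on them; the trailing-bytes check and the pixel-entropy check (which catches the variant where ciphertext is written directly into the pixel array rather than into the LSBs) are the more reliable signals, and the classic pairs-of-values chi-square test is the next step for LSB steganalysis proper.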

Memory-only execution blunts antivirus, EDR, and sandbox detection to the extent those tools key on file artifacts. It does not make the payload invisible: the reflectively loaded code still occupies process memory and still has to beacon to its C2 infrastructure, which in-memory scanning, API-call telemetry, and network monitoring can pick up.

The Tuoni framework then uses this silent position to steal user credentials, maintain persistence through multiple sessions, and prepare systems for ransomware deployment.

Without tooling that catches in-memory activity, the intrusion goes unnoticed, giving the attackers months to harvest credentials and sensitive data and to expand their reach within the network.
