
When Malware Hides in Plain Sight: How Morphisec Blocked a Tuoni C2 Attack Before It Became a Breach 

Brad LaPorte
05 Jan 2026
4 min read
Threat Research

Cybercriminals no longer just launch ransomware. They infiltrate quietly, blend in, harvest credentials, and wait (sometimes for months) before striking.   

That’s exactly what Morphisec Threat Labs uncovered in a recent thwarted attack targeting a major U.S. real-estate firm. This was not a spray-and-pray phishing campaign. This was a stealthy, targeted operation using the Tuoni command-and-control (C2) malware framework, enhanced with AI-generated loaders, steganography, and reflective memory loading to bypass detection.   

It never touched the disk.   

It avoided signatures, behavioral analytics, and EDR monitoring.   

And without prevention-first protection, it would have lived undetected inside the network.


What Makes This Threat Different? 

The attack used a combination of modern evasion techniques that are becoming increasingly common in advanced intrusions, including:   

  • Steganography: Malicious payloads hidden inside BMP image files, invisible to traditional tools. 
  • AI-Enhanced Loaders: Dynamically generated code to mask execution and evade monitoring. 
  • Memory-Only/Fileless Execution: No files on disk, no signatures, no alerts. 
  • Modular Tuoni C2 Framework: Built to support credential theft, persistence, and ransomware staging at scale. 

This attack wasn’t just advanced. It was engineered to evade detection entirely.
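The steganography item above names the one artifact in this chain that does land on disk: a BMP carrying a hidden payload. The following triage check is an added example, not code from the post or from Morphisec; it builds its own 24-bit BMP fixture and applies two heuristics, bytes appended after the declared pixel array and an LSB plane that is far noisier than the next bit plane. Both are assumptions about how a payload might be hidden and are hints for a human or a sandbox to look closer, not proof.

```python
import struct
from math import log2
from random import Random

# Constructed test fixture (not from the original post): a 24-bit, bottom-up BMP.
def build_bmp(width, height, pixel_fn):
    stride = ((width * 24 + 31) // 32) * 4            # rows are padded to 4 bytes
    rows = bytearray()
    for y in range(height):
        row = b"".join(bytes(pixel_fn(x, y)) for x in range(width))   # B, G, R
        rows += row.ljust(stride, b"\0")
    header = b"BM" + struct.pack("<IHHI", 54 + len(rows), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(rows), 2835, 2835, 0, 0)
    return header + dib + bytes(rows)

def randomize_lsbs(bmp, seed=1):
    """Simulate an LSB-embedded payload: replace every pixel LSB with a random bit (fixture only)."""
    rng = Random(seed)
    out = bytearray(bmp)
    for i in range(54, len(out)):                     # fixture pixel array starts at byte 54
        out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return bytes(out)

def _bit_plane_entropy(pixels, bit):
    """Shannon entropy (bits) of one bit plane across all pixel bytes."""
    p = sum((b >> bit) & 1 for b in pixels) / len(pixels)
    return 0.0 if p in (0.0, 1.0) else -(p * log2(p) + (1 - p) * log2(1 - p))

def inspect_bmp(data):
    """Return structural and statistical indicators for one BMP byte string."""
    if data[:2] != b"BM" or len(data) < 54:
        raise ValueError("not a BMP file")
    declared_size, pixel_offset = struct.unpack_from("<I4xI", data, 2)
    width, height, bpp = struct.unpack_from("<ii2xH", data, 18)
    stride = ((width * bpp + 31) // 32) * 4
    pixel_end = pixel_offset + stride * abs(height)
    pixels = data[pixel_offset:pixel_end]
    e0, e1 = _bit_plane_entropy(pixels, 0), _bit_plane_entropy(pixels, 1)
    return {
        "overlay_bytes": max(0, len(data) - pixel_end),  # bytes appended after the pixel array
        "size_mismatch": declared_size != len(data),     # header disagrees with real length
        "lsb_entropy": round(e0, 3),
        # LSB plane much noisier than bit plane 1 is typical of data written into the LSBs of
        # a smooth image; real photos have both planes noisy, so this is a triage hint only.
        "lsb_anomaly": (e0 - e1) > 0.5,
    }

def demo():
    clean = build_bmp(32, 32, lambda x, y: ((x * 4) % 256, (y * 4) % 256, 128))
    return (inspect_bmp(clean), inspect_bmp(randomize_lsbs(clean)),
            inspect_bmp(clean + b"constructed trailing blob"))
```

Run `demo()` to see a clean fixture, the same fixture with noisy LSBs, and one with an appended blob; a file flagged by either heuristic is worth detonating in a sandbox that watches memory, since the image itself is inert.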

What Business Leaders Need to Understand   

This isn’t just a technical threat. It’s a business and operational risk that affects teams, systems, and workflows outside traditional IT. Here’s why:   

Emerging Trend | Real-World Impact
Fileless, in-memory execution | Detection tools can’t see what isn’t written to disk
Credential theft before ransomware | Enables long-term access, extortion, and supply chain exploitation
AI-assisted attack automation | Faster attack evolution, wider targeting, lower skill threshold
Trusted file types and apps abused | Teams unknowingly detonate malware during normal workflows

Key takeaway: Ransomware is no longer the first stage of attack… it’s the last.   

How Morphisec Stopped the Attack — Before It Could Execute   

Morphisec’s prevention-first, anti-ransomware platform blocked this attack at the earliest possible phase, before Tuoni was able to run in memory, steal credentials, establish C2 communication, or deploy ransomware.   

Morphisec prevented:   

  • Reflective loader execution 
  • Credential harvesting and persistence 
  • C2 communications with Pyramid/Tuoni infrastructure 
  • Ransomware staging and lateral movement  

The Result: No alerts, no dwell time, no breach.   

Why Traditional Security Tools Missed It 

Memory-only, steganography-based malware creates a blind spot for traditional solutions. That’s because there is:   

  • No signature to detect 
  • No files to scan 
  • No behavioral footprint 
  • No logs or alerts 

That’s why this attack was invisible to antivirus, EDR, MDR, and even sandboxing.

Morphisec takes a different approach: deterministic prevention rather than probabilistic detection.

What Security Leaders Should Do Now 

Action | Why It Matters
Expand visibility beyond IT | Creative teams, engineering, HR, finance, and marketing are now part of the attack surface
Assume fileless-first | Modern attacks live and execute entirely in memory
Move beyond detection-based tools | Attackers are building campaigns designed not to be detected
Protect credentials at the endpoint | Credentials fuel ransomware, extortion, and persistent access
Validate controls against real threats | Don’t assume — test your stack against fileless, C2-driven attacks

Want to brief your board, executive team, or security leadership on this threat and steps you and your team can take to avoid similar threats in the future?   

We’ve created a 2-page executive summary that breaks down this Tuoni C2 attack in non-technical language that highlights:   

  • How the attack worked 
  • Why it bypassed traditional tools 
  • The business implications 
  • What leaders must do now 

Download the Executive Summary PDF to use as a reference in your next leadership, risk, or strategy discussion.


About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of their time.
