For years, defenders focused on detecting ransomware binaries before encryption began. But today’s attackers are no longer in a hurry.
Modern ransomware campaigns increasingly start with weeks or months of silent access, where attackers blend into legitimate traffic, operate entirely in memory, and avoid dropping files on disk altogether.
A recent investigation by Morphisec Threat Labs into a disrupted attack against a major U.S. real estate company reveals how far this evolution has gone. The intrusion leveraged Tuoni, a stealth‑focused command‑and‑control (C2) malware framework designed to remain invisible until attackers decide to escalate.
The takeaway is clear: ransomware is now the final act of a much longer, stealth‑driven operation.
This article breaks down:
- How fileless malware like Tuoni works
- Why traditional EDR and detection tools fail
- The role of AI and steganography in modern intrusions
- What security teams must change to defend against this threat class
What Is Fileless Malware?
Fileless malware is a category of attacks whose executable payload exists only in memory, avoiding the file system artifacts (executables, DLLs, scripts written to disk) that file scanning and disk forensics depend on. In practice the first stage still has to reach the endpoint somehow: a LOLBin command line, a script, or, as in the case below, an image file that carries the encoded payload. What never touches disk is the decoded, runnable code.
Instead of dropping their own binaries, attackers abuse:
- Legitimate system processes
- In‑memory loaders
- Reflective DLL injection
- Living‑off‑the‑land binaries (LOLBins)
Why Fileless Attacks Are So Dangerous
- No dropped payload for file scanners to hash or match against signatures
- Few disk artifacts, so investigators depend on memory captures and telemetry collected while the process was alive
- Low noise in system logs, because the activity runs inside an existing, trusted process
- Extremely long dwell times, since nothing forces the intrusion to become visible
These techniques directly undermine signature-based antivirus, file-centric sandboxing, and behavioral detection that keys on process creation and file writes rather than on memory allocation and protection changes.
Inside the Tuoni C2 Campaign
Stealth by Design, Not by Accident
Unlike traditional malware families, Tuoni was built specifically for evasion and persistence.
The campaign analyzed by Morphisec did not rely on phishing attachments or obvious malware droppers. Instead, it used a combination of advanced techniques rarely seen together in a single operation.
Advanced Techniques Used in the Attack
1. In‑Memory Execution Only
Tuoni executed entirely in memory, leaving no payload on disk. That took three standard controls out of play:
- On-access antivirus scanning, which never sees a payload file
- Disk forensics, which recovers a carrier image but no executable
- Static analysis, which has no dropped sample to work from
It does not defeat memory forensics or memory scanning: the decoded code still has to sit in readable, executable pages while it runs, and that is the layer at which this intrusion was stopped.
Once loaded, the malware established persistence and C2 communication without triggering endpoint alerts.
2. Steganography‑Based Payload Delivery
The attackers hid malicious payloads inside benign‑looking BMP image files.
To gateways and file scanners these files were ordinary images. To Tuoni's loader they were containers: the pixel data held encoded shellcode that the loader decoded straight into memory and executed.
Why this works:
- Image files pass mail and web gateways that would block executables
- Content inspection validates the file format, not the statistical shape of the pixel data; a valid BMP header over noise-like pixels is still a valid BMP
- Signatures written for the decoded shellcode never match the encoded carrier, so only the small loader that decodes it is exposed to signature detection
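A structural triage of a suspected carrier image, written here as an added example (it is not Morphisec's code and not Tuoni's loader): it checks the properties a BMP-borne payload tends to expose, namely pixel data with ciphertext-like entropy, bytes appended past the declared end of the image, and header fields that disagree with the file. The sample images are constructed inline, and the 7.0 bits/byte entropy threshold is an assumed tuning value.

```python
import math
import random
import struct

# Constructed 32x32, 24-bit samples for illustration (not artifacts from the report).
WIDTH, HEIGHT = 32, 32
ROW = (WIDTH * 3 + 3) & ~3          # 24-bit rows are padded to 4-byte multiples


def pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic noise standing in for an encrypted payload blob."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_bmp(pixels: bytes) -> bytes:
    """Wrap a raw pixel buffer in a valid BITMAPFILEHEADER + BITMAPINFOHEADER."""
    assert len(pixels) == ROW * HEIGHT
    info = struct.pack("<IiiHHIIiiII", 40, WIDTH, HEIGHT, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return file_hdr + info + pixels


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; solid or photographic data sits well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def inspect_bmp(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag structural signs that a BMP is a payload carrier rather than a picture.

    entropy_threshold is an assumed tuning value, not a published constant.
    """
    if len(blob) < 54 or blob[:2] != b"BM":
        return {"valid": False, "entropy": 0.0, "findings": ["not a BMP"]}
    _, bf_size, _, _, off_bits = struct.unpack_from("<2sIHHI", blob, 0)
    bi_size, width, height, _, bpp, _, _, _, _, clr_used, _ = struct.unpack_from(
        "<IiiHHIIiiII", blob, 14)
    palette = 0 if bpp > 8 else (clr_used or (1 << bpp)) * 4   # colour table, if any
    row = (abs(width) * bpp // 8 + 3) & ~3
    pixel_end = off_bits + row * abs(height)                   # where a picture should stop
    pixels = blob[off_bits:pixel_end]
    entropy = shannon_entropy(pixels)
    findings = []
    if entropy > entropy_threshold:
        findings.append(f"pixel entropy {entropy:.2f} bits/byte: buffer looks encrypted, not photographic")
    if len(blob) > pixel_end:
        findings.append(f"appended {len(blob) - pixel_end} bytes after the pixel data")
    if bf_size != len(blob):
        findings.append(f"bfSize {bf_size} disagrees with actual length {len(blob)}")
    if off_bits > 14 + bi_size + palette:
        findings.append(f"gap of {off_bits - 14 - bi_size - palette} bytes between headers and pixel data")
    return {"valid": True, "entropy": entropy, "findings": findings}


# Samples: a solid-colour picture, a "picture" whose pixels are really an opaque blob
# (stand-in for encrypted shellcode stored in the pixel buffer), and a real picture
# with a payload glued on after the declared end of the image.
CLEAN = build_bmp(b"\xd0\x80\x20" * (WIDTH * HEIGHT))
NOISE_CARRIER = build_bmp(pseudo_random(ROW * HEIGHT, seed=7))
TRAILING_CARRIER = CLEAN + b"\xcc" * 16 + pseudo_random(240, seed=9)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("noise", NOISE_CARRIER), ("trailing", TRAILING_CARRIER)):
        print(name, inspect_bmp(blob))
```

The entropy check catches the common carrier shape, a BMP whose pixel buffer is really a ciphertext blob, and the appended-payload case. It will not catch least-significant-bit steganography in a genuine photograph, where the payload rides in the low bits and the statistics barely move; for that variant the loader that decodes the image, not the image itself, is the realistic detection target.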
3. AI‑Enhanced Loaders
One of the most concerning aspects of the attack was that Morphisec attributes the loaders to AI-assisted code generation.
These loaders:
- Changed their structure from sample to sample and at runtime
- Varied their execution paths dynamically
- Avoided repeating the memory patterns that behavioral engines key on
Whether the code came from a model or from a conventional polymorphic engine matters less than the effect: signatures on the loader body and heuristics tuned to a known execution flow do not transfer from one sample to the next, so even well-tuned EDR rules derived from earlier samples fail.
4. Reflective Memory Loading
Tuoni used reflective loading: the loader parses the PE image itself, allocates memory, copies the sections in, applies relocations and resolves imports by hand. The module is never handed to LoadLibrary, so it never appears in the process's loaded-module list.
This technique:
- Produces no image-load event, the telemetry that Sysmon Event ID 7 and EDR module-load hooks rely on
- Reduces the API footprint to a handful of memory allocation and protection calls
- Leaves the code in private memory that looks like any other heap or JIT region
Those allocation and protection calls are the one footprint it cannot avoid: a reflective loader still needs executable memory, and executable memory that is not backed by a file on disk is the central indicator that memory scanners and memory-layer prevention key on.
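To make that indicator concrete, here is an added example (not Morphisec's or Tuoni's code) that triages a process's memory regions the way a memory scanner would, using the MEM_* and PAGE_* constants from winnt.h. The region records are constructed inline to stand in for what VirtualQueryEx plus a short read of each region would return; the Region record and its field names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List

# Region type and page protection constants, as defined in winnt.h.
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class Region:
    """One committed region as a scanner sees it (field names are this example's own)."""
    label: str            # example-only name used by the sample snapshot below
    base: int
    size: int
    mem_type: int         # MEM_PRIVATE, MEM_MAPPED or MEM_IMAGE
    protect: int          # PAGE_* protection
    head: bytes = b""     # first bytes read from the region
    image_path: str = ""  # backing module, populated for MEM_IMAGE regions


def triage_region(r: Region) -> List[str]:
    """Return the reasons a region deserves a closer look; empty means unremarkable."""
    findings: List[str] = []
    if r.protect not in EXECUTABLE:
        return findings                      # data pages are out of scope here
    if r.mem_type != MEM_IMAGE:
        # Executable code that no module on disk accounts for: the footprint a
        # reflective loader or shellcode stager cannot avoid leaving.
        findings.append("executable memory not backed by a loaded module")
        if r.head.startswith(b"MZ"):
            findings.append("PE header at region base: manually mapped image")
        if r.protect == PAGE_EXECUTE_READWRITE:
            findings.append("RWX protection: self-modifying or staged code")
    elif r.protect == PAGE_EXECUTE_READWRITE:
        # A real module's section should not be writable and executable at once.
        findings.append(f"image section of {r.image_path} is RWX: patched or hooked")
    return findings


def triage_process(regions: List[Region]) -> Dict[str, List[str]]:
    """Map each suspicious region's label to its findings, dropping clean regions."""
    return {r.label: f for r in regions if (f := triage_region(r))}


# Constructed snapshot of one process (not real telemetry from the case).
SAMPLE_REGIONS = [
    Region("ntdll_text", 0x7FFD10001000, 0x12A000, MEM_IMAGE, PAGE_EXECUTE_READ,
           b"\x48\x8B\xC4", r"C:\Windows\System32\ntdll.dll"),
    Region("heap", 0x1A2B0000, 0x100000, MEM_PRIVATE, PAGE_READWRITE, b"\x00\x00\x00"),
    Region("reflective_dll", 0x1C000000, 0x6A000, MEM_PRIVATE, PAGE_EXECUTE_READ, b"MZ\x90\x00"),
    Region("shellcode_stub", 0x1D500000, 0x1000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE,
           b"\xFC\x48\x83\xE4\xF0"),
    Region("exec_mapped_view", 0x1E000000, 0x20000, MEM_MAPPED, PAGE_EXECUTE_READ, b"\x55\x48\x89"),
    Region("patched_module", 0x7FFD20001000, 0x1000, MEM_IMAGE, PAGE_EXECUTE_READWRITE,
           b"\xE9\x00\x10", r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for label, findings in triage_process(SAMPLE_REGIONS).items():
        print(label, "->", "; ".join(findings))
```

Two practical notes. JIT hosts (the .NET CLR, browsers, some scripting engines) legitimately hold executable private memory, so a production rule allowlists known JIT processes or reads further into the region before alerting. And the reflective_dll region in the snapshot only exists because the loader first asked for memory and then made it executable; hooking those calls and refusing the transition is what blocks the loader before it runs, as opposed to finding the region afterwards.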
What Tuoni Could Do Once Inside
After establishing silent access, Tuoni’s modular C2 framework enabled:
- Credential harvesting from memory
- Lateral movement across systems
- Network reconnaissance
- Privilege escalation
- Staged ransomware deployment
Crucially, none of this required writing a single file to disk.
Morphisec noted that the malware was designed to remain dormant, collecting credentials and intelligence until operators were ready to trigger the destructive phase.
This confirms a critical shift in attacker strategy:
Ransomware is no longer the attack — it’s the payload delivered after patience.
Why Detection‑Based Security Failed
The Limits of Traditional EDR
Most enterprise security stacks still rely heavily on:
- File signatures
- Static analysis
- Behavioral correlation
- Sandbox detonation
In this campaign:
- There was no executable on disk to hash or submit for analysis; the BMP carrier is a valid image
- No static malware artifacts
- No suspicious disk activity
- No execution chain that file-centric rules recognize
Even sandbox detonation failed because the malware:
- Ran only in memory, so there was no sample to detonate in isolation
- Generated code dynamically, so one run does not predict the next
- Needed the real target environment to stage correctly
How the Attack Was Stopped
Morphisec’s prevention‑first memory defense intercepted the attack before execution, not after detection.
Their memory‑layer protection:
- Blocked the reflective loader
- Prevented credential harvesting
- Disrupted C2 communication to Tuoni infrastructure
- Stopped escalation before ransomware deployment
The result:
- Zero alerts
- Zero dwell time
- Zero breach impact
This highlights a fundamental shift: stopping fileless attacks requires prevention at the memory level, not post‑execution alerts.
Why This Matters to Security Leaders
AI Is Lowering the Barrier for Advanced Attacks
The use of AI to generate loaders and automate obfuscation means:
- Sophisticated malware is no longer rare
- Attack development cycles are shrinking
- Defender lag time is increasing
Fileless Is Becoming the Default
Fileless attacks are now:
- Easier to deploy
- Harder to detect
- More reliable against enterprise defenses
Relying solely on visibility, alerts, and response is no longer sufficient.
Best Practices: Defending Against Fileless & Memory‑Based Attacks
1. Adopt a Fileless‑First Threat Model
Assume attacks will:
- Never touch disk
- Operate inside legitimate processes
- Avoid obvious indicators
2. Secure the Memory Layer
Visibility alone doesn’t stop reflective loading or in‑memory execution. Protection must occur before malicious code runs.
3. Harden Credential Access
- Limit credential exposure in memory: run LSASS as a protected process (RunAsPPL), enable Credential Guard, and keep WDigest cleartext caching disabled
- Rotate high-value secrets frequently, and immediately rotate anything that was used on a host under suspicion
- Apply strict least-privilege controls so a harvested credential opens as little as possible
4. Shift From Detection to Prevention
EDR alerts arrive after code has already run. Against this threat class, execution blocking has to come first; response playbooks still have a job, scoping what the blocked loader was part of, but they cannot be the primary control.
Mapping to Security Frameworks
- MITRE ATT&CK
  - T1055 – Process Injection
  - T1620 – Reflective Code Loading
  - T1027 – Obfuscated Files or Information (T1027.003 – Steganography)
  - T1003 – OS Credential Dumping (T1003.001 – LSASS Memory)
- NIST Cybersecurity Framework (CSF 1.1 category identifiers)
  - PR.AC – Identity Management, Authentication and Access Control
  - PR.IP – Information Protection Processes and Procedures
  - DE.CM – Security Continuous Monitoring
- Zero Trust Principles
  - Assume breach
  - Minimize blast radius
  - Protect execution, not just access
FAQs
What is Tuoni malware?
Tuoni is a stealth‑focused C2 framework designed for in‑memory execution, credential theft, and staged ransomware deployment.
Why didn’t antivirus or EDR detect it?
The attack was entirely fileless: it used reflective loading, so no module-load event fired, and its loaders varied structure and execution paths between samples, so rules tuned to earlier code did not match.
Is ransomware still the main threat?
Ransomware is now the final stage of a much longer intrusion chain, not the initial attack.
How can organizations defend against this?
By adopting memory‑layer prevention, reducing credential exposure, and moving away from detection‑only strategies.
Conclusion: Ransomware Is Just the Last Symptom
The Morphisec investigation makes one thing clear:
Ransomware is no longer loud, fast, or obvious.
It is the quiet outcome of:
- Fileless intrusion
- AI‑assisted evasion
- Long‑term credential harvesting
- Undetected lateral movement
Organizations that continue to rely purely on detection‑based defenses will remain exposed to these stealth‑driven campaigns.
The future of endpoint security isn't more alerts: it's stopping malicious code before it ever executes.