A newly uncovered malware threat called ResolverRAT is making waves across the cybersecurity world. Its targets? Organizations in the healthcare and pharmaceutical sectors—industries that already deal with high-stakes data and life-critical systems. Cybersecurity researchers at Morphisec recently raised the alarm after observing active campaigns involving this malware as recently as March 10.
ResolverRAT doesn’t behave like your average remote access trojan. It’s a stealthy, memory-resident malware designed with advanced evasion tactics, dynamic payloads, and military-grade encryption. It hides in plain sight, staying undetected by loading directly into memory and avoiding traditional file-based detection.
While it shares some techniques and phishing themes with earlier threats like Rhadamanthys and Lumma RAT, Morphisec has flagged ResolverRAT as a distinct new malware strain. Researchers believe it may be tied to the same threat actor ecosystem—likely a shared affiliate model or coordinated cybercrime syndicate, judging by similarities in phishing lures and infrastructure reuse.
The attack begins with a phishing email—and not just any generic one. These messages are fine-tuned for the recipient’s region and language, including Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish. Common themes include fake legal threats or copyright warnings, designed to pressure recipients into clicking.
Once the victim clicks a malicious link, the infection process begins. ResolverRAT uses DLL search order hijacking, exploiting a vulnerable executable to load a rogue DLL. A stealthy loader is then activated, using multiple anti-analysis tricks to decrypt and launch the real payload without leaving obvious traces.
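As an added example (not code from Morphisec's report or from this article), here is a defender-side check for the DLL search order hijacking that the loader stage relies on: it compares the DLLs sitting next to an executable with the vendor's manifest and a baseline of system DLL hashes. All DLL names, hashes and manifest entries are constructed placeholders.

```python
"""Flag DLL search-order hijacking candidates in an application folder.

The Windows loader checks the executable's own directory before System32, so
a DLL dropped beside a trusted, signed executable is loaded instead of the
system copy. This compares the DLLs next to an executable with the vendor's
manifest and a baseline of system DLL hashes. All inputs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DllEntry:
    name: str      # file name as found on disk
    sha256: str    # constructed placeholder for the file hash
    signed: bool   # True if an Authenticode signature verified at collection time


# Constructed baseline: name -> hash of the trusted System32 copy.
SYSTEM_BASELINE = {
    "version.dll": "sha256:SYSTEM-VERSION-DLL",
    "cryptsp.dll": "sha256:SYSTEM-CRYPTSP-DLL",
}
# Constructed vendor manifest: DLLs that legitimately ship with the executable.
VENDOR_MANIFEST = {"appcore.dll", "libcurl.dll"}


def find_hijack_candidates(app_dlls, vendor_manifest=VENDOR_MANIFEST,
                           system_baseline=SYSTEM_BASELINE):
    """Return (name, severity, reason) for DLLs that do not belong beside the exe."""
    findings = []
    for dll in app_dlls:
        name = dll.name.lower()          # NTFS file names are case-insensitive
        if name in vendor_manifest:
            continue                     # expected component, nothing to flag
        if name in system_baseline:
            if dll.sha256 == system_baseline[name]:
                findings.append((dll.name, "low", "system DLL copied beside exe"))
            else:
                # System DLL name with different contents next to a trusted exe:
                # the classic search-order hijack (side-loading) pattern.
                findings.append((dll.name, "high", "shadows system DLL with different contents"))
        elif not dll.signed:
            findings.append((dll.name, "medium", "unsigned DLL not in vendor manifest"))
    return findings


# Constructed directory listing next to a hypothetical signed executable.
SAMPLE_APP_DIR = [
    DllEntry("appcore.dll", "sha256:VENDOR-APPCORE", True),
    DllEntry("VERSION.dll", "sha256:ATTACKER-CONTROLLED", False),
    DllEntry("cryptsp.dll", "sha256:SYSTEM-CRYPTSP-DLL", True),
    DllEntry("helper.dll", "sha256:UNKNOWN-HELPER", False),
]
```

Running `find_hijack_candidates(SAMPLE_APP_DIR)` flags the mismatched `VERSION.dll` as high severity, the byte-identical `cryptsp.dll` as low, and the unknown unsigned `helper.dll` as medium.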
The decrypted payload, protected with AES-256 encryption, lives only in memory. The encryption keys are obscured to make detection even harder. To stay put on the system, ResolverRAT hides itself using obfuscated file paths and creates up to 20 registry entries across various system locations.
ResolverRAT also goes to great lengths to shield its command-and-control (C&C) communications. It builds a private certificate validation chain, bypassing traditional trust mechanisms. If a C&C server goes down, the malware automatically rotates through fallback IPs using a smart IP rotation system.
Interestingly, ResolverRAT blends in with normal network traffic by using standard ports and a custom communication protocol. Its communications are randomized, and data is broken into smaller chunks, further avoiding detection. It uses Protobuf for efficient data serialization.
Behind the scenes, ResolverRAT runs on a multi-threaded engine that processes commands quickly and reliably. Its architecture is built for resilience, with robust error handling to avoid crashes and ensure a stable connection to its operators.
Each infected machine is tagged with unique authentication tokens, allowing attackers to track victims and manage large-scale campaigns with precision. This level of organization suggests a well-resourced, professional threat actor likely coordinating across borders.
With ResolverRAT now active in the wild, particularly targeting healthcare and pharmaceutical firms, organizations in these sectors need to stay alert. The malware’s in-memory design and encrypted communications make it especially difficult to detect using traditional tools. For now, proactive defense, continuous monitoring, and user awareness training are key to staying ahead of this emerging threat.