Native Language Phishing Propagates ResolverRAT in the Healthcare Sector

Morphisec has uncovered a new malware threat known as ResolverRAT, which employs sophisticated techniques to execute code directly in computer memory. This malware dynamically assesses the system’s functions and resources while it operates, utilizing multiple layers of tactics to elude detection from security software.

Recently identified by Morphisec researchers, ResolverRAT represents a significant threat, predominantly targeting organizations within the healthcare and pharmaceutical industries. The most recent surge of attacks was recorded around March 10, 2025, indicating a focused campaign against these critical sectors.

The moniker ResolverRAT reflects the malware’s advanced capability of dynamically resolving and managing resources throughout its operation, thereby complicating detection efforts by conventional security methodologies. The malware’s distribution involves phishing attacks, with emails designed to invoke a sense of urgency, pressuring recipients to click on malicious links. Upon doing so, the victim unwittingly initiates the ResolverRAT infection process.

These phishing attacks are highly localized; the emails utilize the native language of the targeted country and employ alarming subject lines related to legal threats or copyright issues. This tailored approach suggests a global campaign aimed at maximizing infection rates through personalized outreach.

Use of native language subject lines (Source: Morphisec)

Infections by ResolverRAT typically commence via DLL side-loading, where a malicious Dynamic Link Library (DLL) is strategically placed alongside a legitimate, signed application, such as ‘hpreader.exe’. When the legitimate program is executed, it inadvertently loads the malicious DLL from its own directory, activating the malware.
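The side-loading pattern described above can be hunted for in endpoint telemetry: a DLL loaded from the same directory as its host process, outside the Windows or Program Files trees, and lacking a valid signature. The following detection logic is an added example written for this article, not code from Morphisec or the report; the Sysmon Event ID 7 records it runs over are constructed sample data, and the DLL name ‘sideload_example.dll’ is a placeholder, since the article does not name the malicious DLL.

```python
import json
import ntpath

# Constructed Sysmon Event ID 7 (Image loaded) records in JSON-lines form.
# Sample data made up for this example, not telemetry from the campaign;
# field names follow Sysmon's ImageLoad event schema.
SAMPLE_LOG = r"""
{"EventID":7,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\hpreader.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\hpreader.exe","Signed":"true","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\hpreader.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\sideload_example.dll","Signed":"false","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\hpreader.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Program Files\\Vendor\\app.exe","ImageLoaded":"C:\\Program Files\\Vendor\\helper.dll","Signed":"true","SignatureStatus":"Valid"}
{"EventID":1,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\hpreader.exe","CommandLine":"hpreader.exe"}
"""

# Directories where DLLs normally live; loads from here are not side-loading.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def is_sideload_candidate(ev):
    """True when a DLL is loaded from the host process's own directory,
    that directory is not a trusted system location, and the DLL itself
    does not carry a valid Authenticode signature."""
    if ev.get("EventID") != 7:
        return False
    host, loaded = ev["Image"], ev["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return False
    if ntpath.dirname(host).lower() != ntpath.dirname(loaded).lower():
        return False  # not co-located with the host executable
    if in_trusted_dir(loaded):
        return False
    # In Sysmon Event 7, Signed/SignatureStatus describe ImageLoaded (the DLL),
    # not the host process, so a signed host with an unsigned neighbour stands out.
    return ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid"


def find_sideload_candidates(log_text):
    """Return (host image, loaded DLL) pairs that match the heuristic."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            if is_sideload_candidate(ev):
                hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for host, dll in find_sideload_candidates(SAMPLE_LOG):
        print(f"possible DLL side-loading: {host} loaded {dll}")
```

Legitimate software installed under a user profile also loads unsigned helper DLLs from its own directory, so in production this rule needs an allowlist of known hosts and should be correlated with the phishing delivery chain rather than alerted on alone.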

Notably, the same executable has been linked to a recent campaign distributing the Rhadamanthys malware, suggesting potential collusion or resource sharing among cybercriminal groups. This association raises concerns about coordinated efforts among threat actors utilizing similar techniques, as documented by cybersecurity researchers.

ResolverRAT utilizes an array of evasion tactics, including extensive code obfuscation and a custom communication protocol that disguises its network traffic. It achieves in-memory execution of malicious code and dynamically resolves necessary system functions as it operates, aligning with MITRE ATT&CK tactics such as Initial Access and Execution.

To maintain persistence on infected systems, ResolverRAT creates numerous entries in the Windows Registry and installs copies of itself in various system locations. The malware employs unique certificate validation methods and utilizes a technique known as ‘.NET Resource Resolver Hijacking’ to enhance its stealth capabilities. Its ability to identify analysis environments allows it to alter behavior accordingly, posing significant challenges for detection.

This malware facilitates the theft of sensitive data, such as user credentials and patient information, by segmenting large datasets for efficient transmission. Moreover, ResolverRAT’s remote access capabilities empower attackers to execute commands, upload files, take screenshots, capture keystrokes, and potentially deploy additional malware.

With its combination of in-memory execution, advanced evasion strategies, and resilient command and control infrastructure, ResolverRAT presents a formidable threat to the healthcare and pharmaceutical sectors. This incident underscores the urgent need for organizations to implement proactive cybersecurity measures, utilizing frameworks such as MITRE ATT&CK to better understand and mitigate emerging cyber threats.
