A previously undocumented remote access trojan (RAT) named ResolverRAT has surfaced, specifically targeting healthcare and pharmaceutical organizations worldwide.
First observed as recently as March 10, 2025, this malware distinguishes itself from related threats like Rhadamanthys and Lumma through its sophisticated in-memory execution and multi-layered evasion techniques.
Morphisec, a leading cybersecurity firm, has detailed the malware’s operations, while PolySwarm analysts classify ResolverRAT as an emerging threat with unique capabilities.
Deployed through localized phishing campaigns, the malware leverages fear-based lures in languages such as Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish, often citing legal or copyright violations to trick users into downloading a seemingly legitimate executable that initiates the infection via DLL side-loading.
Technical Sophistication and Stealthy Operations
ResolverRAT’s infection chain begins with a .NET-based loader that employs advanced anti-analysis methods, utilizing the System.Security.Cryptography namespace for AES-256 encryption in CBC mode with obfuscated keys decoded at runtime.
The payload, compressed using GZip, operates entirely in memory to minimize disk footprints and evade traditional security monitoring.
A standout feature is its use of .NET ResourceResolve event hijacking, which intercepts legitimate resource requests to inject malicious assemblies without altering PE headers or triggering suspicious API calls-a technique Morphisec describes as “malware evolution at its finest.”
Further complicating detection, the payload decryption within the RunVisibleHandler() method uses a complex state machine with control flow flattening and system fingerprinting to thwart static analysis and sandbox environments.
For persistence, ResolverRAT scatters up to 20 obfuscated registry entries across multiple locations and installs itself in various directories, ensuring it remains embedded in compromised systems.
According to the Report, the malware’s command-and-control (C2) infrastructure is equally robust, utilizing a custom protocol over standard ports to blend with legitimate traffic.
Certificate pinning and a parallel trust system bypass SSL inspection, while IP rotation maintains connectivity even if primary servers are disrupted.
Data serialization via Protocol Buffers (ProtoBuf) enhances efficiency and obfuscation, and random-interval connection attempts via timer callbacks add to its stealth.
ResolverRAT’s multi-threaded architecture processes commands concurrently with error handling to prevent crashes, and for data exfiltration, it splits files exceeding 1MB into 16KB chunks, transmitting them only when sockets are ready to minimize detection and recover from network interruptions.
While it shares phishing tactics and binary reuse with Rhadamanthys and Lumma, its distinct loader and payload architecture cement its status as a standalone threat family.
Organizations in the healthcare and pharmaceutical sectors are urged to bolster defenses against phishing campaigns and deploy advanced endpoint detection to counter this evolving threat.
Indicators of Compromise (IOCs)
The following table lists known ResolverRAT samples identified by PolySwarm for reference and threat hunting purposes:
| SHA256 Hash |
|---|
| c3028a3c0c9b037b252c046b1b170116e0edecf8554931445c27f0ddb98785c1 |
| 80625a787c04188be1992cfa457b11a166e19ff27e5ab499b58e8a7b7d44f2b9 |