Introduction

ResolverRAT is a remote access Trojan (RAT) aimed at organizations in the healthcare and pharmaceutical sectors. It is delivered through phishing campaigns and has been observed in targeted attacks in several countries. Its combination of localized lures, a side-loaded in-memory loader and resilient command and control illustrates how far intrusions against high-risk industries have advanced.

Description

ResolverRAT targets healthcare and pharmaceutical organizations through phishing. Recently identified in targeted attacks [2] and discovered by Morphisec Threat Labs, it arrives via localized phishing emails written in the recipient's language, including Italian, Czech, Hindi, Turkish, Portuguese and Indonesian [3] [5] [6]. The lures are fear-based [2], typically invoking legal investigations or copyright violations, and press the recipient to click a link that starts the ResolverRAT execution chain.

The infection chain relies on DLL side-loading [2] [6]: a legitimate executable loads a malicious DLL placed in its search path, and an in-memory loader then decrypts and runs the main payload [2] [6], which is stored AES-256-encrypted and GZip-compressed [1]. The payload is built to frustrate both static and dynamic analysis: it executes only in memory, resolves APIs and embedded resources at runtime rather than through a static import table [4], and unpacks through a multi-stage decryption state machine [1]. String obfuscation and layered evasion add further cover, and the loader incorporates anti-analysis techniques so that the payload runs only where the operators intend.
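To make the payload layering concrete, the following Go program, written for this article and not taken from the cited reports or from the malware itself, reverses the two layers an analyst would peel in order: AES-256 decryption, then GZip decompression, then a sanity check for the MZ header of a PE file so that a wrong key or wrong layout guess fails loudly instead of producing garbage. The blob layout (IV-prefixed, CBC mode, PKCS#7 padding), the key and the stand-in payload are constructed assumptions; the real sample's cipher mode, key derivation and IV handling are not given in the sources. The Pack function exists only to build the sample; a real workflow would feed Unpack the encrypted resource carved from the loader.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"io"
)

// Assumed layout (hypothetical, not from the article): a 16-byte IV followed by
// the AES-256-CBC ciphertext of a PKCS#7-padded GZip stream wrapping the PE payload.

func pkcs7Pad(b []byte, block int) []byte {
	n := block - len(b)%block
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, block int) ([]byte, error) {
	if len(b) == 0 || len(b)%block != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > block || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// Pack builds a blob in the assumed layout; it exists only to construct the sample.
func Pack(payload, key, iv []byte) ([]byte, error) {
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	w.Write(payload) // writes into a bytes.Buffer cannot fail
	w.Close()
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(gz.Bytes(), aes.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...), nil
}

// Unpack peels both layers and refuses anything that does not look like a PE.
func Unpack(blob, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob is too short or not block aligned")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	gz, err := pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return nil, fmt.Errorf("decrypt layer: %w (wrong key or layout?)", err)
	}
	r, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return nil, fmt.Errorf("decompress layer: %w", err)
	}
	// Cap the output so a hostile or corrupted stream cannot expand without bound.
	out, err := io.ReadAll(io.LimitReader(r, 64<<20))
	if err != nil {
		return nil, fmt.Errorf("decompress layer: %w", err)
	}
	if len(out) < 2 || out[0] != 'M' || out[1] != 'Z' {
		return nil, errors.New("decompressed data has no MZ header")
	}
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x41}, 32)                             // constructed key
	iv := bytes.Repeat([]byte{0x01}, aes.BlockSize)                   // constructed IV
	sample := append([]byte("MZ"), bytes.Repeat([]byte{0x90}, 62)...) // constructed stand-in for a PE
	blob, _ := Pack(sample, key, iv)
	out, err := Unpack(blob, key)
	fmt.Printf("right key: %d bytes recovered, err=%v\n", len(out), err)
	_, err = Unpack(blob, bytes.Repeat([]byte{0x42}, 32))
	fmt.Println("wrong key:", err)
}
```

The MZ check is the cheap oracle that tells the analyst the guessed key and layout are right; without it, a wrong key in CBC mode still "decrypts" to a full-length buffer of noise.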

The multilingual lures indicate a coordinated operation with global reach, aimed at a broad set of organizations rather than a single region [3]. The sector-specific social engineering points to deliberate targeting and has coincided with a marked rise in attacks on healthcare entities across multiple countries [4].

Once running [3], ResolverRAT uses reflective DLL loading to map itself directly into memory [3] and operates as a memory-resident payload [1]. It persists through several mechanisms [1], creating up to 20 registry entries under obfuscated names that point to obfuscated file paths, and placing files in multiple locations so that removing one copy does not clear the infection [6]. Command-and-control (C2) uses a fallback mechanism when the primary channel fails [1] and a custom certificate validation routine that does not rely on the system's trusted root authorities [1], so the C2 server can present a certificate that chains to no public CA. Traffic is further disguised by obfuscated IP rotation and a custom protocol designed to blend into normal network activity; exfiltrated data is sent in chunks, and connections are scheduled at randomized intervals, which defeats detection keyed on a fixed beacon period.
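The certificate handling described above amounts to pinning: the client skips chain building against the system's root store and instead compares the server's leaf certificate to a value embedded in the binary. The following Go program, an added illustration rather than code from the cited reports or from ResolverRAT, shows the shape of such a check and why it matters to defenders: a server certificate that passes the pin need not chain to any trusted CA, so the session looks like ordinary TLS to a self-signed endpoint. The certificates, host names and the SHA-256-of-DER pin format are constructed for this example; nothing here is taken from the campaign's infrastructure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert generates a throwaway self-signed certificate (constructed
// test material for this example, not anything observed in the campaign).
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PinVerifier returns a callback that accepts a server only if the SHA-256 of
// its leaf certificate (DER) equals the embedded pin. No root store is consulted.
func PinVerifier(pin [32]byte) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server sent no certificate")
		}
		if sha256.Sum256(rawCerts[0]) != pin {
			return errors.New("leaf certificate does not match embedded pin")
		}
		return nil
	}
}

// PinnedClientConfig is the TLS client configuration such a scheme produces:
// chain validation against system roots is switched off and replaced by the pin.
func PinnedClientConfig(pin [32]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:    true,             // disables root-CA chain validation...
		VerifyPeerCertificate: PinVerifier(pin), // ...and substitutes the pin check
		MinVersion:            tls.VersionTLS12,
	}
}

// ChainsToRoots reports whether a leaf passes ordinary chain validation against
// the given root pool; a pinned self-signed certificate only passes if it is
// itself in the pool, which a public trust store will never contain.
func ChainsToRoots(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	c2, _ := selfSignedCert("c2.example")       // constructed stand-in for a C2 cert
	other, _ := selfSignedCert("other.example") // a different cert, e.g. an interception proxy
	verify := PinVerifier(sha256.Sum256(c2.Raw))
	fmt.Println("pinned cert accepted:", verify([][]byte{c2.Raw}, nil) == nil)
	fmt.Println("other cert accepted: ", verify([][]byte{other.Raw}, nil) == nil)
	fmt.Println("chains to empty root pool:", ChainsToRoots(c2, x509.NewCertPool()))
}
```

Two consequences follow for defenders. An inline TLS inspection proxy that re-signs server certificates will be rejected by the pin, so the implant simply fails over rather than exposing plaintext; and because the C2 certificate need not chain to anything, outbound TLS sessions whose server certificate does not validate against any public root are worth baselining and alerting on.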

ResolverRAT’s emergence alongside other advanced threats [2] fits a broader pattern of well-resourced tooling aimed at high-risk sectors such as healthcare and pharmaceuticals [2]. Its design reflects considerable technical expertise [1]: the loader hijacks the resource resolver of the managed (.NET) runtime so that the payload is resolved and executed entirely within managed memory [1], sidestepping monitoring that keys on native image loads and files written to disk [1].

Conclusion

ResolverRAT illustrates the increasing sophistication of threats against critical sectors such as healthcare and pharmaceuticals: localized lures, a side-loaded in-memory loader, redundant persistence and pinned, fallback-capable C2. Recommended mitigations are user awareness training [1], behaviour-based endpoint protection that can see in-memory and reflective loading rather than only on-disk indicators [1], robust email security [2], regular system audits including review of autorun registry entries [1], multi-factor authentication [2], and tested incident response plans [2]. Organizations in these sectors should expect such tooling to keep evolving and keep their detection and response posture current to protect sensitive data and maintain operational integrity.

References

[1] https://www.infosecurity-magazine.com/news/malware-resolverrat-targets/
[2] https://hoploninfosec.com/resolverrat-protect-healthcare-from-it/
[3] https://undercodenews.com/resolverrat-a-new-remote-access-trojan-targeting-healthcare-and-pharmaceutical-sectors/
[4] https://thecyberwire.com/newsletters/daily-briefing/14/70
[5] https://ciso2ciso.com/new-resolverrat-targeting-healthcare-pharmaceutical-organizations-source-www-securityweek-com/
[6] https://www.ihash.eu/2025/04/resolverrat-campaign-targets-healthcare-pharma-via-phishing-and-dll-side-loading/