A new sophisticated remote access trojan (RAT) has emerged as a significant threat to healthcare and pharmaceutical organizations worldwide.
Dubbed ResolverRAT, this previously undocumented malware deploys advanced in-memory execution techniques and layered evasion methods to steal sensitive data while remaining virtually undetectable to traditional security solutions.
First observed on March 10, 2025, ResolverRAT represents an evolution in malware design, with its ability to operate entirely in memory leaving minimal forensic traces.
The attack vectors primarily consist of highly localized phishing campaigns tailored to specific regions.
These campaigns deliver emails crafted in multiple languages including Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish, maximizing potential infection rates across global healthcare institutions.
The phishing lures typically employ fear-based tactics, often claiming legal consequences or copyright violations, compelling recipients to download what appears to be legitimate executable files.
PolySwarm analysts identified the malware’s distinctive approach to evading detection, noting that despite sharing some infrastructure with known threats like Rhadamanthys and Lumma, ResolverRAT’s unique loader and payload architecture justify its classification as a distinct malware family.
Researchers emphasized the threat’s sophisticated design, describing it as “malware evolution at its finest” due to its novel evasion techniques.
The malware employs multiple layers of obfuscation and encryption to protect its payload and communications.
Utilizing AES-256 encryption in CBC mode with dynamically generated keys and initialization vectors, ResolverRAT ensures its malicious code remains hidden from security tools.
Further protection comes from GZip compression and a memory-only execution model that minimizes disk-based artifacts typically targeted by antivirus solutions.
Infection Mechanism Deep Dive
ResolverRAT’s infection chain represents a masterclass in evasive malware design. After the initial phishing email convinces a user to download a seemingly legitimate application, the malware leverages DLL side-loading to inject its malicious code into trusted processes.
The loader then initiates a complex decryption routine within the RunVisibleHandler() method, employing a state machine with control flow flattening to thwart static analysis.
What makes ResolverRAT particularly insidious is its exploitation of the .NET ResourceResolve event.
This technique allows the malware to intercept legitimate resource requests and inject malicious assemblies without modifying PE headers or calling suspicious APIs.
The payload decryption process uses obfuscated integers that are decoded at runtime, making static detection nearly impossible. Consider the simplified representation of this process:
using System;

// ResolverRAT's obfuscated key decoding mechanism (simplified representation)
internal static class KeyDecoder
{
    private static byte[] DecodeKey(int[] encodedIntegers)
    {
        // Each obfuscated Int32 expands to four key bytes
        byte[] result = new byte[encodedIntegers.Length * 4];
        for (int i = 0; i < encodedIntegers.Length; i++)
        {
            // XOR with constant; the unchecked cast keeps the literal an Int32 so the expression compiles
            int value = encodedIntegers[i] ^ unchecked((int)0x8A7F6D2E);
            BitConverter.GetBytes(value).CopyTo(result, i * 4); // little-endian on x86/x64
        }
        return result;
    }
}
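For analysts extracting the integer array from a decompiled sample, the same decoding in Python, as an added example that is not code from the article or the malware: it masks the signed Int32 values a decompiler prints (often negative, because the XOR constant has its top bit set) so they pack exactly as BitConverter.GetBytes(int) would, and it provides the inverse only to build a constructed test vector. The 48-byte length check is an assumption (AES-256 key plus CBC IV), not a layout the article states.

```python
import struct

XOR_CONSTANT = 0x8A7F6D2E  # constant from the simplified DecodeKey() routine above
AES_KEY_LEN = 32           # AES-256 key length in bytes
AES_IV_LEN = 16            # CBC block size / IV length in bytes


def decode_key(encoded_integers):
    """Mirror DecodeKey(): XOR each Int32 with the constant, emit little-endian bytes.

    Values copied from decompiled C# are signed Int32 and may be negative; masking
    to 32 bits makes struct.pack behave like BitConverter.GetBytes(int) on .NET.
    """
    out = bytearray()
    for value in encoded_integers:
        word = (value ^ XOR_CONSTANT) & 0xFFFFFFFF
        out += struct.pack("<I", word)
    return bytes(out)


def encode_key(raw):
    """Inverse of decode_key(); XOR is an involution, so this is the same operation
    over the raw bytes, returned as signed Int32 values the way a decompiler shows them.
    Used here only to build a constructed test vector."""
    if len(raw) % 4:
        raise ValueError("raw length must be a multiple of 4 bytes")
    ints = []
    for i in range(0, len(raw), 4):
        word = struct.unpack("<I", raw[i:i + 4])[0] ^ XOR_CONSTANT
        ints.append(struct.unpack("<i", struct.pack("<I", word))[0])
    return ints


def looks_like_key_and_iv(decoded):
    """Assumption (not stated on the page): 12 integers decode to 48 bytes, enough for
    a 32-byte AES-256 key followed by a 16-byte CBC IV."""
    return len(decoded) == AES_KEY_LEN + AES_IV_LEN


if __name__ == "__main__":
    # Constructed sample: 48 predictable bytes obfuscated, then recovered
    sample = bytes(range(AES_KEY_LEN + AES_IV_LEN))
    obfuscated = encode_key(sample)
    print("decompiler-style array:", obfuscated[:3], "...")
    print("recovered:", decode_key(obfuscated).hex())
```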
The infection establishes persistence by creating up to 20 obfuscated registry entries spread across multiple locations, ensuring survivability even if some entries are discovered and removed.
The command-and-control infrastructure employs certificate pinning and a parallel trust system to bypass SSL inspection, while IP rotation maintains connectivity if primary servers are disrupted.