New Malware ResolverRAT Targets Healthcare and Pharma Sectors

A new remote access Trojan (RAT), dubbed “ResolverRAT,” has been observed targeting organizations in the healthcare and pharmaceutical sectors.

Discovered by Morphisec Threat Labs, the malware combines advanced in-memory execution with layered evasion techniques, making detection and analysis particularly challenging.

Unlike previously known malware families such as Rhadamanthys or Lumma, ResolverRAT introduces a unique loader and payload architecture. Despite reusing some binaries and phishing infrastructure seen in earlier campaigns, its internal components and deployment methods appear to be original.

The Trojan uses social engineering tactics to gain initial access. In attacks observed so far, employees across multiple countries received phishing emails crafted in local languages, themed around copyright violations or legal inquiries. 

According to Morphisec, this localization suggests a globally coordinated operation aimed at maximizing infection rates through cultural tailoring.

Technical Architecture and Evasion Tactics

ResolverRAT is delivered through DLL side-loading, exploiting signed but vulnerable executables such as hpreader.exe (previously used as a loader for Rhadamanthys).

Once loaded, the malware executes a memory-resident payload protected by AES-256 encryption and compressed using GZip.

The payload is further obscured by:

  • String obfuscation using numeric IDs and encrypted embedded resources
  • A complex decryption state machine with hundreds of transitions
  • Reflective DLL loading to avoid detection
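Because the article's initial-execution step is DLL side-loading by a signed host binary such as hpreader.exe, a defender's first question is how to surface that pattern in endpoint telemetry. The following is an added example, not code from the article or from Morphisec: it runs a side-loading heuristic over Sysmon-style ImageLoad (Event ID 7) records. The event fields, the publisher names and every path below are constructed sample data, and the `sideload-sample.dll` name is a placeholder rather than any real ResolverRAT artefact.

```python
"""Added example (not from the article): flag DLL side-loading candidates in
Sysmon-style Event ID 7 (ImageLoad) records.

Heuristic: a signed executable loads a DLL that sits in the same directory,
outside the Windows / Program Files trees, and that is either unsigned or
signed by a different publisher than the host binary.  All events are
constructed sample data; publisher strings are placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple
import ntpath  # handles Windows paths even when run on Linux/macOS

# Directories where a DLL loaded next to its host is normally expected.
SYSTEM_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class ImageLoad:
    image: str             # process executable that performed the load
    image_signed: bool
    image_publisher: str
    loaded: str            # path of the DLL that was loaded
    loaded_signed: bool
    loaded_publisher: str


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed host loads a foreign DLL from its own non-system directory."""
    if not ev.image_signed:
        return False                      # unsigned host: different problem, not side-loading
    if is_system_path(ev.loaded):
        return False                      # system/vendor install tree
    if ev.loaded_signed and ev.loaded_publisher.lower() == ev.image_publisher.lower():
        return False                      # vendor's own signed plugin/library
    return same_dir(ev.image, ev.loaded)  # search-order hijack: DLL dropped beside the host


def triage(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (host image, loaded DLL) pairs that match the heuristic."""
    return [(ev.image, ev.loaded) for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry (placeholder publishers, placeholder DLL name).
SAMPLE_EVENTS = [
    ImageLoad("C:\\Users\\alice\\Downloads\\hpreader.exe", True, "VENDOR-SIGNER (placeholder)",
              "C:\\Users\\alice\\Downloads\\sideload-sample.dll", False, ""),
    ImageLoad("C:\\Users\\alice\\Downloads\\hpreader.exe", True, "VENDOR-SIGNER (placeholder)",
              "C:\\Windows\\System32\\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad("C:\\Program Files\\ExampleApp\\app.exe", True, "ExampleApp Ltd (placeholder)",
              "C:\\Program Files\\ExampleApp\\plugin.dll", True, "ExampleApp Ltd (placeholder)"),
    ImageLoad("C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe", False, "",
              "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll", False, ""),
]

if __name__ == "__main__":
    for host, dll in triage(SAMPLE_EVENTS):
        print(f"possible side-load: {host} -> {dll}")
```

The same-directory condition is what distinguishes side-loading from ordinary unsigned-DLL loads; loosening it (for example, to any user-writable directory) catches more but will also flag legitimate software that unpacks helper libraries at runtime, so tune it against a baseline of your own fleet.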


The malware also registers a custom .NET handler to hijack resource resolution, bypassing traditional monitoring and making the malware more challenging to detect with standard tools.

Persistent and Secure Command Infrastructure

ResolverRAT maintains access using multiple persistence methods, including registry changes and file placement across user directories. It implements a fallback system that retries alternate methods if one fails.
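The article describes persistence through registry changes and file placement across user directories, with a fallback that tries alternate methods when one fails. For a defender this means autorun registry writes and executable drops should be correlated per process rather than judged one event at a time. The following is an added example, not code from the article or from Morphisec: it triages constructed Sysmon-style RegistryEvent (Event ID 13) and FileCreate (Event ID 11) records. The registry paths, file names and process GUIDs are constructed sample data, not ResolverRAT indicators, and the autorun key list is a generic one rather than the keys the malware uses.

```python
"""Added example (not from the article): correlate Sysmon-style registry and
file-create events into a per-process persistence verdict.

EventID 13 = RegistryEvent (value set), EventID 11 = FileCreate.  A process
that both drops an executable under a user profile and registers an autorun
value is rated 'high'; either signal alone is 'medium'.  All events and
identifiers below are constructed sample data.
"""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Generic user/machine autorun locations (assumption: not the malware's own keys).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\", re.IGNORECASE
)
USER_PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def classify(ev: dict) -> Optional[str]:
    """Label a single event, or return None when it is not a persistence signal."""
    if ev["EventID"] == 13 and AUTORUN_KEY_RE.search(ev["TargetObject"]):
        target = ev.get("Details", "").strip('"')
        # Autorun value pointing into a user profile: user-level persistence.
        return "autorun_user_path" if USER_PROFILE_RE.match(target) else "autorun"
    if ev["EventID"] == 11:
        path = ev["TargetFilename"]
        if USER_PROFILE_RE.match(path) and ntpath.splitext(path)[1].lower() in EXEC_EXT:
            return "exec_drop_user_dir"
    return None


def triage(events: List[dict]) -> Dict[str, str]:
    """Map ProcessGuid -> 'high' | 'medium' for every process with a persistence signal."""
    per_proc: Dict[str, set] = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            per_proc[ev["ProcessGuid"]].add(label)
    verdicts = {}
    for guid, labels in per_proc.items():
        dropped = "exec_drop_user_dir" in labels
        autorun = any(l.startswith("autorun") for l in labels)
        # Fallback behaviour (several autorun attempts) still collapses to one verdict.
        verdicts[guid] = "high" if dropped and autorun else "medium"
    return verdicts


# Constructed sample telemetry (placeholder GUIDs, paths and value names).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessGuid": "{proc-1}",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\ExampleSvc\\updater.exe"},
    {"EventID": 13, "ProcessGuid": "{proc-1}",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleSvc",
     "Details": "\"C:\\Users\\alice\\AppData\\Roaming\\ExampleSvc\\updater.exe\""},
    {"EventID": 13, "ProcessGuid": "{proc-1}",   # fallback attempt via RunOnce
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ExampleSvcAlt",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\ExampleSvc\\updater.exe"},
    {"EventID": 11, "ProcessGuid": "{proc-2}",
     "TargetFilename": "C:\\Users\\bob\\Documents\\report.docx"},
    {"EventID": 13, "ProcessGuid": "{proc-3}",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater",
     "Details": "C:\\Program Files\\ExampleApp\\updater.exe"},
    {"EventID": 11, "ProcessGuid": "{proc-4}",
     "TargetFilename": "C:\\Users\\carol\\Downloads\\setup.exe"},
]

if __name__ == "__main__":
    for guid, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{guid}: {verdict}")
```

Correlating on ProcessGuid is the point: a single RunOnce write or a single executable in Downloads is routine, but one process doing both within a short window is the shape the article describes, and the fallback retries only add more autorun labels to the same process rather than diluting the verdict.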

Its command-and-control (C2) communications are secured with a custom certificate validation process that bypasses standard root authorities. Obfuscated IP rotation and custom protocols running on standard ports allow it to blend into regular network traffic.

Data exfiltration is managed via chunked transfers, minimizing detection risk. The malware uses multi-threaded command processing with resilient error handling to avoid crashes or interruptions.

Researchers note that the sophistication of ResolverRAT points to a threat actor operating at a high technical level. 

“This resource resolver hijacking represents malware evolution at its finest,” Morphisec said.

“Utilizing an overlooked .NET mechanism to operate entirely within managed memory, it circumvents traditional security monitoring focused on Win32 API and file system operations.”

To protect against threats like this, security experts recommend user awareness training around phishing, deploying behavior-based endpoint protection and regularly auditing systems for unusual memory activity and unauthorized persistence mechanisms.