
A previously undocumented remote access trojan (RAT) known as ResolverRAT is being deployed in targeted attacks on healthcare and pharmaceutical organisations across multiple regions. Identified by researchers at Morphisec, the malware is delivered through phishing emails and uses in-memory execution, making it difficult to detect through traditional endpoint protection methods.
ResolverRAT is distributed via region-specific phishing emails written in the recipient's local language. The messages typically allege legal or copyright violations to pressure the recipient into clicking a malicious link, which downloads a legitimate executable, hpreader.exe. That trusted binary is then abused through reflective DLL loading, a technique that maps and executes the trojan directly in memory rather than running it from a file on disk.
According to Morphisec, the malware has been detected in phishing emails sent in languages including Czech, Italian, Turkish, Hindi, Portuguese, and Indonesian, indicating a global scope of operations.
ResolverRAT malware leverages DLL hijacking and .NET abuse
The campaign uses DLL side-loading to start the infection. A trusted executable that is susceptible to DLL hijacking is placed alongside a malicious DLL; because Windows searches an application's own directory before the system directories, the legitimate application loads the planted DLL when it runs, and that DLL kicks off the malware's execution chain. ResolverRAT then abuses the .NET ‘ResourceResolve’ event, a managed callback the runtime raises when a requested resource cannot be found, to hand the runtime a malicious assembly without calling the Win32 loader APIs that security tools typically hook.
Morphisec highlighted that the malware operates entirely in memory and carries several anti-analysis features, including a complex state machine that obfuscates control flow and fingerprinting of system requests to spot sandboxes and debuggers.
“This resource resolver hijacking represents malware evolution at its finest – utilizing an overlooked .NET mechanism to operate entirely within managed memory, circumventing traditional security monitoring focused on Win32 API and file system operations,” wrote Morphisec’s Nadav Lorber in a blog.
The malware establishes persistence by writing XOR-obfuscated entries to as many as 20 registry locations and by copying itself into directories such as ‘Startup’ and ‘LocalAppData’, so removing a single entry does not disable it. It contacts its command-and-control server at irregular, jittered intervals to defeat detections that look for periodic beaconing.
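The jittered check-in described above is worth seeing from the detection side. The following Python sketch is an added example, not code from Morphisec's report or from this article: it runs two rules over constructed connection logs, a naive fixed-period rule that a jittered implant defeats, and a sustained-contact rule that tolerates jitter because it keys on how continuously a host keeps talking to one destination rather than on the exact gap between connections. The log format, hostnames, intervals, thresholds and the destination address 203.0.113.10 are all constructed for the example.

```python
"""Beacon detection over constructed connection logs (added example, not from the article).

A fixed-period rule (coefficient of variation of the gaps) catches a classic beacon but
misses a jittered one; a sustained-contact rule (fraction of time buckets with at least
one connection) catches both and ignores bursty benign traffic.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (hypothetical): ISO timestamp, source host, destination.
LOG_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+)$")
C2 = "203.0.113.10:443"  # TEST-NET-3 address used as a constructed stand-in for a C2


def make_log(host: str, intervals: list[int], start: datetime, dst: str = C2) -> list[str]:
    """Build connection lines for one host; intervals[i] is the gap before event i+1."""
    t = start
    lines = [f"{t:%Y-%m-%dT%H:%M:%SZ} host={host} dst={dst}"]
    for gap in intervals:
        t += timedelta(seconds=gap)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} host={host} dst={dst}")
    return lines


START = datetime(2025, 4, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    make_log("WS01", [60] * 12, START)                                          # fixed 60 s beacon
    + make_log("WS02", [37, 95, 61, 120, 48, 73, 110, 55, 88, 66, 130], START)  # jittered beacon
    + make_log("WS03", [2, 3, 595, 3, 297], START)                              # benign bursty traffic
)


def parse(lines):
    """Group epoch timestamps by (host, dst)."""
    series = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        series[(m.group(2), m.group(3))].append(ts.timestamp())
    return {k: sorted(v) for k, v in series.items()}


def intervals(ts):
    return [b - a for a, b in zip(ts, ts[1:])]


def interval_cv(ts):
    """Coefficient of variation of inter-connection gaps; ~0 for a fixed-period beacon."""
    gaps = intervals(ts)
    if len(gaps) < 2:
        return float("inf")
    mean = statistics.fmean(gaps)
    return statistics.pstdev(gaps) / mean if mean else float("inf")


def fixed_period_beacon(ts, max_cv=0.1, min_events=8):
    """Naive rule: many connections with almost identical gaps. Jitter breaks it."""
    return len(ts) >= min_events and interval_cv(ts) <= max_cv


def contact_coverage(ts, window=120):
    """Fraction of `window`-second buckets between first and last event that hold a connection."""
    if len(ts) < 2:
        return 0.0
    first = ts[0]
    buckets = int((ts[-1] - first) // window) + 1
    hit = {int((t - first) // window) for t in ts}
    return len(hit) / buckets


def sustained_contact(ts, window=120, min_coverage=0.8, min_events=8):
    """Jitter-tolerant rule: the host keeps talking to one destination with no long silences."""
    return len(ts) >= min_events and contact_coverage(ts, window) >= min_coverage


def classify(lines):
    """Run both rules on every (host, dst) pair and report the scores alongside the verdicts."""
    out = {}
    for (host, dst), ts in parse(lines).items():
        out[host] = {
            "dst": dst,
            "fixed": fixed_period_beacon(ts),
            "sustained": sustained_contact(ts),
            "cv": round(interval_cv(ts), 2),
            "coverage": round(contact_coverage(ts), 2),
        }
    return out


if __name__ == "__main__":
    for host, result in classify(SAMPLE_LOG).items():
        print(host, result)
```

On real telemetry the bucket width should be scaled to the longest gap the implant is expected to tolerate, the span should cover hours rather than minutes, and the sustained-contact score should be combined with destination rarity, since a workstation that talks to an update server all day will also score high.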
ResolverRAT runs each command in its own thread, so tasks execute concurrently and a failing task does not bring down the whole implant. It exfiltrates data through a chunked transfer mechanism: files larger than 1MB are split into 16KB segments, and each segment is sent only when the socket is ready to accept it, which keeps individual writes small and lets an interrupted transfer resume on an unstable network.
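To make the chunked transfer concrete, here is an added Python example (not ResolverRAT's code and not from Morphisec's report) of both ends of such a scheme: a sender that splits anything over 1MB into 16KB framed segments, a receiver that reassembles them out of order, tolerates duplicates and reports exactly which segments are missing so a resume request carries only those, and a small defender-side helper that counts runs of equal-sized writes. The 1MB threshold and 16KB segment size are the article's figures; the 16-byte frame header, the file identifier and the sample data are assumptions made for the example.

```python
"""Chunked exfiltration framing and reassembly (added example, not ResolverRAT's code).

Files above THRESHOLD are split into CHUNK-sized segments with a small header so the
receiver can reassemble them out of order and ask for only the missing pieces after a
network interruption. The header layout is an assumption; the sizes are the article's.
"""
import struct

THRESHOLD = 1 << 20          # 1 MiB: larger files are chunked (figure from the article)
CHUNK = 16 * 1024            # 16 KiB segment size (figure from the article)
HDR = struct.Struct(">IIII")  # file_id, seq, total, payload length (assumed layout)


def chunk_file(data: bytes, file_id: int):
    """Yield framed segments; a file at or below THRESHOLD goes out as a single frame."""
    if len(data) <= THRESHOLD:
        yield HDR.pack(file_id, 0, 1, len(data)) + data
        return
    total = (len(data) + CHUNK - 1) // CHUNK
    for seq in range(total):
        part = data[seq * CHUNK:(seq + 1) * CHUNK]
        yield HDR.pack(file_id, seq, total, len(part)) + part


def parse_frames(stream: bytes):
    """Split a byte stream of concatenated frames into (file_id, seq, total, payload)."""
    off = 0
    while off + HDR.size <= len(stream):
        file_id, seq, total, n = HDR.unpack_from(stream, off)
        off += HDR.size
        if off + n > len(stream):
            raise ValueError("truncated frame")
        yield file_id, seq, total, stream[off:off + n]
        off += n


class Reassembler:
    """Collects segments per file; tolerates duplicates and out-of-order arrival."""

    def __init__(self):
        self.parts = {}   # file_id -> {seq: payload}
        self.totals = {}  # file_id -> expected segment count

    def accept(self, file_id, seq, total, payload):
        if not 0 <= seq < total:
            raise ValueError("bad sequence number")
        if self.totals.setdefault(file_id, total) != total:
            raise ValueError("segment count changed mid-transfer")
        self.parts.setdefault(file_id, {}).setdefault(seq, payload)  # duplicates kept once

    def missing(self, file_id):
        """Sequence numbers still needed: what a resume request would carry."""
        have = self.parts.get(file_id, {})
        return [s for s in range(self.totals.get(file_id, 0)) if s not in have]

    def complete(self, file_id):
        """Reassembled file, or None while segments are still outstanding."""
        if file_id not in self.totals or self.missing(file_id):
            return None
        p = self.parts[file_id]
        return b"".join(p[s] for s in range(self.totals[file_id]))


def longest_uniform_run(payload_lengths, size=CHUNK):
    """Defender's view: a long run of outbound writes of exactly `size` bytes to one
    destination is a cheap indicator of a chunked transfer like this one."""
    best = run = 0
    for n in payload_lengths:
        run = run + 1 if n == size else 0
        best = max(best, run)
    return best


def demo():
    """Send a just-over-1 MiB constructed file across a lossy link and resume it."""
    data = bytes(range(256)) * 4097      # 1,048,832 bytes, just over 1 MiB (constructed)
    frames = list(chunk_file(data, file_id=7))
    rx = Reassembler()
    # Simulate a flaky link: frames 3 and 40 never arrive the first time.
    delivered = b"".join(f for i, f in enumerate(frames) if i not in (3, 40))
    for fid, seq, total, payload in parse_frames(delivered):
        rx.accept(fid, seq, total, payload)
    lost = rx.missing(7)
    for seq in lost:                     # resume: resend only what is missing
        for fid, s, total, payload in parse_frames(frames[seq]):
            rx.accept(fid, s, total, payload)
    return len(frames), lost, rx.complete(7) == data


if __name__ == "__main__":
    print(demo())  # segment count, resent sequence numbers, reassembly succeeded
```

A real sender would gate each write behind a writability check such as `select.select([], [sock], [], timeout)` so a slow or stalled link makes it back off instead of failing, which is the "only when the socket is ready" behaviour the article describes. The `longest_uniform_run` helper is the corresponding detection angle: the scheme keeps each write small, but 64 consecutive 16KB writes to the same destination are themselves a pattern.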
The malware uses AES-256 in CBC mode from the .NET System.Security.Cryptography library. Keys and IVs are stored as obfuscated integers that are decoded at run time. The payload is GZip-compressed and encrypted, and once it has been decrypted and decompressed it runs only in memory, so no decoded copy touches disk, which further evades detection.
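An analyst who has pulled the integer arrays and the encrypted blob out of such a loader needs a small decoder to get at the payload. The following Python helper is an added example, not ResolverRAT's code and not from Morphisec's report; it decodes the key and IV from obfuscated integers, decrypts with AES-256-CBC, strips the padding, checks for the GZip magic before inflating, and refuses to proceed on a wrong key. The obfuscation (each byte stored as the integer byte XOR 0x5A), PKCS7 padding (the .NET default), the compress-then-encrypt order, the sample key, IV and payload are all assumptions for the example; AES comes from the third-party `cryptography` package, with pycryptodome as a fallback.

```python
"""Decode an AES-256-CBC + GZip payload whose key and IV are stored as obfuscated
integers (added analyst helper, not ResolverRAT's code).

Assumptions, all hypothetical: each key/IV byte is stored as (byte XOR 0x5A); PKCS7
padding (the .NET default); the payload was gzipped before encryption. AES is taken
from the `cryptography` package, falling back to pycryptodome if that is absent.
"""
import gzip

XOR_MASK = 0x5A             # assumed obfuscation constant
GZIP_MAGIC = b"\x1f\x8b"


def decode_ints(ints, mask=XOR_MASK) -> bytes:
    """Undo the integer obfuscation: each stored int becomes one key/IV byte."""
    return bytes((i ^ mask) & 0xFF for i in ints)


def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Raw AES-CBC without padding, via whichever AES library is installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = cipher.decryptor() if decrypt else cipher.encryptor()
        return op.update(data) + op.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.decrypt(data) if decrypt else c.encrypt(data)


def pkcs7_pad(b: bytes) -> bytes:
    n = 16 - len(b) % 16
    return b + bytes([n]) * n


def pkcs7_unpad(b: bytes) -> bytes:
    n = b[-1] if b else 0
    if not 1 <= n <= 16 or b[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS7 padding (wrong key or corrupt blob)")
    return b[:-n]


def decrypt_payload(key_ints, iv_ints, blob: bytes) -> bytes:
    """Obfuscated ints -> key/IV, AES-256-CBC decrypt, strip padding, gunzip."""
    key, iv = decode_ints(key_ints), decode_ints(iv_ints)
    if len(key) != 32 or len(iv) != 16:
        raise ValueError(f"expected 32-byte key and 16-byte IV, got {len(key)}/{len(iv)}")
    if len(blob) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    plain = pkcs7_unpad(_aes_cbc(key, iv, blob, decrypt=True))
    if not plain.startswith(GZIP_MAGIC):  # cheap sanity check before inflating
        raise ValueError("decrypted data is not gzip: key, IV or obfuscation constant is wrong")
    return gzip.decompress(plain)


def encrypt_payload(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Inverse pipeline (gzip, pad, encrypt); used here only to build a constructed sample."""
    return _aes_cbc(key, iv, pkcs7_pad(gzip.compress(payload, mtime=0)), decrypt=False)


def build_sample():
    """Constructed key, IV and payload; returns the obfuscated ints, the blob and the plaintext."""
    key = bytes(range(1, 33))    # constructed, not a real key
    iv = bytes(range(100, 116))
    payload = b"MZ" + b"constructed stand-in for a .NET assembly " * 64
    blob = encrypt_payload(key, iv, payload)
    return [b ^ XOR_MASK for b in key], [b ^ XOR_MASK for b in iv], blob, payload


if __name__ == "__main__":
    key_ints, iv_ints, blob, payload = build_sample()
    print(len(blob), decrypt_payload(key_ints, iv_ints, blob) == payload)
```

The GZip check matters in practice: a wrong key or a wrong obfuscation constant usually fails the padding check, and when it does not, the two magic bytes stop the decoder before it feeds garbage to the inflater. Output from .NET's GZipStream is ordinary RFC 1952 data, so `gzip.decompress` handles it unchanged.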
Morphisec reported similarities in phishing infrastructure and tactics with earlier Rhadamanthys and Lumma campaigns, but noted the distinct architecture of ResolverRAT’s loader and payload warranted its classification as a separate malware family.