Verticals Targeted: Healthcare, Pharmaceutical
Regions Targeted: Language based targeting of Czech, Hindi, Indonesian, Italian, Portuguese, Turkish
Related Families: Rhadamanthys, Lumma
Executive Summary
ResolverRAT is a sophisticated remote access trojan (RAT) targeting healthcare and pharmaceutical sectors globally. Deployed via localized phishing campaigns, this previously undocumented malware employs advanced in-memory execution and evasion techniques to steal sensitive data.
Key Takeaways
- ResolverRAT uses fear-based phishing emails in multiple languages, including Czech, Hindi, and Italian, to maximize infection rates.
- The malware operates entirely in memory, leveraging .NET ResourceResolve event hijacking to evade traditional security monitoring.
- ResolverRAT utilizes AES-256 encryption in CBC mode with obfuscated keys and GZip compression for payload protection.
- ResolverRAT employs certificate pinning, IP rotation, and ProtoBuf serialization to maintain persistent, stealthy communication.
What is ResolverRAT?
ResolverRAT is a new remote access trojan (RAT) targeting healthcare and pharmaceutical organizations worldwide. Observed as recently as March 10, 2025, this malware stands out due to its sophisticated in-memory execution and layered evasion techniques, distinguishing it from related threats like Rhadamanthys and Lumma, despite shared phishing infrastructure. Morphisec reported on this activity.
ResolverRAT’s infection chain begins with phishing emails crafted in local languages such as Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish. These emails employ fear-based lures, often citing legal or copyright violations, to trick users into downloading a legitimate executable, which triggers the malware via DLL side-loading.
The initial stage involves a loader that decrypts and executes the payload using multiple anti-analysis techniques. Written in .NET, the loader leverages the System.Security.Cryptography namespace to implement AES-256 encryption in CBC mode, with keys and initialization vectors stored as obfuscated integers decoded at runtime. The payload is further compressed using GZip and exists solely in memory, minimizing disk-based detection. ResolverRAT’s use of .NET ResourceResolve event hijacking allows it to intercept legitimate resource requests and inject malicious assemblies without modifying PE headers or invoking suspicious APIs, a technique Morphisec describes as “malware evolution at its finest.” The payload decryption occurs within the RunVisibleHandler() method, employing a complex state machine with control flow flattening to thwart static analysis. This state machine uses non-sequential transitions and system fingerprinting to evade sandboxes and debuggers.
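The decryption chain described above (AES-256 in CBC mode with key and IV material recovered from obfuscated integers, followed by GZip decompression of a payload that only ever exists in memory) is the part an analyst has to reproduce to pull the second stage out of a captured loader for static analysis and signature development. The following Go program is an added example written for this report, not code from ResolverRAT or from Morphisec's analysis: it mirrors that pipeline in the other direction, with a PE-header sanity check so that a wrong key or IV is reported rather than yielding garbage. The XOR-with-constant integer obfuscation, the little-endian word layout, the compress-then-encrypt order and the PKCS#7 padding are assumptions made for the example; the sample's real decoding routine must be read out of the loader itself.

```go
// Added example (not ResolverRAT's or Morphisec's code): analyst-side recovery of an
// AES-256-CBC + GZip packed payload, with key/IV material decoded from integer arrays.
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// DecodeObfuscatedInts rebuilds key or IV bytes from 32-bit words that were stored
// XORed with a constant. The XOR mask and little-endian layout are assumptions for
// this example, not the sample's real scheme.
func DecodeObfuscatedInts(words []uint32, mask uint32) []byte {
	out := make([]byte, 4*len(words))
	for i, w := range words {
		binary.LittleEndian.PutUint32(out[4*i:], w^mask)
	}
	return out
}

// pkcs7Unpad strips the padding that .NET's AES implementation applies by default.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// RecoverPayload decrypts the blob with AES-256-CBC, gunzips the result and checks
// for an MZ header so a wrong key/IV fails loudly instead of producing noise.
func RecoverPayload(blob, key, iv []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("expected 32-byte AES-256 key, got %d", len(key))
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("expected %d-byte IV, got %d", aes.BlockSize, len(iv))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not block aligned")
	}
	plain := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, blob)
	plain, err = pkcs7Unpad(plain)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w (wrong key or IV?)", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, fmt.Errorf("gunzip: %w", err)
	}
	defer zr.Close()
	payload, err := io.ReadAll(zr)
	if err != nil {
		return nil, fmt.Errorf("gunzip: %w", err)
	}
	if len(payload) < 2 || payload[0] != 'M' || payload[1] != 'Z' {
		return nil, errors.New("decrypted data does not start with an MZ header")
	}
	return payload, nil
}

// BuildSampleBlob packs a constructed stand-in payload the way the loader is assumed
// to carry it (gzip, then AES-CBC with PKCS#7). It exists only to feed the example.
func BuildSampleBlob(payload, key, iv []byte) []byte {
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	w.Write(payload)
	w.Close()
	data := gz.Bytes()
	pad := aes.BlockSize - len(data)%aes.BlockSize
	data = append(data, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	return out
}

func main() {
	const mask = 0x5A5A5A5A // constructed obfuscation constant
	keyWords := make([]uint32, 8) // 8 words -> 32-byte key
	ivWords := make([]uint32, 4)  // 4 words -> 16-byte IV
	for i := range keyWords {
		keyWords[i] = uint32(0x01010101*(i+1)) ^ mask
	}
	for i := range ivWords {
		ivWords[i] = uint32(0x10101010*(i+1)) ^ mask
	}
	key := DecodeObfuscatedInts(keyWords, mask)
	iv := DecodeObfuscatedInts(ivWords, mask)
	// Constructed stand-in for a .NET assembly: an MZ header followed by zeros.
	fake := append([]byte("MZ"), make([]byte, 62)...)
	blob := BuildSampleBlob(fake, key, iv)
	got, err := RecoverPayload(blob, key, iv)
	fmt.Println("recovered bytes:", len(got), "err:", err)
	_, err = RecoverPayload(blob, bytes.Repeat([]byte{0xff}, 32), iv)
	fmt.Println("wrong key:", err)
}
```

In practice the key and IV words come from the integer arrays an analyst locates next to the loader's AES setup, and the blob is the encrypted resource the ResourceResolve handler serves; the MZ check is what turns a silent failure into an actionable "wrong key" result when iterating over candidate constants.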
For persistence, ResolverRAT creates up to 20 obfuscated registry entries across multiple locations and installs itself in various directories. Its command-and-control (C2) infrastructure is equally robust, utilizing a custom protocol over standard ports to blend with legitimate traffic. Certificate pinning and a parallel trust system bypass traditional SSL inspection, while IP rotation ensures connectivity if primary C2 servers are disrupted. Connection attempts occur at random intervals via timer callbacks, and data serialization uses Protocol Buffers (ProtoBuf) for efficiency and obfuscation. ResolverRAT’s multi-threaded architecture processes commands concurrently, with robust error handling to prevent crashes. For data exfiltration, files exceeding 1 MB are split into 16 KB chunks, transmitted only when sockets are ready, reducing detection risks and enabling recovery from network disruptions.
While similarities in phishing tactics and binary reuse suggest potential overlap with Rhadamanthys and Lumma campaigns, ResolverRAT’s unique loader and payload architecture justify its classification as a distinct family. PolySwarm analysts consider ResolverRAT to be an emerging threat.
IOCs
PolySwarm has multiple samples of ResolverRAT.
c3028a3c0c9b037b252c046b1b170116e0edecf8554931445c27f0ddb98785c1
80625a787c04188be1992cfa457b11a166e19ff27e5ab499b58e8a7b7d44f2b9
You can use the following CLI command to search for all ResolverRAT samples in our portal:
$ polyswarm link list -f ResolverRAT
Contact us at hivemind@polyswarm.io.