Shane

ResolverRAT: The New Threat Targeting Healthcare and Pharmaceutical Organizations

Understanding ResolverRAT: The New Threat to Healthcare Organizations

ResolverRAT is a new remote access trojan (RAT) being used against organizations globally, with recent attacks specifically targeting the healthcare and pharmaceutical sectors. Discovered by Morphisec researchers, this malware has been named ‘Resolver’ due to its heavy reliance on runtime resolution mechanisms and dynamic resource handling, which make static and behavioral analysis significantly more difficult.

The malware is distributed through phishing emails that claim to concern legal matters or copyright violations, written in the language of the target’s country. These emails contain a link to download a legitimate executable (‘hpreader.exe’), which is leveraged to inject ResolverRAT into memory using reflective DLL loading.

Technical Capabilities

ResolverRAT is remarkably sophisticated, featuring:

  1. A multi-stage process designed to evade detection – The first stage is a loader that decrypts and executes the payload, employing anti-analysis techniques. The payload is AES-256 encrypted and compressed, with the keys stored as obfuscated integers.
  2. In-memory execution – The malicious code runs entirely in memory after decryption, leaving nothing on disk for static analysis.
  3. Persistence mechanisms – The malware creates up to 20 registry entries across multiple locations and obfuscates the registry key names and file paths, while also installing copies of itself in multiple locations.
  4. Stealthy operations – ResolverRAT uses a complex state machine to obfuscate control flow, making static analysis extremely difficult, and detects sandbox and analysis tools by fingerprinting resource requests. It continues to execute in the presence of debugging tools, using misleading and redundant code and operations designed to complicate analysis.
  5. String obfuscation and resolver hijacking – Strings are obfuscated to prevent detection, and .NET resource resolvers are hijacked to inject malicious assemblies without triggering security tools.
  6. Advanced communications – It connects to its operators through scheduled callbacks at random intervals, evading detection rules that look for beaconing patterns. Every command sent by the operators is handled in a dedicated thread, enabling parallel task execution while ensuring that a failed command does not crash the malware.
  7. Sophisticated data exfiltration – Files larger than 1MB are split into 16KB chunks, which helps the malicious traffic blend in with normal patterns. Before sending each chunk, ResolverRAT checks whether the socket is ready for writing, avoiding errors on congested or unstable networks. The mechanism includes error handling and data recovery, resuming transfers from the last successful chunk.
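The chunked exfiltration in item 7 is also something a defender can look for on the wire. The following Python script is an added example, not code from the original post or from Morphisec: it parses constructed flow records (the `<epoch> <host> <dst_ip:port> out=<bytes>` format, the host names and the 203.0.113.x / 198.51.100.x addresses are all assumptions) and raises an alert for any host-to-destination pair that has sent many near-16KB outbound segments adding up to more than 1MB, while leaving ordinary mixed-size traffic and short uniform runs alone. The thresholds MIN_CHUNKS and TOLERANCE are assumed starting points to be tuned against your own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass

CHUNK_SIZE = 16 * 1024        # 16KB chunks, as described in the Morphisec analysis
MIN_TOTAL = 1024 * 1024       # chunking applies to files larger than 1MB
MIN_CHUNKS = 8                # assumed threshold: uniform chunks seen before we alert
TOLERANCE = 64                # assumed: tolerate small framing overhead per chunk


@dataclass
class Flow:
    ts: float
    host: str
    dst: str        # "ip:port"
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<epoch> <host> <dst_ip:port> out=<bytes>'."""
    ts, host, dst, out = line.split()
    return Flow(float(ts), host, dst, int(out.split("=", 1)[1]))


def find_chunked_transfers(lines):
    """Return one alert per (host, dst) pair that sent at least MIN_CHUNKS near-16KB
    segments adding up to at least MIN_TOTAL bytes."""
    by_pair = defaultdict(list)
    for flow in map(parse_flow, lines):
        by_pair[(flow.host, flow.dst)].append(flow)

    alerts = []
    for (host, dst), flows in by_pair.items():
        uniform = [f for f in flows if abs(f.bytes_out - CHUNK_SIZE) <= TOLERANCE]
        total = sum(f.bytes_out for f in flows)
        # Both conditions must hold: a long run of same-sized segments AND a
        # total that matches the "files larger than 1MB" behaviour.
        if len(uniform) >= MIN_CHUNKS and total >= MIN_TOTAL:
            flows.sort(key=lambda f: f.ts)
            alerts.append({
                "host": host,
                "dst": dst,
                "chunks": len(uniform),
                "bytes": total,
                "seconds": round(flows[-1].ts - flows[0].ts, 2),
            })
    return alerts


def sample_log():
    """Constructed flow records (not real telemetry): one chunked transfer plus noise."""
    lines = []
    base = 1741600000.0  # arbitrary epoch start for the constructed data
    # 70 consecutive 16KB segments from ws-17 to one external address: ~1.1MB in total.
    for i in range(70):
        lines.append(f"{base + i * 0.05:.2f} ws-17 203.0.113.45:443 out=16384")
    # Ordinary web traffic: mixed sizes, a single 16KB segment, well under 1MB.
    lines += [
        f"{base + 1:.2f} ws-17 198.51.100.7:443 out=512",
        f"{base + 2:.2f} ws-17 198.51.100.7:443 out=2048",
        f"{base + 3:.2f} ws-17 198.51.100.7:443 out=16384",
    ]
    # A short run of uniform 16KB writes that never reaches the 1MB total.
    for i in range(10):
        lines.append(f"{base + 10 + i:.2f} ws-02 203.0.113.9:8080 out=16384")
    return lines


if __name__ == "__main__":
    for alert in find_chunked_transfers(sample_log()):
        print(alert)
```

Run against the constructed data, only the ws-17 to 203.0.113.45:443 pair is reported; in production the same logic would be fed from firewall or NetFlow exports, and the chunk-size tolerance widened to cover whatever framing the transport adds.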

[Image: Registry-Based Persistence – Source: Morphisec]

Who is Being Targeted?

Organizations in the healthcare and pharmaceutical sectors have been the primary targets of ResolverRAT, according to Morphisec. The malware has been observed in attacks as recently as March 10, 2025.

Researchers have observed phishing attacks in multiple languages, including Italian, Czech, Hindi, Turkish, Portuguese, and Indonesian, indicating a global operational scope that could expand to include more countries.

The threat actor has been targeting users in multiple countries with emails in the recipients’ native languages, often referencing legal investigations or copyright violations to create a sense of urgency.

Who is Behind the Attacks?

While ResolverRAT shares traits with Rhadamanthys and Lumma RAT campaigns, researchers have labeled it as a new malware family, likely linked to shared threat actor infrastructure.

Morphisec discovered this previously undocumented malware and noted that the same phishing infrastructure was documented in recent reports by Check Point and Cisco Talos. Those reports highlighted the distribution of the Rhadamanthys and Lumma stealers but did not capture the distinct ResolverRAT payload.

The campaign has yet to be attributed to a specific group or country, although the similarities in lure themes and the use of DLL side-loading with previously observed phishing attacks suggest a possible connection to existing threat actors. The alignment in techniques indicates a possible overlap in threat actor infrastructure or operational playbooks, potentially pointing to a shared affiliate model or coordinated activity among related threat groups.

[Image: Breaking Larger Files Into Chunks – Source: Morphisec]

Mitigations and Protection

To protect your organization from ResolverRAT and similar threats:

  1. Implement robust email security: Since ResolverRAT spreads via phishing emails, enhancing email security measures is crucial.
  2. User education: Train employees to recognize phishing attempts, particularly those that use legal or copyright violation claims as lures.
  3. Deploy advanced endpoint protection: Use solutions that can detect in-memory execution and unusual DLL loading behavior.
  4. Monitor for suspicious registry modifications: Since ResolverRAT uses registry entries for persistence, monitor for unexpected registry changes.
  5. Implement network monitoring: Watch for irregular connection patterns and data exfiltration attempts, especially chunked data transfers.
  6. Keep systems updated: Ensure all software and security tools are regularly updated to protect against known vulnerabilities.

How CinchOps Can Secure Your Business

CinchOps offers comprehensive security solutions that can protect your organization from sophisticated threats like ResolverRAT:

  • Advanced Email Filtering: Blocks sophisticated phishing attempts and malicious attachments before they reach your inbox.
  • Endpoint Detection and Response: Continuously monitors your devices to identify and neutralize threats like ResolverRAT that execute in memory.
  • Network Traffic Analysis: Detects suspicious communication patterns and data exfiltration attempts using AI-powered behavior analysis.
  • Security Awareness Training: Empowers your employees to recognize and report phishing attempts through engaging, practical training sessions.
  • 24/7 Security Monitoring: Provides round-the-clock surveillance of your systems by certified security experts who respond immediately to incidents.
  • Threat Intelligence Integration: Incorporates the latest threat data to proactively defend against emerging attack techniques and vulnerabilities.

With ResolverRAT and similar advanced threats targeting healthcare and pharmaceutical organizations, having a strong security partner is more important than ever. Contact CinchOps today to learn how we can help secure your organization against these evolving threats.


Discover More

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: The Growing Cybersecurity Crisis in Healthcare: 2025 Report Analysis
For Additional Information on this topic, check out: New Malware Variant Identified: ResolverRAT Enters the Maze
