A newly identified remote access trojan (RAT) called ResolverRAT is actively targeting healthcare and pharmaceutical organizations around the world. According to researchers, the malware is spread through phishing emails disguised as legal or copyright notices, often written in the target's local language to increase credibility. The emails lure recipients into downloading and running a file named hpreader.exe, a legitimate, signed PDF reader executable that is abused to side-load a malicious DLL placed next to it. That loader then uses reflective DLL loading to stage ResolverRAT directly in memory, so no malware executable is written to disk for file-based scanners to inspect.
What sets ResolverRAT apart is how it executes inside .NET's managed memory. Rather than dropping an assembly on disk or calling the native loader routines (LoadLibrary, CreateRemoteThread and similar) that endpoint detection products hook, it registers a handler for the .NET runtime's assembly-resolution event and hands the runtime a decrypted payload straight from a byte array. No file is mapped and none of the commonly monitored Win32 APIs are invoked, which makes the load invisible to tools that key on those signals; only telemetry that watches the CLR itself, such as .NET's own ETW assembly-load events, still sees it.
Once active, ResolverRAT grants attackers comprehensive control over infected systems. Its capabilities include taking screenshots, capturing keystrokes, executing arbitrary commands, uploading or downloading files, and stealing credentials. These features make it particularly dangerous in environments where sensitive data—such as research, patient information, or proprietary drug development files—is at risk.
ResolverRAT's attack infrastructure overlaps in part with campaigns distributing the Lumma and Rhadamanthys information stealers, but ResolverRAT's payload and delivery method mark it as a distinct threat.
Combined with its advanced evasion tactics, ResolverRAT poses a serious threat to critical sectors that handle high-value data.
Source: Bleeping Computer
While the steady discovery of new RATs like ResolverRAT and StilachiRAT may seem routine in the cybersecurity landscape, ResolverRAT stands out for several notable reasons.
Unlike many commodity RATs, ResolverRAT uses a relatively rare evasion technique: it hooks the .NET AppDomain.AssemblyResolve event (the origin of its name) so that the runtime asks the malware for the assembly it needs, and the malware supplies it from memory instead of from a file on disk. Because the load never touches the file system or the native loader APIs that endpoint detection tools instrument, it is exceptionally difficult for traditional tooling to identify. This kind of stealth is more commonly associated with advanced persistent threat (APT) actors than with mass-market crimeware.
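The following is an added hunting example written for this post; it is not code from the original article, from the researchers, or from the malware. It turns the two observable facts above into checks: an assembly supplied from a byte array has no on-disk location (in .NET, such an assembly's Location is an empty string, and no file-load event is ever produced for it), and the lure is a known PDF reader executable being run from wherever the user saved it. The event records and their field names are a simplified, constructed schema standing in for real Sysmon process-creation and CLR ETW assembly-load telemetry; the process ids, paths and the assembly name "Stage2" are invented for the sample.

```python
"""
Added example: correlate two signals from the ResolverRAT write-up.

  1. hpreader.exe executing from a user-writable directory (the phishing
     lure is downloaded by the user, so it does not live under Program Files).
  2. A managed assembly loaded with no backing file, which is exactly what an
     AppDomain.AssemblyResolve handler returning Assembly.Load(byte[]) produces.

Record schema is constructed for this example, not a real Sysmon/ETW export:
  {"type": "process_create", "pid": int, "image": str}
  {"type": "assembly_load",  "pid": int, "assembly": str, "path": str}
"""
from collections import defaultdict

LURE_EXECUTABLE = "hpreader.exe"

# Directories an ordinary user can write to. A signed reader launched from one
# of these rather than from its install directory matches the delivery pattern.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def is_lure_from_user_path(event):
    """True for a process_create of hpreader.exe in a user-writable directory."""
    if event["type"] != "process_create":
        return False
    image = event["image"].lower()
    return image.endswith("\\" + LURE_EXECUTABLE) and any(
        marker in image for marker in USER_WRITABLE_MARKERS
    )


def is_memory_only_assembly(event):
    """True for an assembly_load with no file path: loaded from a byte array."""
    return event["type"] == "assembly_load" and not event.get("path")


def hunt(events):
    """Group signals per process id and score them.

    high   - lure process that also loaded a memory-only assembly
    medium - lure process only (sideload may have failed or not run yet)
    low    - memory-only assembly in some other process; scripting hosts and
             build tools do this legitimately, so allow-list before alerting
    """
    by_pid = defaultdict(lambda: {"lure": False, "memory_assemblies": []})
    for event in events:
        if is_lure_from_user_path(event):
            by_pid[event["pid"]]["lure"] = True
        elif is_memory_only_assembly(event):
            by_pid[event["pid"]]["memory_assemblies"].append(event["assembly"])

    findings = []
    for pid, sig in by_pid.items():
        if sig["lure"] and sig["memory_assemblies"]:
            severity = "high"
        elif sig["lure"]:
            severity = "medium"
        else:
            severity = "low"
        findings.append(
            {"pid": pid, "severity": severity, "memory_assemblies": sig["memory_assemblies"]}
        )
    return findings


# Constructed sample telemetry (pids, paths and the "Stage2" name are made up).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4242, "image": r"C:\Users\alice\Downloads\hpreader.exe"},
    {"type": "assembly_load", "pid": 4242, "assembly": "System.Core",
     "path": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll"},
    {"type": "assembly_load", "pid": 4242, "assembly": "Stage2", "path": ""},
    # Same reader installed normally: not the lure pattern.
    {"type": "process_create", "pid": 5151, "image": r"C:\Program Files\PDF Reader\hpreader.exe"},
    # A scripting host loading a dynamic assembly from memory: benign noise.
    {"type": "process_create", "pid": 6262,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "assembly_load", "pid": 6262, "assembly": "DynamicAssembly", "path": ""},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The scoring deliberately separates the two signals: memory-only assembly loads on their own are far too common (PowerShell, MSBuild, many installers) to page on, but the same process being a document reader launched from Downloads and then resolving an assembly that has no file behind it is the combination the article describes, and that is worth an alert.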
Another aspect that differentiates ResolverRAT is its use of highly localized phishing emails. Delivering the malware via lures tailored to the recipient’s native language and cultural context indicates a level of targeting and campaign planning that suggests more than just opportunistic attacks.
Its focus on healthcare and pharmaceutical organizations is also telling: these organizations hold sensitive research data, proprietary drug development information and patient records, which makes them attractive targets for both espionage and financially motivated attacks.
So, while it may be tempting to view ResolverRAT as just another entry in the long list of RATs, its technical sophistication, strategic targeting, and stealthy execution set it apart from average malware variants. It reflects an ongoing trend in which threat actors combine advanced evasion tactics with precision targeting to maximize the impact of their campaigns.
Field Effect's Security Intelligence team constantly monitors the cyber threat landscape for threats related to the discovery of RATs like ResolverRAT. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate these threats. Field Effect MDR users are automatically notified when threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect portal.
To mitigate the risks posed by RATs like ResolverRAT, Field Effect recommends that organizations implement robust email security measures, train employees to scrutinize unsolicited emails (including legal or copyright notices that arrive in their own language), and monitor endpoint and network activity for signs of unauthorized remote access, such as outbound connections from a document reader or other application that has no reason to reach the internet.
Field Effect users are encouraged to submit suspicious emails to Field Effect's Suspicious Email Analysis Service (SEAS) to confirm whether they are benign.