
A newly discovered remote access trojan (RAT), dubbed ResolverRAT, has been observed targeting organizations in the healthcare and pharmaceutical sectors. Discovered by Morphisec Threat Labs, this malware employs advanced evasion techniques, making detection and analysis particularly challenging. The threat actor behind ResolverRAT leverages multilingual phishing campaigns and in-memory execution to bypass traditional security measures.
Technical Overview of ResolverRAT
ResolverRAT is distributed primarily through phishing emails localized in Italian, Hindi, Turkish, and other languages. These emails often pose as legal or copyright-violation notices to trick recipients into downloading malicious payloads. The malware is delivered through DLL sideloading: hpreader.exe, a signed but vulnerable executable previously seen in campaigns such as Rhadamanthys, loads the malicious DLL [1, 2, 8].
One of the key characteristics of ResolverRAT is its use of in-memory execution to avoid writing payloads to disk. The payloads are AES-256 encrypted and gzip-compressed, further complicating detection. Additionally, the malware employs numeric string IDs, encrypted resources, and a complex state machine for decryption [1, 9].
Evasion and Persistence Techniques
ResolverRAT establishes persistence by creating over 20 registry entries and copying itself into directories such as the Startup folder and LocalAppData [4, 8]. Its command-and-control (C2) communication uses custom certificate validation to bypass root certificate authorities, and it employs IP rotation and fragmented data exfiltration (16 KB chunks for files larger than 1 MB) to blend in with normal network traffic [2, 7].
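The fragmented-exfiltration behaviour described above lends itself to a simple network-side heuristic. The script below is an added example and is not code from the cited reports or from Morphisec's analysis; it assumes a constructed, comma-separated flow-record format and hypothetical thresholds (`MIN_CHUNKS`, `CHUNK_TOLERANCE`), and it groups by source host rather than by destination because the report notes IP rotation across C2 addresses.

```python
from collections import defaultdict

# Parameters taken from the behaviour described in the report; thresholds are assumptions.
CHUNK_SIZE = 16 * 1024         # 16 KB exfiltration chunks
CHUNK_TOLERANCE = 512          # allow some framing/encryption overhead per chunk
MIN_TOTAL_BYTES = 1024 * 1024  # only files larger than 1 MB are fragmented
MIN_CHUNKS = 16                # hypothetical floor to suppress one-off matches


def is_chunk_sized(nbytes: int) -> bool:
    """True when a flow's outbound payload is within tolerance of the chunk size."""
    return abs(nbytes - CHUNK_SIZE) <= CHUNK_TOLERANCE


def parse_flow(line: str) -> dict:
    """Constructed flow-record format (not a real sensor's output):
    timestamp,src_ip,dst_ip,dst_port,bytes_out"""
    ts, src, dst, port, nbytes = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def detect_fragmented_exfil(lines) -> dict:
    """Group chunk-sized outbound flows by source host. Grouping by source rather
    than by (source, destination) is deliberate: with IP rotation, the chunks of
    one file may be spread across several C2 addresses."""
    per_src = defaultdict(lambda: {"chunks": 0, "bytes": 0, "dsts": set()})
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if not is_chunk_sized(flow["bytes"]):
            continue
        s = per_src[flow["src"]]
        s["chunks"] += 1
        s["bytes"] += flow["bytes"]
        s["dsts"].add(flow["dst"])
    alerts = {}
    for src, s in per_src.items():
        if s["chunks"] >= MIN_CHUNKS and s["bytes"] >= MIN_TOTAL_BYTES:
            alerts[src] = {"chunks": s["chunks"], "bytes": s["bytes"],
                           "distinct_dsts": len(s["dsts"])}
    return alerts


def build_sample_flows() -> list:
    """Constructed sample: 10.0.0.5 pushes 70 chunks of ~16 KB to three rotating
    addresses (TEST-NET-3 placeholders); 10.0.0.9 carries ordinary mixed traffic."""
    c2 = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    lines = []
    for i in range(70):
        lines.append(f"2025-04-15T10:{i // 60:02d}:{i % 60:02d},10.0.0.5,"
                     f"{c2[i % 3]},443,{CHUNK_SIZE + (i % 7)}")
    for i, n in enumerate([1200, 16384, 530000, 800, 16500, 2048]):
        lines.append(f"2025-04-15T10:05:{i:02d},10.0.0.9,198.51.100.20,443,{n}")
    return lines


if __name__ == "__main__":
    for src, info in detect_fragmented_exfil(build_sample_flows()).items():
        print(f"{src}: {info['chunks']} chunks, {info['bytes']} bytes, "
              f"{info['distinct_dsts']} destinations")
```

On the constructed sample only 10.0.0.5 is reported: 70 chunk-sized flows totalling just over 1 MB spread across three destinations, which is exactly the pattern a per-destination volume threshold would miss. The tolerance and chunk-count floor are the knobs to tune against real traffic, since some backup and sync clients also send fixed-size blocks.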
The malware is capable of stealing sensitive data, including patient records and credentials, and includes sandbox and virtual machine detection to hinder analysis [2, 9]. These features suggest that the threat actor behind ResolverRAT is technically advanced, with infrastructure overlaps to previous campaigns such as Rhadamanthys and Lumma [3, 7].
Mitigation and Detection Strategies
Given the sophistication of ResolverRAT, organizations in the healthcare and pharmaceutical sectors should prioritize user training to recognize phishing attempts. Endpoint protection solutions with behavioral detection capabilities can help identify memory anomalies and should audit unusual registry changes, while network monitoring should look for fragmented data transfers [1, 6, 9].
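To make the registry-auditing recommendation concrete, the routine below is an added example, not code from the cited reports. It assumes a constructed pipe-separated event format (process image, registry key, value name, value data), and the key names and file paths in the sample are placeholders rather than ResolverRAT's real persistence locations. It flags the two behaviours the report describes: autorun entries that point into user-writable locations such as LocalAppData or the Startup folder, and a single process writing more than 20 registry values.

```python
import re
from collections import defaultdict

# Autorun locations a persistence mechanism commonly writes to.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Launch targets in the user-writable locations named in the report.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\Local\\|\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
BURST_THRESHOLD = 20  # "over 20 registry entries" per the report


def parse_event(line: str) -> dict:
    """Constructed event format (not real Sysmon output):
    time|process image|registry key|value name|value data"""
    time, image, key, name, data = line.rstrip("\n").split("|", 4)
    return {"time": time, "image": image, "key": key, "name": name, "data": data}


def classify_event(ev: dict) -> list:
    """Per-event reasons: an autorun write, and whether its target is user-writable."""
    reasons = []
    if AUTORUN_KEY_RE.search(ev["key"]):
        reasons.append("autorun key write")
        if USER_WRITABLE_RE.search(ev["data"]):
            reasons.append("autorun target in user-writable path")
    return reasons


def audit_registry_events(lines) -> dict:
    """Aggregate per process image; add a burst reason when the write count is high."""
    per_proc = defaultdict(lambda: {"writes": 0, "reasons": set()})
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_event(line)
        s = per_proc[ev["image"]]
        s["writes"] += 1
        s["reasons"].update(classify_event(ev))
    findings = {}
    for image, s in per_proc.items():
        reasons = set(s["reasons"])
        if s["writes"] > BURST_THRESHOLD:
            reasons.add(f"burst of {s['writes']} registry writes")
        if reasons:
            findings[image] = {"writes": s["writes"], "reasons": sorted(reasons)}
    return findings


def build_sample_events() -> list:
    """Constructed sample; the per-user key and the dropped-file path are placeholders."""
    dropped = r"C:\Users\alice\AppData\Local\Temp\hpreader.exe"
    lines = []
    # 24 writes to a made-up per-user key, then one Run entry pointing into LocalAppData.
    for i in range(24):
        lines.append(f"2025-04-15T10:00:{i:02d}|{dropped}|HKCU\\Software\\PlaceholderApp|id{i}|{i}")
    lines.append(f"2025-04-15T10:00:30|{dropped}|HKCU\\Software\\Microsoft\\Windows\\"
                 f"CurrentVersion\\Run|Updater|\"{dropped}\"")
    # Benign: an installer registers a Run entry under Program Files; Explorer writes a value.
    lines.append("2025-04-15T10:02:00|C:\\Program Files\\Vendor\\setup.exe|HKCU\\Software\\"
                 "Microsoft\\Windows\\CurrentVersion\\Run|VendorTray|\"C:\\Program Files\\Vendor\\tray.exe\"")
    lines.append("2025-04-15T10:03:00|C:\\Windows\\explorer.exe|HKCU\\Software\\Microsoft\\"
                 "Windows\\CurrentVersion\\Explorer|ShellState|0x0")
    return lines


if __name__ == "__main__":
    for image, info in audit_registry_events(build_sample_events()).items():
        print(image, info["writes"], "; ".join(info["reasons"]))
```

The installer's Run entry still surfaces, with the single reason "autorun key write", so an analyst can triage it; the dropped executable accumulates all three reasons. In practice the process image should be joined with signer information and parent process, since the report's loader is itself a signed binary.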
Microsoft’s recent report highlights the vulnerabilities in the healthcare sector, noting that downtime costs can reach approximately $900K per day [5]. While Mastercard’s study indicates that only 6% of attacks in Spain targeted healthcare between 2021 and 2023, the emergence of ResolverRAT suggests a potential shift in attacker focus [6].
Conclusion
ResolverRAT represents a significant threat to healthcare and pharmaceutical organizations due to its advanced evasion techniques and targeted distribution methods. Security teams should remain vigilant, implementing layered defenses to mitigate the risk posed by this malware. Continuous monitoring, user awareness, and behavioral-based detection tools are critical in defending against such threats.
References
1. “Nuevo malware ResolverRAT ataca a los sectores sanitario y farmacéutico,” CiberSeguridad Latam, 2025.
2. “Alerta Integrada de Seguridad Digital 094-2025,” Peruvian National Cybersecurity Alert, 2025.
3. “ResolverRAT: Nuevo malware amenaza al sector salud y farmacéutico,” TecnetOne Blog, 2025.
4. “ResolverRAT: Nuevo troyano dirigido al sector sanitario y farmacéutico,” Underc0de Forum, 2025.
5. “Informe de ransomware en el sector salud de Microsoft Threat Intelligence,” Microsoft, 2025.
6. “El sector sanitario y la industria farmacéutica entre los que menos ciberataques reciben en España,” Mastercard Report, 2024.
7. “ResolverRAT Targets Healthcare and Pharma Sectors,” Reddit Thread, 2025.
8. “El nuevo malware ResolverRAT ataca a empresas farmacéuticas y sanitarias de todo el mundo,” HFrance Article, 2025.
9. “ResolverRAT Malware: Cómo eliminar,” EnigmaSoftware Removal Guide, 2025.