ResolverRAT: a new remote access trojan threat using advanced in-memory execution and multi-layer evasion techniques
A new remote access trojan, ResolverRAT, targets healthcare and pharmaceutical organizations. It spreads through phishing email and evades detection with in-memory execution, encrypted payloads and certificate pinning. The attackers use localized lures to improve credibility and combine multiple persistence mechanisms to ensure long-term residence. The malware challenges traditional security controls and calls for proactive defensive techniques. 2025-04-14 16:51:02 Author: cybersecuritynews.com

New Stealthy ResolverRAT

A newly identified remote access trojan (RAT) dubbed ResolverRAT has emerged as a significant threat to global enterprises, leveraging advanced in-memory execution and multi-layered evasion techniques to bypass traditional security measures.

Targeting healthcare and pharmaceutical organizations, this malware family employs runtime resource resolution, encrypted payloads, and certificate-pinned command-and-control (C2) infrastructure to remain stealthy.

Morphisec said in a report shared with Cyber Security News that the most recent attack wave was observed on March 10, 2025, underscoring its active deployment in sophisticated cyberespionage campaigns.


Initial Access via Phishing Campaigns

ResolverRAT infections begin with highly tailored phishing emails designed to exploit region-specific linguistic and cultural contexts. Threat actors craft subject lines and content in the recipient’s native language, often invoking urgency through themes related to legal or copyright violations.

Examples include Hindi-language lures referencing “जाँच प्रक्रिया में दर्ज किए गए दस्तावेज़” (“Documents recorded during the investigation process”) and Italian emails titled “Documento per confermare la violazione del copyright”. This localization strategy enhances credibility, increasing the likelihood of user interaction across diverse geographies, reads the Morphisec report.

The payload delivery mechanism employs DLL side-loading via a legitimate signed executable (hpreader.exe), which loads a malicious DLL from the same directory.

This technique mirrors recent campaigns distributing Rhadamanthys and Lumma stealers, suggesting potential infrastructure or tooling overlaps among threat groups.

Reusing identical binaries and phishing themes across campaigns points to a coordinated affiliate model or shared operational playbooks.

In-Memory Loader Architecture and Evasion Techniques

ResolverRAT’s loader uses AES-256 encryption with keys stored as obfuscated integers, decrypted at runtime via the .NET System.Security.Cryptography namespace. The payload remains GZip-compressed and, after decryption, exists solely in memory, avoiding disk-based detection. This approach combines cryptographic protection with operational stealth, leaving minimal forensic artifacts.

Static analysis is thwarted by a dynamic string decoding system in which strings are stored as numeric IDs. The StringObfuscator.GetString(int stringId) method resolves these IDs at runtime, while a concurrent dictionary caches decoded values for performance.

Additionally, the malware hijacks .NET’s ResourceResolve events to intercept resource requests and load malicious assemblies directly from memory. This technique evades security tools monitoring traditional injection vectors by bypassing Win32 API calls and file system operations.

ResolverRAT establishes resilient C2 channels using pre-embedded X509 certificates that bypass system root authorities.

During SSL/TLS handshakes, a custom validation callback matches server certificates against the malware’s embedded certificate, creating a private trust chain. This renders man-in-the-middle (MITM) inspection ineffective and complicates network traffic analysis.
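Pinning to an embedded certificate defeats an inspecting proxy, but the resulting traffic still looks different from ordinary browsing: established sessions to a certificate that chains to nothing in the trust store, or, behind a re-signing proxy, a client that aborts handshake after handshake. The script below is an added example written for this article, not Morphisec's or the malware's code. Its records are constructed in the spirit of a Zeek ssl.log row; the field names, hosts, certificate names and the small trusted-issuer set are invented, and the assumption that a pin mismatch surfaces as a bad_certificate alert is mine.

```python
"""Spot C2-style TLS sessions that pin a private certificate (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Issuers the organisation's trust store chains to (constructed subset).
TRUSTED_ISSUERS = {
    "CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1",
    "CN=R3,O=Let's Encrypt",
}


@dataclass(frozen=True)
class TlsSession:
    ts: float
    src: str
    dst: str
    server_name: Optional[str]   # SNI, None when the client sent none
    subject: Optional[str]
    issuer: Optional[str]
    validation_status: str       # "ok" or the chain error the sensor saw
    established: bool            # did the handshake complete?
    last_alert: Optional[str]    # TLS alert that ended the session, if any


def classify_cert(s: TlsSession) -> str:
    if s.subject is None:
        return "no-cert"
    if s.subject == s.issuer:
        return "self-signed"
    if s.issuer in TRUSTED_ISSUERS and s.validation_status == "ok":
        return "trusted"
    return "untrusted-issuer"


def find_pinned_channels(sessions, min_sessions=3):
    """Return (src, dst) pairs that repeatedly use a private certificate,
    or that repeatedly reject the certificate presented to them."""
    by_pair = defaultdict(list)
    for s in sessions:
        by_pair[(s.src, s.dst)].append(s)
    findings = {}
    for pair, sess in by_pair.items():
        private = [s for s in sess if s.established
                   and classify_cert(s) in ("self-signed", "untrusted-issuer")]
        rejected = [s for s in sess if not s.established
                    and s.last_alert == "bad_certificate"]
        if len(private) >= min_sessions:
            findings[pair] = (f"{len(private)} established sessions to a "
                              "certificate outside the trust store")
        elif len(rejected) >= min_sessions:
            findings[pair] = (f"client aborted {len(rejected)} handshakes with "
                              "bad_certificate (pin mismatch behind inspection?)")
    return findings


# Constructed sessions. Addresses are RFC 5737 test ranges.
SAMPLE = [
    # 10.0.0.5 beacons to a server presenting a self-signed cert, no SNI
    *(TlsSession(1000 + 60 * i, "10.0.0.5", "203.0.113.10", None,
                 "CN=placeholder-c2", "CN=placeholder-c2",
                 "self signed certificate", True, None) for i in range(4)),
    # the same host browsing a normal site
    *(TlsSession(1010 + 7 * i, "10.0.0.5", "198.51.100.20", "www.example.com",
                 "CN=www.example.com", "CN=R3,O=Let's Encrypt",
                 "ok", True, None) for i in range(3)),
    # 10.0.0.7 sits behind a re-signing proxy; the pinned client keeps bailing out
    *(TlsSession(2000 + 60 * i, "10.0.0.7", "203.0.113.10", None,
                 "CN=placeholder-c2", "CN=Corp TLS Inspection CA",
                 "ok", False, "bad_certificate") for i in range(3)),
    # a one-off self-signed device page, below the threshold
    TlsSession(3000, "10.0.0.9", "192.0.2.30", "printer.local",
               "CN=printer", "CN=printer", "self signed certificate", True, None),
]

if __name__ == "__main__":
    for pair, why in find_pinned_channels(SAMPLE).items():
        print(pair, "->", why)
```

The second branch is the one worth keeping in mind when an inspection proxy is deployed: pinning makes the malware blind to the proxy's certificate, so the failed handshakes it generates become the signal.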

Advanced Anti-Analysis and Persistence Mechanisms

The malware employs a multi-state execution flow with hundreds of conditional transitions based on environment checks. Control flow flattening obscures the decryption logic, while dead code and arithmetic-based key computations mislead disassemblers. Resource resolution fingerprinting further detects analysis environments by monitoring assembly request patterns.

ResolverRAT implements over 20 registry entries across HKCU paths and installs copies in AppData, Program Files, and startup folders. Registry keys and file paths are obfuscated via XOR operations, and the malware maintains a fallback hierarchy to ensure persistence even if some methods fail.
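A fallback hierarchy of this kind has a side effect the defender can use: one process touches several distinct persistence locations within seconds, which a normal installer rarely does. The detector below is an added example written for this article, not Morphisec's or the malware's code. It runs over constructed events shaped like Sysmon registry (Event ID 13) and file-creation (Event ID 11) records; every process name, path and value is invented, and the location lists are a small illustrative subset.

```python
"""Flag processes that establish persistence in several places at once (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset of HKCU autorun locations (matching is case-insensitive).
AUTORUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run\ ".strip(),
    r"hkcu\software\microsoft\windows\currentversion\runonce\ ".strip(),
)


@dataclass(frozen=True)
class Event:
    ts: float
    process: str   # image name of the writing process
    kind: str      # "registry" or "file"
    target: str    # registry value path or file path that was created


def persistence_category(ev: Event):
    """Map an event to a persistence location, or None if it is not one.

    Order matters: the Startup folder lives under AppData, so it is checked
    before the generic AppData rule.
    """
    t = ev.target.lower().replace("/", "\\")
    if ev.kind == "registry":
        for key in AUTORUN_KEYS:
            if t.startswith(key):
                return "registry:" + key.rstrip("\\").rsplit("\\", 1)[-1]
        return None
    if "\\start menu\\programs\\startup\\" in t:
        return "file:startup-folder"
    if "\\appdata\\" in t and t.endswith((".exe", ".dll")):
        return "file:appdata"
    if t.startswith(("c:\\program files\\", "c:\\program files (x86)\\")) and t.endswith(".exe"):
        return "file:program-files"
    return None


def find_persistence_bursts(events, window_s=120, min_locations=3):
    """Per process image, the largest set of distinct persistence locations
    touched inside any window_s-second window; quiet processes are dropped.
    Grouping by image name is a simplification; real telemetry keys on PID."""
    per_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        cat = persistence_category(ev)
        if cat:
            per_proc[ev.process].append((ev.ts, cat))
    findings = {}
    for proc, hits in per_proc.items():
        best, start = set(), 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            cats = {c for _, c in hits[start:end + 1]}
            if len(cats) > len(best):
                best = cats
        if len(best) >= min_locations:
            findings[proc] = sorted(best)
    return findings


# Constructed events: one persistence burst, one ordinary installer, noise.
SAMPLE_EVENTS = [
    Event(100, "svchelper.exe", "file", r"C:\Users\alice\AppData\Roaming\svchelper\svchelper.exe"),
    Event(101, "svchelper.exe", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"),
    Event(102, "svchelper.exe", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchelper"),
    Event(105, "svchelper.exe", "file", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchelper.lnk"),
    Event(110, "svchelper.exe", "file", r"C:\Program Files\svchelper\svchelper.exe"),
    Event(500, "setup.exe", "file", r"C:\Program Files\Vendor\vendorapp.exe"),
    Event(501, "setup.exe", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"),
    Event(600, "chrome.exe", "file", r"C:\Users\alice\AppData\Local\Temp\scoped_dir\download.tmp"),
]

if __name__ == "__main__":
    for proc, cats in find_persistence_bursts(SAMPLE_EVENTS).items():
        print(proc, "->", ", ".join(cats))
```

The XOR obfuscation of the key and path strings does not help the malware here: the detector never looks at strings inside the binary, only at where the writes land.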

The C2 framework features IP rotation through obfuscated TestDistributor and CheckDistributor collections, enabling fallback to secondary servers if connections drop.

Data exfiltration uses Protocol Buffers (ProtoBuf) for efficient serialization and 16KB chunking for large transfers, with error handling to prevent data loss. Timer-based beaconing with random intervals masks communication patterns, evading network anomaly detection.
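Random beacon intervals blur the exact period, but bounded jitter still keeps every gap inside a narrow band around the timer, which a robust spread statistic exposes. The script below is an added example written for this article, not Morphisec's or the malware's code. Its connection series are constructed: the beacon is a 60 s timer with +/-20 % uniform jitter, the browsing series is hand-written bursty traffic, and the thresholds are assumptions to be tuned on real data.

```python
"""Detect timer-based beaconing that uses random jitter (added example)."""
import random
import statistics
from collections import defaultdict


def gap_stats(timestamps):
    """Return (median gap, IQR/median) for a connection series, or None.

    Bounded jitter keeps every gap inside a narrow band around the timer
    period, so the interquartile range is small relative to the median.
    Human-driven traffic mixes sub-second bursts with minutes of idle time
    and produces a ratio far above 1, whatever its average rate is.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 4:
        return None
    q1, med, q3 = statistics.quantiles(gaps, n=4)
    if med <= 0:
        return None
    return med, (q3 - q1) / med


def find_beacons(connections, min_connections=12, max_spread=0.5):
    """Group (src, dst, ts) tuples per pair and flag regular series."""
    by_pair = defaultdict(list)
    for src, dst, ts in connections:
        by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_connections:
            continue
        stats = gap_stats(ts)
        if stats and stats[1] <= max_spread:
            findings[pair] = {"connections": len(ts),
                              "period_s": round(stats[0], 1),
                              "spread": round(stats[1], 3)}
    return findings


def jittered_timer(period, jitter, count, seed=2025):
    """Constructed beacon series: a fixed timer with uniform +/- jitter."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(count):
        t += period * rng.uniform(1 - jitter, 1 + jitter)
        out.append(t)
    return out


def bursty_series(gaps):
    """Constructed browsing series from a list of hand-written gaps."""
    t, out = 0.0, [0.0]
    for g in gaps:
        t += g
        out.append(t)
    return out


C2 = "203.0.113.10"   # RFC 5737 test address standing in for a C2 server
BROWSING_GAPS = [0.3, 0.4, 12, 0.2, 95, 1.1, 0.5, 300, 2.2,
                 0.9, 40, 1800, 0.6, 3.3, 7, 0.2, 25, 0.8]
SAMPLE_CONNECTIONS = (
    [("10.0.0.5", C2, t) for t in jittered_timer(60, 0.2, 40)]
    + [("10.0.0.5", "198.51.100.20", t) for t in bursty_series(BROWSING_GAPS)]
)

if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE_CONNECTIONS).items():
        print(pair, info)
```

The IQR-over-median ratio is the reason the jitter does not help: +/-20 % jitter can only ever produce a ratio around 0.2, while genuinely interactive traffic lands an order of magnitude higher. Tune min_connections to the retention window so that slow beacons still accumulate enough samples.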

ResolverRAT’s combination of memory-only execution, certificate pinning, and environment-aware evasion poses challenges for signature-based detection tools.

Morphisec advocates for Automated Moving Target Defense (AMTD), which preemptively disrupts attack chains by randomizing memory layouts and blocking unauthorized code execution. This approach contrasts with reactive solutions that ResolverRAT’s techniques specifically circumvent.

The emergence of ResolverRAT highlights the escalating sophistication of cyber threats leveraging runtime dynamics and cryptographic obfuscation.

As threat actors refine their evasion capabilities, organizations must adopt proactive defense mechanisms capable of neutralizing advanced persistent threats before they establish footholds. Continuous monitoring of phishing trends and investment in behavioral analysis technologies will be critical to mitigating risks posed by such stealthy malware families.



Source: https://cybersecuritynews.com/new-stealthy-resolverrat/