Native Language Phishing Spreads ResolverRAT to Healthcare – Source:hackread.com

Morphisec discovers a new malware threat ResolverRAT, that combines advanced methods for running code directly in computer memory, figuring out necessary system functions and resources as it runs, and employing multiple layers of techniques to avoid detection by security software.

A new and sophisticated piece of malware, dubbed ResolverRAT by Morphisec researchers, has been discovered actively targeting organisations within the healthcare and pharmaceutical sectors, with the most recent wave of attacks occurring around March 10, 2025.

Morphisec’s Threat Labs researchers dubbed it Resolver because of the malware’s high reliance on figuring things out and handling resources dynamically while running, making it much harder for traditional methods to detect it.

According to researchers, ResolverRAT is distributed via phishing emails designed to create a sense of urgency or fear, pressuring recipients to click on a malicious link. Once clicked, the link leads to a file that starts the ResolverRAT infection process.

This is a highly localised phishing attack as the emails are written in the native language of the targeted country and consistently use alarming subjects, such as legal investigations or copyright violations. This multi-language approach suggests a global operation aimed at maximising successful infections through personalised targeting.

ResolverRAT infections begin with DLL side-loading, a technique that involves placing a malicious DLL file alongside a legitimate, signed program, identified as ‘hpreader.exe‘ in this case. When ‘hpreader.exe’ is executed, it unknowingly loads the malicious DLL, triggering the malware’s execution.

Interestingly, the same executable was identified by CPR in a recent campaign distributing the Rhadamanthys malware, and Cisco Talos documented similar phishing techniques used to deliver Lumma information-stealing malware. This could suggest that the groups are reusing tools, sharing resources, or part of a coordinated effort or shared network of cybercriminal affiliates.

ResolverRAT employs multiple layers of evasion to avoid detection, including extensive code obfuscation and a custom protocol over standard ports to blend network traffic. It executes malicious code directly in the computer’s memory (in-memory execution) and dynamically identifies and uses necessary system functions as it runs (API resolution).

To stay on an infected system even after a reboot, ResolverRAT creates up to 20 entries in the Windows Registry, spread across various locations, and installs copies of itself in various locations.

Moreover, the malware uses a unique method of certificate validation and ‘.NET Resource Resolver Hijacking’ technique is a key element of its stealth. Additionally, it attempts to fingerprint analysis environments and can alter its behaviour when it detects it’s being examined.

It allows attackers to steal sensitive information like credentials and patient data, breaking large datasets into smaller chunks for easier transmission. ResolverRAT also has remote access capabilities, allowing attackers to execute commands, upload files, take screenshots, capture keystrokes, and potentially deploy further malware.

This sophisticated blend of in-memory execution, advanced evasion techniques, and resilient C2 infrastructure poses a substantial threat to sensitive sectors like healthcare and pharmaceuticals, highlighting the need for organisations to adopt proactive defence strategies to effectively counter these threats.