ResolverRAT Campaign Targets Healthcare, Pharma via Phishing and DLL Side-Loading

By News Room. Published 14 April 2025; last updated 2025/04/14 at 12:18 PM.
Cybersecurity researchers have discovered a new, sophisticated remote access trojan called ResolverRAT that has been observed in attacks targeting healthcare and pharmaceutical sectors.

“The threat actor leverages fear-based lures delivered via phishing emails, designed to pressure recipients into clicking a malicious link,” Morphisec Labs researcher Nadav Lorber said in a report shared with The Hacker News. “Once accessed, the link directs the user to download and open a file that triggers the ResolverRAT execution chain.”

The activity, observed as recently as March 10, 2025, overlaps in infrastructure and delivery mechanism with phishing campaigns that have delivered information stealer malware such as Lumma and Rhadamanthys, as documented by Cisco Talos and Check Point last year.

A notable aspect of the campaign is the use of localized phishing lures, with the emails crafted in the languages predominantly spoken in the targeted countries. This includes Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian, indicating the threat actor’s attempts to cast a wide net through region-specific targeting and maximize infection rates.

The textual content in the email messages employs themes related to legal investigations or copyright violations that seek to induce a false sense of urgency and increase the likelihood of user interaction.

The infection chain starts with DLL side-loading: a legitimate, signed executable is made to load a malicious DLL placed beside it. The first stage is an in-memory loader that decrypts and executes the main payload while also incorporating a range of tricks to evade detection. Not only does the ResolverRAT payload use encryption and compression, but it also exists only in memory once it is decoded, leaving no decoded copy on disk.
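The side-loading shape described above (a legitimate executable loading an unsigned DLL from its own, attacker-controlled directory) is something defenders can hunt for in image-load telemetry. The following is an added example, not code from the article or from Morphisec; it assumes Sysmon-style Event ID 7 records with the fields Image, ImageLoaded, Signed and SignatureStatus, and the sample events are constructed rather than taken from the campaign.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Added example (not the article's or Morphisec's code). Assumes Sysmon-style
Event ID 7 (ImageLoaded) records; the `signed` flag is assumed to have been
parsed from Sysmon's "true"/"false" string already. Sample events are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import re

# Directories a standard user can write to. A process image running from one
# of these and loading an unsigned DLL beside itself is the classic
# side-loading pattern: the trusted EXE resolves the DLL by name from its own
# directory, and the attacker controls that directory.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|temp\\|windows\\temp\\)", re.I
)


@dataclass(frozen=True)
class ImageLoad:
    process_image: str     # Image: the executable that performed the load
    image_loaded: str      # ImageLoaded: the module that was mapped
    signed: bool           # Signed: whether the module carries a signature
    signature_status: str  # SignatureStatus: "Valid", "Unavailable", ...


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.search(path) is not None


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when an EXE in a user-writable directory loads an unsigned DLL
    from that same directory."""
    exe = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    unsigned = (not ev.signed) or ev.signature_status.lower() != "valid"
    return same_dir and unsigned and is_user_writable(ev.process_image)


def find_sideload_candidates(events):
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: one benign vendor app, one side-load shape,
# one system DLL load, and one signed DLL loaded from AppData.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll", True, "Valid"),
    ImageLoad(r"C:\Users\alice\Downloads\Invoice\viewer.exe",
              r"C:\Users\alice\Downloads\Invoice\helper.dll", False, "Unavailable"),
    ImageLoad(r"C:\Users\alice\Downloads\Invoice\viewer.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Valid"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Tool\tool.exe",
              r"C:\Users\alice\AppData\Local\Tool\lib.dll", True, "Valid"),
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit.process_image} -> {hit.image_loaded}")
```

The heuristic errs toward noise in developer-heavy environments, where unsigned DLLs in user directories are common; in practice it is paired with a known-good list of vendor directories and with the Signed field of the executable itself, so that only signed EXEs loading unsigned neighbours are escalated.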

“The ResolverRAT’s initialization sequence reveals a sophisticated, multi-stage bootstrapping process engineered for stealth and resilience,” Lorber said, adding it “implements multiple redundant persistence methods” by means of Windows Registry and on the file system by installing itself in different locations as a fallback mechanism.

Once launched, the malware uses a bespoke certificate-based authentication scheme before establishing contact with a command-and-control (C2) server, so that the connection does not depend on the certificate authorities trusted by the machine. It also implements an IP rotation system that connects to an alternate C2 server if the primary one becomes unavailable or is taken down.

Furthermore, ResolverRAT is fitted with capabilities to sidestep detection efforts through certificate pinning, source code obfuscation, and irregular beaconing patterns to the C2 server.

“This advanced C2 infrastructure demonstrates the advanced capabilities of the threat actor, combining secure communications, fallback mechanisms, and evasion techniques designed to maintain persistent access while evading detection by security monitoring systems,” Morphisec said.

The ultimate goal of the malware is to process commands issued by the C2 server and exfiltrate the responses back, breaking data over 1 MB in size into 16 KB chunks so as to minimize the chances of detection.
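The chunking behaviour described above (large responses split into 16 KB pieces) leaves a shape in network telemetry that defenders can look for: a burst of similarly sized outbound requests from one host to one destination. The following is an added example, not code from the article or from Morphisec; it assumes per-connection outbound records of the form "timestamp source destination bytes_sent", such as a proxy or NetFlow export, and the sample lines are constructed rather than captured from the campaign.

```python
"""Flag bursts of uniform ~16 KB uploads that may indicate chunked exfiltration.

Added example (not the article's or Morphisec's code). Assumes outbound
records "ISO-timestamp src dst bytes_sent"; sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CHUNK = 16 * 1024              # 16 KB chunk size described in the report
TOLERANCE = 512                # allowance for request framing/headers
MIN_CHUNKS = 8                 # minimum chunk-sized uploads inside one window
WINDOW = timedelta(minutes=10)


def parse_line(line: str):
    ts, src, dst, sent = line.split()
    return datetime.fromisoformat(ts), src, dst, int(sent)


def looks_like_chunk(bytes_sent: int) -> bool:
    return abs(bytes_sent - CHUNK) <= TOLERANCE


def find_chunked_uploads(lines):
    """Return {(src, dst): max_chunks_in_window} for every source/destination
    pair that sent at least MIN_CHUNKS chunk-sized uploads within WINDOW."""
    per_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, sent = parse_line(line)
        if looks_like_chunk(sent):
            per_pair[(src, dst)].append(ts)

    hits = {}
    for pair, times in per_pair.items():
        times.sort()
        # Sliding window: the largest number of chunk-sized uploads that fall
        # inside any WINDOW-long span for this pair.
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > WINDOW:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= MIN_CHUNKS:
            hits[pair] = best
    return hits


# Constructed sample: ws01 sends ten ~16 KB uploads to one address inside
# two minutes (roughly 160 KB of a larger transfer); ws02 and ws03 are noise.
SAMPLE_LINES = [
    f"2025-03-10T09:0{i // 6}:{(i % 6) * 10:02d} ws01 203.0.113.5 {16384 + (i % 3) * 40}"
    for i in range(10)
] + [
    "2025-03-10T09:00:05 ws02 203.0.113.9 1240",
    "2025-03-10T09:01:05 ws02 203.0.113.9 52120",
    "2025-03-10T09:02:05 ws03 203.0.113.5 16400",
]

if __name__ == "__main__":
    for (src, dst), n in find_chunked_uploads(SAMPLE_LINES).items():
        print(f"{src} -> {dst}: {n} chunk-sized uploads within {WINDOW}")
```

The threshold and tolerance are deliberately loose; browsers and sync clients also upload in fixed-size pieces, so in production the rule is scoped to destinations outside an allow-list and correlated with the irregular beaconing the report mentions rather than used on its own.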

The campaign has yet to be attributed to a specific group or country, although the similarities in lure themes and the use of DLL side-loading with previously observed phishing attacks allude to a possible connection.

“The alignment […] indicates a possible overlap in threat actor infrastructure or operational playbooks, potentially pointing to a shared affiliate model or coordinated activity among related threat groups,” the company said.

The development comes as CYFIRMA detailed another remote access trojan codenamed Neptune RAT that uses a modular, plugin-based approach to steal information, maintain persistence on the host, demand a $500 ransom, and even overwrite the Master Boot Record (MBR) to disrupt the normal functioning of the Windows system.

It’s being propagated freely via GitHub, Telegram, and YouTube. That said, the GitHub profile associated with the malware, called the MasonGroup (aka FREEMASONRY), is no longer accessible.

“Neptune RAT incorporates advanced anti-analysis techniques and persistence methods to maintain its presence on the victim’s system for extended periods and comes packed with dangerous features,” the company noted in an analysis published last week.

It includes a “crypto clipper, password stealer with capabilities to exfiltrate over 270+ different applications’ credentials, ransomware capabilities, and live desktop monitoring, making it an extremely serious threat.”
