A new remote access trojan (RAT) called ResolverRAT is posing a serious threat to businesses around the world. It uses advanced in-memory execution and evasion methods to slip past traditional security tools.
All about Stealthy ResolverRAT
This malware has mainly targeted healthcare and pharmaceutical companies. It hides its activity using encrypted payloads, runtime resource tricks, and secure command-and-control (C2) connections.
According to a report by Morphisec, the latest attack was seen on March 10, 2025, showing that ResolverRAT is actively being used in high-level cyberespionage campaigns.
ResolverRAT attacks usually start with well-crafted phishing emails that are customized for different regions and languages. Hackers use local languages and urgent topics—like legal or copyright issues—to trick users into clicking.
For example, some emails in Hindi mention “जाँच प्रक्रिया में दर्ज किए गए दस्तावेज़” (Documents recorded during the investigation), while others in Italian use subjects like “Documento per confermare la violazione del copyright” (Document to confirm copyright violation). This personalized approach makes the emails seem more believable and increases the chance that users will fall for them.
The malware is delivered through a method called DLL side-loading. It uses a legitimate signed file (hpreader.exe) to load a malicious DLL placed in the same folder.
This method is similar to recent attacks that spread Rhadamanthys and Lumma stealers, suggesting that some hacker groups may be using shared tools or infrastructure.
The repeated use of the same files and phishing tactics hints at a coordinated effort, possibly involving affiliate groups or common attack playbooks.
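The DLL side-loading pattern described above (a legitimate signed executable such as hpreader.exe loading an unsigned DLL from its own, user-writable folder) can be surfaced from image-load telemetry. The following detection heuristic is an added example, not code from the article or from Morphisec; the records are constructed here, loosely modelled on Sysmon Event ID 7 fields, and the DLL name is a placeholder.

```python
"""Flag DLL side-loading candidates in constructed image-load records (defensive heuristic).

A record is flagged when: the loaded image is a DLL, it sits in the same directory as the
loading executable, that directory is not a trusted install root, and the DLL is unsigned.
"""
from pathlib import PureWindowsPath

# Install roots where co-located DLLs are expected; loads from here are not flagged.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def is_trusted_root(directory: str) -> bool:
    """True if the directory lies under one of the trusted install roots."""
    return directory.lower().startswith(TRUSTED_ROOTS)


def is_sideload_candidate(event: dict) -> bool:
    """Apply the side-loading heuristic to a single image-load record."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    dll_unsigned = str(event.get("Signed", "false")).lower() != "true"
    return same_dir and dll_unsigned and not is_trusted_root(str(dll.parent))


def scan(events: list) -> list:
    """Return the ImageLoaded paths of every flagged record."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


# Constructed sample records (not real telemetry); "loader.dll" is a placeholder name.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\docs\hpreader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\docs\loader.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\docs\hpreader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\docs\hpreader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\docs\legit.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("side-loading candidate:", path)
```

Only the first record is flagged: the System32 load is not co-located, the Program Files load is under a trusted root, and the last DLL is signed.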
ResolverRAT: In-Memory Loader and Evasion Tactics
ResolverRAT uses advanced methods to stay hidden and avoid detection. Its loader decrypts the payload in memory using AES-256 encryption, with the keys hidden and decoded only at runtime. The payload is also compressed with GZip and never touches the disk, making it hard for antivirus tools to spot.
To hinder static analysis, ResolverRAT stores its strings as numeric IDs and decodes them only when they are needed. It also hijacks .NET's resource-resolution mechanism to load malicious code directly from memory, bypassing security checks that monitor the file system or API calls.
It connects to its command-and-control (C2) servers using embedded X.509 certificates. These are matched during the SSL handshake, creating a private trust chain that evades security tools trying to inspect the network traffic.
Evasion and Persistence Features
ResolverRAT uses multiple checks and code tricks to confuse analysts. It obscures its logic with junk code, convoluted arithmetic, and fingerprinting checks that detect whether it is being analyzed.
For persistence, it creates over 20 hidden registry entries and copies itself to different folders like AppData and Program Files. All paths and keys are obfuscated to make tracking difficult.
The malware can fall back to alternate servers from concealed lists, so even if one server is blocked, it keeps working. It exfiltrates data serialized with Protocol Buffers, splitting large files into smaller chunks for smoother, less conspicuous transfers. Beacons are sent at random intervals to evade monitoring tools.
A Growing Threat
Because ResolverRAT runs only in memory, uses its own security certificates, and changes behavior based on its environment, it’s very hard to detect using traditional tools.
Morphisec recommends using Automated Moving Target Defense (AMTD), which disrupts attacks before they begin by constantly changing memory layouts and blocking unknown code.
ResolverRAT shows how far malware has come—using encryption, runtime tricks, and stealth to avoid even advanced defenses. To stay protected, organizations must move beyond basic detection and invest in behavior-based tools and proactive threat prevention.