
ResolverRAT Campaign Targets Healthcare and Pharmaceutical Industries Through Phishing and DLL Side-Loading


In recent cybersecurity news, a new remote access trojan known as ResolverRAT has been uncovered by researchers, with a particular focus on targeting the healthcare and pharmaceutical industries. This sophisticated malware employs fear-based tactics through phishing emails to trick recipients into clicking on malicious links, ultimately leading to the installation and execution of ResolverRAT.

The campaign employing ResolverRAT was active as of March 10, 2025, and shares similarities with previous phishing attacks that distributed information stealer malware like Lumma and Rhadamanthys. What sets ResolverRAT apart is its use of localized phishing lures in languages specific to the targeted regions, such as Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. These emails often contain content related to legal investigations or copyright violations to create a sense of urgency and encourage user interaction.

The malware’s infection chain begins with DLL side-loading: a legitimate, trusted executable is made to load a malicious DLL placed beside it, and that DLL then decrypts the main payload and executes it through an in-memory loader. The loader relies on encryption, compression, and memory-only residency to avoid detection on disk. ResolverRAT also implements multiple persistence methods, including Windows Registry modifications and file system installation, to ensure it remains active on the infected system.

Upon execution, ResolverRAT uses certificate-based authentication to connect to its command-and-control (C2) server, through which the threat actor issues commands and receives exfiltrated data. To evade detection, the malware uses certificate pinning, source code obfuscation, and irregular communication patterns with the C2 server. It also incorporates an IP rotation system that switches to alternate C2 servers if the primary one is disrupted.

The campaign linked to ResolverRAT has not been attributed to a specific group or country, but the similarities in tactics and techniques hint at a possible connection to known threat actors. The use of the DLL side-loading technique aligns with previous observations in phishing attacks, suggesting a shared infrastructure or operational playbook among these groups.

In a related development, CYFIRMA detailed another remote access trojan called Neptune RAT, which utilizes a modular, plugin-based approach for information theft, ransom demands, and system disruption. Neptune RAT incorporates anti-analysis techniques and persistence methods to evade detection and maintain access to infected systems. This malware is distributed through platforms like GitHub and Telegram, with features including password stealing, ransomware capabilities, and live desktop monitoring.

As cybersecurity threats continue to evolve, organizations must remain vigilant against sophisticated malware like ResolverRAT and Neptune RAT. By staying informed about the latest trends in cyber threats and implementing robust security measures, businesses can mitigate the risks posed by these remote access trojans and protect their sensitive data from unauthorized access.
