Full Report
Cybersecurity researchers have discovered a new, sophisticated remote access trojan called ResolverRAT that has been observed in attacks targeting healthcare and pharmaceutical sectors. "The threat actor leverages fear-based lures delivered via phishing emails, designed to pressure recipients into clicking a malicious link," Morphisec Labs researcher Nadav Lorber said in a report shared with The
Analysis Summary
# Threat Actor: Unattributed Actor Using ResolverRAT (Potential Overlap with Previous Phishing Campaigns)
## Attribution & Identity
* **Identification:** Threat actor utilizing the novel Remote Access Trojan (RAT) known as ResolverRAT.
* **Attribution:** Currently unattributed to a specific group or nation-state. Campaign exhibits overlaps in infrastructure and delivery mechanisms with previous phishing campaigns that utilized Lumma and Rhadamanthys, hinting at a possible shared affiliate model or coordinated activity.
* **Aliases:** None explicitly named beyond the malware used (ResolverRAT).
## Activity Summary
* The actor is actively deploying ResolverRAT in recent attacks observed as recently as March 10, 2025.
* The primary infection vector is **fear-based phishing lures** designed to coerce immediate action.
* Lures are highly localized, crafted in Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian.
* Email themes focus on inducing urgency, specifically referencing **legal investigations or copyright violations**.
* The malware's C2 channel is built for resilience and stealth: TLS to a pinned server certificate, fallback servers selected by IP rotation, and randomised beacon timing.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing emails leading to the download and execution of a malicious file.
* **Execution:** Utilizes **DLL side-loading** to initiate the execution chain: a legitimate, signed executable loads the malicious DLL placed alongside it, so the first process to run looks benign.
* **Defense Evasion:**
* Uses an in-memory loader that decrypts and decompresses the main payload and executes it directly, so the payload never has to touch disk and file-based scanning does not see it.
* The stored payload is both **encrypted and compressed**, and the code is **obfuscated** to slow static analysis.
* Pins the C2 server certificate: the implant validates the server against a certificate embedded in the sample rather than the machine's root store, so a TLS inspection proxy presenting a proxy-issued certificate is rejected and the session is neither decrypted nor inspected.
* **Persistence:** Writes redundant persistence entries in both the Windows Registry and the file system, installing copies in several locations so that removing one does not remove the implant.
* **Command and Control (C2):**
* Features an **IP rotation system**: if the primary C2 server is unreachable, the implant switches to alternate servers.
* Uses **irregular (randomised) beaconing intervals** so the callback does not appear as a fixed-period signal to network monitoring.
* Exfiltrates stolen data by breaking anything larger than 1 MB into **16 KB chunks**, so no single large transfer stands out in volume-based monitoring.
* **MITRE ATT&CK IDs:** Not explicitly provided, but the described behaviour maps to T1566.002 (Phishing: Spearphishing Link), T1574.002 (Hijack Execution Flow: DLL Side-Loading), T1027 (Obfuscated Files or Information), T1620 (Reflective Code Loading), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1573 (Encrypted Channel), T1008 (Fallback Channels), T1030 (Data Transfer Size Limits) and T1041 (Exfiltration Over C2 Channel).
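The two network-side traits listed above, randomised beacon timing and 16 KB chunked uploads, can both be checked from connection telemetry. The block below is an added example written for this summary, not code from Morphisec or from the malware; the record layout (start time, source, destination, per-write byte counts), the thresholds and the sample telemetry are all constructed assumptions. It flags host pairs whose connection gaps stay inside a bounded band around their median (what a jittered sleep produces) and pairs that sent a long run of writes just under 16 KB.

```python
"""Added example, not code from the Morphisec report: two heuristics for the
ResolverRAT C2 traits described above, jittered beaconing and 16 KB chunked
uploads, run over constructed telemetry. Record fields are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass
class Conn:
    ts: float   # connection start, epoch seconds
    src: str    # internal host
    dst: str    # remote host


CHUNK = 16 * 1024  # the 16 KB exfil chunk size reported for ResolverRAT


def jittered_beacons(conns, min_conns=8, max_spread=0.6):
    """Return {(src, dst): median_gap} for pairs whose inter-connection gaps
    stay inside a narrow band around their median. Random sleep (jitter)
    widens the band but keeps it bounded, whereas human-driven traffic has
    bursty gaps with an interquartile spread well above the median."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c.ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = sorted(b - a for a, b in zip(stamps, stamps[1:]))
        med = median(gaps)
        q1, q3 = gaps[len(gaps) // 4], gaps[(3 * len(gaps)) // 4]
        if med > 0 and (q3 - q1) / med <= max_spread:
            hits[pair] = round(med, 1)
    return hits


def chunked_uploads(sends, min_chunks=64, tolerance=64):
    """Return {(src, dst): longest_run} for pairs that sent a run of at least
    min_chunks consecutive writes of (almost exactly) CHUNK bytes; 1 MB split
    into 16 KB pieces is 64 such writes. `sends` are (src, dst, bytes) tuples
    from per-write telemetry (e.g. a TLS-terminating proxy or EDR sensor)."""
    run, longest = defaultdict(int), defaultdict(int)
    for src, dst, size in sends:
        key = (src, dst)
        if CHUNK - tolerance <= size <= CHUNK:
            run[key] += 1
            longest[key] = max(longest[key], run[key])
        else:
            run[key] = 0
    return {k: n for k, n in longest.items() if n >= min_chunks}


# Constructed sample telemetry (not captured data). Host 10.0.0.5 beacons
# every ~300 s with +/-90 s jitter; 10.0.0.9 browses a site at random times.
_JITTER = (-60, 45, 12, -80, 70, -25, 33, -50, 88, -5,
           20, -70, 55, -15, 40, -88, 10, 65, -35, 28)
_BURSTY = (2, 5, 1, 900, 3, 1500, 2, 4, 2400, 1, 7, 3)


def _stamps(gaps, start=0.0):
    t, out = start, [start]
    for g in gaps:
        t += g
        out.append(t)
    return out


SAMPLE_CONNS = (
    [Conn(t, "10.0.0.5", "203.0.113.7") for t in _stamps(300 + j for j in _JITTER)]
    + [Conn(t, "10.0.0.9", "198.51.100.20") for t in _stamps(_BURSTY)]
)
# 70 full chunks then a short tail from the beaconing host; ordinary sizes elsewhere.
SAMPLE_SENDS = (
    [("10.0.0.5", "203.0.113.7", CHUNK)] * 70 + [("10.0.0.5", "203.0.113.7", 3000)]
    + [("10.0.0.9", "198.51.100.20", s) for s in (512, 1400, 16384, 900, 16384, 64)]
)

if __name__ == "__main__":
    print("beacon candidates:", jittered_beacons(SAMPLE_CONNS))
    print("chunked uploads:", chunked_uploads(SAMPLE_SENDS))
```

The spread threshold is deliberately loose: a 300 s sleep with roughly 30 % jitter gives an interquartile spread around 0.3 of the median, while bursty interactive traffic lands far above 1. Very wide jitter (well beyond 50 %) will slip under this heuristic, which is why the chunk-run check is kept as an independent signal; per-write sizes need a vantage point that sees application writes, such as a TLS-terminating proxy or a host sensor, because a flow record only shows the session total.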
## Targeting
* **Sectors:** Healthcare and Pharmaceutical sectors.
* **Geography:** Broad, global targeting indicated by the wide range of custom languages used (India, Italy, Czech Republic, Turkey, Brazil/Portugal, Indonesia).
* **Victims:** Specific organizations were not named in the summary.
## Tools & Infrastructure
* **Malware Families Used:** ResolverRAT (Remote Access Trojan).
* **Shared Infrastructure:** Overlap observed with infrastructure used previously for delivering Lumma and Rhadamanthys information stealers.
* **C2 Communications:** Bespoke, certificate-based, featuring IP rotation and redundancy.
## Implications
The threat actor behind ResolverRAT displays a high degree of technical sophistication, focusing heavily on stealth, resilience, and minimizing detection across multiple stages of the attack lifecycle (from delivery to C2 communication). The localized phishing lures suggest a focused effort to maximize initial infection rates within specific high-value sectors globally. The infrastructure similarities suggest this actor may be part of a larger ecosystem or leveraging shared resources with known information-stealing operations.
## Mitigations
* Tune email filtering for the observed lure pattern: urgent legal-investigation or copyright-violation themes, written in the target's language (Hindi, Italian, Czech, Turkish, Portuguese, Indonesian), carrying a link rather than an attachment; detonate linked downloads in a sandbox before delivery.
* Use EDR with memory scanning to catch the in-memory loader (executable regions not backed by a file on disk) and DLL side-loading (a signed, legitimate executable loading a DLL from a user-writable directory rather than from its install location).
* Expect the pinned C2 certificate to defeat TLS inspection: the implant abandons a session when the proxy presents its own certificate, so alert on repeated short-lived TLS handshakes to the same external host that never carry application data, and on hosts that connect to a low-reputation destination at roughly periodic intervals even when the timing is jittered.
* Baseline the Run/RunOnce keys and Startup folders and alert on new entries, especially entries that point into user-writable paths or register the same binary from several locations, which is the redundancy pattern this implant uses.
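The persistence review can be done offline against a registry export collected during triage. The following is an added example (not Morphisec's or any vendor's tool) that parses a `.reg` ("Windows Registry Editor Version 5.00") export, lists Run/RunOnce entries, flags those launching from user-writable paths, and reports any executable registered from more than one key, the redundancy pattern described under Persistence. The sample export, the entry names and the list of user-writable path fragments are constructed for the example and say nothing about ResolverRAT's actual file names.

```python
"""Added example (not the report's or any vendor's tool): triage Run/RunOnce
entries from a .reg export for user-writable launch paths and for the same
binary registered from several keys. Sample data below is constructed."""
import re
from collections import defaultdict

# Values in a "Windows Registry Editor Version 5.00" export: "name"="string"
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')
_RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)$', re.IGNORECASE)
# Path fragments an unprivileged user can write to (assumed list).
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\',
                 '\\programdata\\', '\\downloads\\')


def parse_reg_export(text):
    """Yield (key, value_name, string_value) for every REG_SZ value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):      # REG_SZ only
            # .reg escapes backslash as \\ and quote as \"; undo both.
            yield key, name, re.sub(r'\\(.)', r'\1', raw[1:-1])


def exe_path(command):
    """Executable part of a command line: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ''


def review_autostarts(reg_text):
    """Return (flagged, redundant): entries launching from user-writable
    paths, and {exe_lower: [keys]} for binaries registered more than once."""
    entries = [(k, n, exe_path(v)) for k, n, v in parse_reg_export(reg_text)
               if _RUN_KEY_RE.search(k)]
    flagged = [(k, n, e) for k, n, e in entries
               if any(frag in e.lower() for frag in USER_WRITABLE)]
    by_exe = defaultdict(list)
    for k, _, e in entries:
        by_exe[e.lower()].append(k)
    redundant = {e: keys for e, keys in by_exe.items() if len(keys) > 1}
    return flagged, redundant


# Constructed sample export: a legitimate per-user app, one machine-wide
# entry, and one binary registered from three keys as a fallback.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe\""
'''

if __name__ == "__main__":
    flagged, redundant = review_autostarts(SAMPLE_REG)
    for key, name, exe in flagged:
        print(f"user-writable launch path: {name} -> {exe}  [{key}]")
    for exe, keys in redundant.items():
        print(f"registered {len(keys)}x: {exe}")
        for key in keys:
            print("   ", key)
```

The user-writable check alone is noisy (per-user installers such as OneDrive legitimately live under AppData, and the sample shows that hit), so treat it as a triage filter and use the redundancy report together with the binary's signer and hash to decide what to remove. The parser handles only string values; binary (`hex:`) values and Startup-folder shortcuts need a separate pass.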