April 14, 2025
Severity
High
Analysis Summary
ResolverRAT is a newly identified and highly sophisticated Remote Access Trojan (RAT) targeting global enterprises, with a specific focus on the healthcare and pharmaceutical sectors. It was first observed in an active campaign on March 10, 2025.
According to the Researcher, this malware leverages advanced in-memory execution and evasion techniques to remain undetected. Initial access is gained through region-specific phishing emails that use native languages and culturally relevant themes to increase credibility—examples include Hindi emails referencing legal investigations and Italian messages about copyright violations. The malware’s delivery leverages DLL side-loading via a legitimate executable (hpreader.exe), a method also seen in campaigns distributing Rhadamanthys and Lumma stealers, suggesting potential infrastructure sharing among threat actors or an affiliate-based model.
ResolverRAT’s loader architecture focuses on operational stealth by using AES-256 encryption with obfuscated keys decrypted at runtime through the .NET System.Security.Cryptography namespace. Payloads are compressed with GZip and reside only in memory, bypassing disk-based detection entirely. The RAT employs dynamic string decoding, where strings are stored as numeric IDs and resolved during execution to hinder static analysis. Furthermore, it hijacks the .NET ResourceResolve event to inject malicious assemblies directly from memory, bypassing traditional detection vectors that rely on file system and Win32 API monitoring. This in-memory-only strategy significantly reduces forensic footprints and complicates reverse engineering efforts.
To maintain resilient command-and-control (C2) communication, ResolverRAT embeds X.509 certificates within its binary, creating a private trust chain that bypasses the system's root certificate authorities. This certificate pinning technique renders traditional man-in-the-middle (MITM) inspection and network-based detections ineffective. The C2 infrastructure also uses obfuscated fallback mechanisms and IP rotation through custom collections (TestDistributor and CheckDistributor) to ensure persistence. For data exfiltration, the malware uses Google’s Protocol Buffers (ProtoBuf) to serialize stolen data, sending it in 16KB chunks with robust error handling and randomized beaconing intervals to avoid triggering anomaly detection systems.
ResolverRAT also incorporates extensive anti-analysis features, such as control flow flattening, dead code, and arithmetic-based decryption key generation, to thwart disassemblers. It checks for analysis environments using resource resolution fingerprinting and establishes persistence by creating over 20 obfuscated registry entries and placing multiple copies in key directories like AppData and Program Files. Its advanced architecture underscores the shift toward malware designed to evade signature-based solutions. As such, the Researcher recommends proactive defenses like Automated Moving Target Defense (AMTD), which dynamically randomizes system memory and blocks unauthorized executions, rather than relying on reactive detection. ResolverRAT’s emergence marks a new level of complexity in malware operations, making adaptive and behavior-focused security strategies essential for modern enterprises.
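The persistence described above (many obfuscated registry entries under the user hive) gives defenders a concrete thing to hunt for. The following Python script is an added example, not code from the advisory or from the researchers: it parses a Windows .reg export, restricts itself to HKEY_CURRENT_USER keys and flags values that look like raw hex or base64 blobs with high Shannon entropy. The registry dump, key names and the entropy threshold are constructed assumptions for the example, not values taken from the malware.

```python
"""Flag high-entropy blob values in a .reg export of HKCU (constructed sample)."""
import math
import re
from collections import Counter

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')    # "Name"=data
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]+$")    # hex or base64 alphabet only
MIN_LEN = 32          # shorter values are rarely worth flagging
ENTROPY_BITS = 3.5    # assumed threshold: hex tops out at 4.0 bits/char, base64 at 6.0


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_reg(text):
    """Yield (key, value_name, data) triples from .reg export text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.groups()
            if data.startswith("hex:"):              # REG_BINARY: hex:aa,bb,...
                data = data[4:].replace(",", "")
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1]                    # REG_SZ: strip quotes
            yield key, name, data


def find_suspicious(text):
    """Return HKCU values that are long, blob-like and high-entropy."""
    hits = []
    for key, name, data in parse_reg(text):
        if not key.upper().startswith("HKEY_CURRENT_USER"):
            continue
        if len(data) >= MIN_LEN and BLOB_RE.match(data):
            ent = shannon_entropy(data)
            if ent >= ENTROPY_BITS:
                hits.append({"key": key, "name": name, "entropy": round(ent, 2)})
    return hits


# Constructed .reg export: one legitimate Run entry, two blob-like values under
# HKCU, one low-entropy filler value, and one blob under HKLM (ignored here).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\a.b\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"k7Q2x"="9f3c1a7e5b2d8046e1c7a93f5d2b6084c4a7f1d39b6e2058a0f7d4b1e6c39285"

[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]
"Marker"="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"Blob"=hex:a0,f7,d4,b1,e6,c3,92,85,c4,a7,f1,d3,9b,6e,20,58,e1,c7,a9,3f,5d,2b,60,84,9f,3c,1a,7e,5b,2d,80,46

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Cache]
"Cfg"="9f3c1a7e5b2d8046e1c7a93f5d2b6084c4a7f1d39b6e2058a0f7d4b1e6c39285"
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['name']}  entropy={hit['entropy']}")
```

Entropy alone produces false positives (GUIDs, hashes written by legitimate software), so in practice the output is a triage list to join against a baseline of known-good values and against creation time, not an alert on its own.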
Impact
- Sensitive Data Theft
- Security Bypass
- Gain Access
- Financial Loss
Indicators of Compromise
IP
- 192.30.241.106
MD5
- 904c81b725918072aaedfa3159012df5
- 9da544badf1b3192fb10215e904af186
- d64a92becd86b19733750f964b3ea9d1
- 328a71aa1ebee77f5f5ff8c8db625ae2
- b3f8803ca29defeeb2322a906e6c7ea1
- a2c47cc80b6bca3d29f2927b17b56e0e
SHA-256
- ec189b7ce68cb308139f6a5cf93fd2dc91ccf4432dc09ccaecb9de403a000c73
- 6c054f9013c71ccb7522c1350995066ef5729371641a639a7e38d09d66320bf4
- c3028a3c0c9b037b252c046b1b170116e0edecf8554931445c27f0ddb98785c1
- 19a4339a4396e17fece5fd5b19639aa773c3bb3d8e2f58ee3b8305b95d969215
- 05313e81e28f4c4a13e5f443cd2641181d5de95cdc7e450e097ee23c09758a15
- 80625a787c04188be1992cfa457b11a166e19ff27e5ab499b58e8a7b7d44f2b9
SHA-1
- 3038118708137515b7faa00c99bf3bac827a9da0
- 45ba4041049ab87c3fbe74149f977a58d55d8d55
- bb87b6c476ff456aa5049d45bae43912775778a7
- 0a8e8a47c6e2d1ac219ce71d1bbe3a75231350c7
- eb0db6648911c3dd234c8b323f749dc94b5d1e26
- 2c18ff18cef6218f431b08eea4a44bdf0228b0ea
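A quick way to act on the indicators above is to sweep them against EDR and proxy telemetry. The script below is an added example, not code from the advisory: it loads the hashes and the IP listed here, normalises case, and matches them against log lines, reporting the indicator type and the line it was found on. The log lines, host names, paths and timestamps are constructed for the example; only the indicators themselves come from the advisory.

```python
"""Match the advisory's hash and IP indicators against log lines."""
import re

# Indicators copied from the advisory above.
IOC_IP = {"192.30.241.106"}
IOC_MD5 = {
    "904c81b725918072aaedfa3159012df5", "9da544badf1b3192fb10215e904af186",
    "d64a92becd86b19733750f964b3ea9d1", "328a71aa1ebee77f5f5ff8c8db625ae2",
    "b3f8803ca29defeeb2322a906e6c7ea1", "a2c47cc80b6bca3d29f2927b17b56e0e",
}
IOC_SHA1 = {
    "3038118708137515b7faa00c99bf3bac827a9da0", "45ba4041049ab87c3fbe74149f977a58d55d8d55",
    "bb87b6c476ff456aa5049d45bae43912775778a7", "0a8e8a47c6e2d1ac219ce71d1bbe3a75231350c7",
    "eb0db6648911c3dd234c8b323f749dc94b5d1e26", "2c18ff18cef6218f431b08eea4a44bdf0228b0ea",
}
IOC_SHA256 = {
    "ec189b7ce68cb308139f6a5cf93fd2dc91ccf4432dc09ccaecb9de403a000c73",
    "6c054f9013c71ccb7522c1350995066ef5729371641a639a7e38d09d66320bf4",
    "c3028a3c0c9b037b252c046b1b170116e0edecf8554931445c27f0ddb98785c1",
    "19a4339a4396e17fece5fd5b19639aa773c3bb3d8e2f58ee3b8305b95d969215",
    "05313e81e28f4c4a13e5f443cd2641181d5de95cdc7e450e097ee23c09758a15",
    "80625a787c04188be1992cfa457b11a166e19ff27e5ab499b58e8a7b7d44f2b9",
}
# Hash length selects the indicator set to check against.
HASH_SETS = {32: ("md5", IOC_MD5), 40: ("sha1", IOC_SHA1), 64: ("sha256", IOC_SHA256)}

# Hex runs of exactly 32, 40 or 64 characters; the \b anchors stop a 64-char
# hash from also matching as a 32-char one.
HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line):
    """Return a list of {'type', 'indicator'} hits found in one log line."""
    hits = []
    lower = line.lower()          # hashes in logs are often upper-case
    for token in HEX_RE.findall(lower):
        kind, ioc_set = HASH_SETS[len(token)]
        if token in ioc_set:
            hits.append({"type": kind, "indicator": token})
    for ip in IP_RE.findall(lower):
        if ip in IOC_IP:
            hits.append({"type": "ip", "indicator": ip})
    return hits


def scan_logs(lines):
    """Scan an iterable of log lines; each hit carries its 1-based line number."""
    results = []
    for number, line in enumerate(lines, 1):
        for hit in scan_line(line):
            results.append({**hit, "line": number})
    return results


# Constructed sample telemetry (hosts, paths, module name and timestamps are invented).
SAMPLE_LOGS = [
    "2025-04-14T10:02:11Z host=ws01 event=image_load image=hpreader.exe "
    "module=C:\\Users\\a.b\\AppData\\Roaming\\sideloaded.dll "
    "sha256=EC189B7CE68CB308139F6A5CF93FD2DC91CCF4432DC09CCAECB9DE403A000C73",
    "2025-04-14T10:03:40Z host=ws01 event=network_connect dst=192.30.241.106 dport=443 proto=tcp",
    "2025-04-14T10:04:02Z host=ws02 event=image_load image=C:\\Windows\\explorer.exe "
    "md5=d41d8cd98f00b204e9800998ecf8427e",
    "2025-04-14T10:05:00Z host=ws03 event=file_write path=C:\\ProgramData\\update.tmp "
    "sha1=3038118708137515b7faa00c99bf3bac827a9da0",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} match {hit['indicator']}")
```

Feeding the script a real export works the same way: pass the file's lines to scan_logs and forward hits to the case queue. Because the payload lives only in memory, hash hits will mostly come from the dropped loader and its copies rather than from the RAT itself, so a clean hash sweep should not be read as a clean host.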
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Deploy Endpoint Detection and Response (EDR) and Next-Gen Antivirus (NGAV) solutions that focus on behavior and runtime analysis rather than just signatures.
- Use AMTD technologies to randomize memory layout and prevent unauthorized code execution, which helps block memory-only malware like ResolverRAT.
- Use advanced email filters and sandboxing for attachments and links. Regularly train staff on recognizing phishing emails, especially those in native languages or referencing legal/copyright topics.
- Set up deep packet inspection (DPI) and network anomaly detection systems to identify irregular data exfiltration patterns, beaconing, and encrypted traffic from non-standard ports.
- Conduct proactive threat hunts for indicators like DLL side-loading, .NET ResourceResolve hijacking, or registry keys and AppData anomalies.
- Disable unnecessary scripting and PowerShell execution. Block unsigned or suspicious DLLs and restrict the use of legitimate executables for loading DLLs (hpreader.exe abuse).
- Use allow-listing solutions to restrict which applications and executables can run, preventing unauthorized binaries from launching malicious DLLs.
- Detect anomalies related to SSL/TLS certificate validation to identify malware using custom embedded certificates and bypassing root trust chains.
- Continuously monitor for abnormal or newly created registry entries under HKCU, especially with obfuscated values or XOR-encoded data.
- Ensure all systems, especially Microsoft .NET frameworks and legitimate third-party applications (like HP software), are fully updated to prevent exploitation.
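The C2 description in the Analysis Summary (randomised beaconing intervals, data pushed in 16KB chunks) and the network anomaly detection item above both point at the same detection: look at timing regularity and payload-size uniformity per source/destination pair rather than at payload content, which certificate pinning hides. The following Python is an added example, not code from the advisory or the researchers: it scores flow records by the coefficient of variation of inter-arrival gaps (low even when jitter is applied around a fixed mean) and by the fraction of flows whose size sits within a few hundred bytes of 16KB. The flow records, hosts, destination addresses and thresholds are constructed assumptions for the example.

```python
"""Score outbound flows for jittered beaconing and fixed-size chunked uploads."""
from collections import defaultdict
from statistics import mean, pstdev

CHUNK_BYTES = 16 * 1024   # 16KB chunk size described in the advisory
CHUNK_SLACK = 256         # assumed tolerance around the chunk size
MIN_EVENTS = 6            # assumed: fewer flows give no usable statistics
CV_THRESHOLD = 0.35       # assumed: jittered beacons stay well below this
CHUNK_RATIO_THRESHOLD = 0.5


def analyse_flows(flows):
    """flows: iterable of (time_seconds, src, dst, bytes_out).

    Returns {(src, dst): {...}} for every pair with at least MIN_EVENTS flows.
    """
    by_pair = defaultdict(list)
    for t, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((t, nbytes))

    report = {}
    for pair, events in by_pair.items():
        if len(events) < MIN_EVENTS:
            continue
        events.sort()
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        # Coefficient of variation: spread of the gaps relative to their mean.
        gap_cv = pstdev(gaps) / avg_gap if avg_gap else float("inf")
        sizes = [n for _, n in events]
        chunk_ratio = sum(abs(n - CHUNK_BYTES) <= CHUNK_SLACK for n in sizes) / len(sizes)
        report[pair] = {
            "events": len(events),
            "mean_gap": round(avg_gap, 1),
            "gap_cv": round(gap_cv, 3),
            "chunk_ratio": round(chunk_ratio, 2),
            "suspicious": gap_cv < CV_THRESHOLD or chunk_ratio >= CHUNK_RATIO_THRESHOLD,
        }
    return report


def _series(src, dst, start, gaps, sizes):
    """Build flow records for one pair from a start time, gap list and size list."""
    t = start
    out = [(t, src, dst, sizes[0])]
    for gap, nbytes in zip(gaps, sizes[1:]):
        t += gap
        out.append((t, src, dst, nbytes))
    return out


# Constructed sample: a jittered 60s beacon, a chunked upload, and normal browsing.
# Destination addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = (
    _series("ws01", "203.0.113.10", 0,
            [60, 52, 68, 55, 63, 58, 66, 54],
            [610, 598, 605, 612, 601, 599, 604, 608, 603])
    + _series("ws02", "203.0.113.20", 0,
              [1, 30, 2, 120, 5],
              [16384, 16384, 16384, 16384, 16384, 9211])
    + _series("ws03", "198.51.100.5", 0,
              [3, 45, 2, 300, 12, 1, 90],
              [1200, 48000, 3300, 700, 15000, 2200, 900, 5100])
)

if __name__ == "__main__":
    for (src, dst), stats in analyse_flows(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {stats}")
```

Legitimate software also beacons on a schedule (update checks, NTP, telemetry agents), so the score is a ranking input: pair it with an allow-list of known destinations and with certificate observations (a server certificate that does not chain to any trusted root, as the advisory describes) before raising an alert.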