Morphisec has uncovered a previously undocumented remote access trojan, ResolverRAT, targeting the healthcare and pharmaceutical sectors globally.
The malware uses advanced in-memory execution, dynamic resource resolution, and multi-layered evasion techniques to bypass detection.
Why it matters
ResolverRAT’s sophisticated architecture demonstrates a significant evolution in malware tactics, mainly through .NET-based resource hijacking and runtime API resolution.
It poses a critical threat to sectors handling sensitive data, including healthcare and pharmaceuticals.
ResolverRAT’s operation includes globally localized phishing campaigns, DLL side-loading using signed applications, and reflective in-memory loading.
It uses AES-256 encryption, string obfuscation, and custom certificate validation for C2 communication. This reflects an emerging trend in which threat actors blend legitimate tools with advanced obfuscation to evade both static and behavioural analysis.
Morphisec first identified ResolverRAT during investigations into phishing attacks that began on March 10, 2025.
These campaigns used fear-based email lures in multiple languages—Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian—demonstrating broad geographical targeting and adaptability.
What they’re saying
Researchers at Morphisec describe ResolverRAT as “malware evolution at its finest,” emphasizing its .NET resource hijacking to evade detection.
The firm warned that its unique runtime resource resolution makes static and behavioural analysis significantly more difficult than with other malware.
ResolverRAT’s modular framework and infrastructure reuse suggest potential integration into broader threat actor ecosystems or malware-as-a-service (MaaS) operations.
Security teams are urged to monitor DLL side-loading activity, adopt behaviour-based detection, and implement memory-focused defenses.
The bottom line
ResolverRAT represents a new breed of evasive malware that exploits memory-only execution and runtime obfuscation. Organizations must adopt proactive security measures to counter such advanced threats.