ResolverRAT Malware Targets Healthcare and Pharma Industries
Cybersecurity experts have recently uncovered a sophisticated remote access trojan (RAT) known as ResolverRAT, which has been actively used in cyberattacks against healthcare and pharmaceutical organizations.
Phishing Tactics and Infection Method
According to a report by Morphisec Labs researcher Nadav Lorber, attackers are using phishing emails designed to scare victims into clicking on a malicious link. These emails often mention legal issues or copyright problems to pressure recipients into acting quickly. If the victim clicks the link, they’re directed to download a file that quietly starts the ResolverRAT infection process.
This wave of attacks was still active as of March 10, 2025, and shares infrastructure with phishing campaigns that previously spread info-stealing malware like Lumma and Rhadamanthys, as highlighted by Cisco Talos and Check Point last year.
Localized Scams and Region-Based Targeting
One notable detail is how the phishing emails are written in local languages depending on the country being targeted. This includes languages like Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian, showing that the attackers are going after a global audience and tailoring their scams to increase success rates.
How ResolverRAT Stays Hidden
The infection chain makes use of a technique called DLL side-loading, which allows the malware to sneak onto a system without raising alarms. The malware operates in memory only, using encryption and compression to avoid detection.
Morphisec’s analysis points out that ResolverRAT uses a multi-step process to quietly set itself up on a system and includes multiple ways to stay active, such as by hiding entries in the Windows Registry and planting files in different locations as backups.
It also uses certificate-based authentication to communicate with its command-and-control (C2) servers, bypassing typical security checks. If its main C2 server is taken down, it can switch to alternative servers thanks to an IP rotation system.
Sophisticated Evasion and Data Theft
To avoid getting caught, ResolverRAT uses a combination of certificate pinning, obfuscated code, and irregular communication patterns with its servers. This makes it much harder for security tools to detect its presence.
Once it’s active, the malware waits for instructions from its C2 server and sends stolen data back in small, 16 KB chunks if the files are over 1 MB in size — another trick to avoid detection.
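The chunking behaviour described above gives defenders something concrete to look for. The following is an added example (not from the original article or from Morphisec's report) of a simple flow-log heuristic that flags an outbound session made up almost entirely of 16 KB-sized records adding up to more than 1 MB; the record format, the hosts, the `MIN_CHUNKS` threshold and the 90% ratio are all constructed assumptions for illustration.

```python
from collections import defaultdict

CHUNK = 16 * 1024          # 16 KB chunk size reported for ResolverRAT exfiltration
LARGE_FILE = 1024 * 1024   # files over 1 MB are the ones split into chunks
MIN_CHUNKS = 8             # assumption: require a run of chunks before alerting
CHUNK_RATIO = 0.9          # assumption: 90% of a session's records must be chunk-sized

# Constructed sample flow records, format: "<ts> <src> <dst> <bytes_out>"
SAMPLE_FLOWS = (
    # 70 outbound records of exactly 16 KB to one destination (~1.1 MB total)
    [f"{1000 + i} 10.0.0.5 203.0.113.10 16384" for i in range(70)]
    # ordinary traffic of mixed sizes from another host
    + ["2000 10.0.0.7 198.51.100.3 512",
       "2001 10.0.0.7 198.51.100.3 16384",
       "2002 10.0.0.7 198.51.100.3 4096"]
)

def parse_flow(line):
    """Split one flow record into (timestamp, src, dst, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return int(ts), src, dst, int(nbytes)

def find_chunked_sessions(lines, tolerance=64):
    """Return (src, dst, chunk_count, chunk_bytes) for each session whose
    outbound records are mostly ~16 KB (within `tolerance` bytes) and whose
    chunk-sized records together exceed 1 MB. Heuristic only: legitimate
    uploads can also use fixed-size pieces, so treat hits as leads to triage."""
    sessions = defaultdict(list)
    for line in lines:
        _ts, src, dst, n = parse_flow(line)
        sessions[(src, dst)].append(n)
    hits = []
    for (src, dst), sizes in sessions.items():
        chunk_like = [n for n in sizes if abs(n - CHUNK) <= tolerance]
        total = sum(chunk_like)
        if (len(chunk_like) >= MIN_CHUNKS
                and total > LARGE_FILE
                and len(chunk_like) / len(sizes) >= CHUNK_RATIO):
            hits.append((src, dst, len(chunk_like), total))
    return hits

if __name__ == "__main__":
    for src, dst, count, total in find_chunked_sessions(SAMPLE_FLOWS):
        print(f"possible chunked exfiltration: {src} -> {dst}, "
              f"{count} chunks, {total} bytes")
```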
Possible Links to Other Threat Groups
So far, no one has officially blamed a specific hacking group for this malware, but the tactics and tools resemble those used in past phishing campaigns, suggesting possible connections between threat actors or the sharing of tools among cybercriminals.
Another Threat: Neptune RAT
In a related development, security firm CYFIRMA has detailed a different remote access trojan called Neptune RAT. This malware is being openly shared through GitHub, Telegram, and YouTube — though its main GitHub account, known as MasonGroup (also called FREEMASONRY), has since been removed.
Neptune RAT is designed to stick around on infected computers for as long as possible, using anti-analysis techniques and multiple persistence methods. Its features are wide-ranging and dangerous, including:
- A crypto clipper to hijack cryptocurrency transactions
- A password stealer capable of collecting credentials from over 270 different applications
- Ransomware functions that demand $500 from victims
- The ability to overwrite a computer’s Master Boot Record (MBR), which can completely disable a system
Final Thoughts
Both ResolverRAT and Neptune RAT represent major threats to businesses and individuals alike. Their advanced techniques and widespread targeting show how cybercriminals are constantly evolving their tactics to stay ahead of security defenses.