
ResolverRAT: Multilingual ICU Check-In

  • Javier Conejo del Cerro
  • Apr 15
  • 3 min read



The healthcare and pharmaceutical sectors have entered a digital intensive care unit. In a campaign observed as recently as March 2025, researchers uncovered the stealthy ResolverRAT—a remote access trojan spreading via regionally tailored phishing emails. Unlike previous attacks, this one casts its net wide with multilingual bait: Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. Masquerading as legal or copyright threats, the emails redirect recipients to download a weaponized file. Behind this facade lies an in-memory loader engineered to evade detection through encrypted payloads and the classic DLL side-loading technique.

This isn’t a virus that demands ransoms or locks screens—it’s designed to stay quiet, dig deep, and extract valuable data from the veins of the life sciences ecosystem.


Sicker


ResolverRAT doesn’t target systems—it targets people. The victims are healthcare and pharma professionals: regulatory affairs liaisons, clinical trial operators, R&D specialists, and contractors with access to high-value datasets. These individuals handle everything from investigational drug protocols to sensitive patient records. The attackers know this, and their phishing lures reflect that level of precision. Crafted in local languages and themed with urgency, these emails look legitimate enough to bypass scrutiny.

The ultimate impact extends far beyond individual inboxes. Compromised endpoints can expose confidential trial data, disrupt medicine distribution, or compromise regulated documentation workflows. In healthcare, that’s not just a security breach—it’s a patient safety risk.


Replicating in cells


Once the infected file is opened, ResolverRAT executes a complex infection chain. A malicious DLL is loaded directly into memory, leaving no artifacts on disk. This memory-only presence helps it evade antivirus detection. Then it silently deploys persistence mechanisms—both in the Windows Registry and across the file system—ensuring it survives reboots and system scans.

Communication with the attacker’s infrastructure begins through an encrypted channel, but not before certificate-based authentication validates the connection, bypassing root authority checks. The malware is engineered with resilience in mind: it rotates IP addresses, evades detection with irregular beaconing, and obfuscates its source code to resist reverse engineering. Once active, ResolverRAT listens for commands and begins to exfiltrate data—chopped into tiny 16 KB fragments to fly under the radar.

It’s not just stealthy. It’s engineered for long-term control.


The Vaccine


  • Monitor for DLL side-loading behavior. Actively scan for anomalies in how DLLs are loaded—especially unsigned or suspicious DLLs loaded from non-standard directories. Use application allowlisting and behavioral analysis tools to detect side-loading attempts.


  • Watch memory use and PowerShell execution. Since ResolverRAT operates exclusively in memory and often leverages PowerShell scripts, implement monitoring that detects unusual memory consumption or suspicious PowerShell commands (e.g., obfuscated code, encoded scripts, or unexpected downloads).


  • Deploy XDR/EDR solutions with in-memory and behavioral analysis. Invest in advanced endpoint detection and response (EDR) or extended detection and response (XDR) platforms that provide visibility into memory-resident threats, detect reflective loading techniques, and can respond in real time to in-memory threats.


  • Limit outbound traffic and monitor DNS anomalies. Block or restrict outbound traffic to known malicious or uncommon domains, and monitor for DNS tunneling or irregular communication intervals—ResolverRAT uses IP rotation and certificate-based C2 communications to avoid detection.


  • Validate digital certificates and implement TLS inspection. ResolverRAT uses its own certificates for authentication, bypassing system-level validation. Enable TLS/SSL inspection at gateways and verify certificate legitimacy to detect unauthorized or self-signed certificates.


  • Educate users about localized phishing threats. Train users to recognize social engineering lures crafted in their native language—such as fake legal threats or internal notices. Emphasize skepticism even for emails that appear relevant and local.


  • Implement attachment filtering and content disarm. Block or sandbox unexpected file types (e.g., .dll, .msi, or encrypted archives) in email attachments. Use content disarm and reconstruction (CDR) technology to sanitize inbound documents.


  • Harden the Windows environment. Apply the principle of least privilege, disable Windows features like mshta.exe and unnecessary scripting engines, and restrict execution in temp folders where initial payloads often land.


  • Audit persistence mechanisms. Regularly inspect system registries and file directories for unauthorized startup entries or hidden implants. ResolverRAT installs redundant persistence methods—so ensure layered visibility.


  • Segment critical infrastructure. Isolate high-value systems such as those managing research data, patient records, or regulatory communications. Enforce strict access policies to minimize the blast radius of an initial breach.
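One way to operationalize the first and eighth points above (DLL side-loading from non-standard or temp directories), as an added example that is not from the original post or the researchers' tooling: a small Python detector run over constructed Sysmon-style image-load records. The trusted and user-writable directory lists and the system-DLL watch-list are assumptions chosen for illustration, not from the page.

```python
# Directories that signed, legitimate DLLs are normally loaded from (assumed list).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations where first-stage payloads and side-loaded DLLs often land.
WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Constructed watch-list: DLL names that should only load from the system directories.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll"}

# Constructed sample events, rendered as flat Key=Value records (not Sysmon's XML).
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true
Image=C:\Users\ana\AppData\Local\Temp\notice\viewer.exe|ImageLoaded=C:\Users\ana\AppData\Local\Temp\notice\version.dll|Signed=false
Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll|Signed=true
Image=C:\ProgramData\cache\updater.exe|ImageLoaded=C:\ProgramData\cache\wininet.dll|Signed=false
"""

def parse_record(line):
    """Parse one 'Key=Value|Key=Value' record; paths are lower-cased for matching."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {"image": fields["Image"].lower(),
            "dll": fields["ImageLoaded"].lower(),
            "signed": fields.get("Signed", "false").lower() == "true"}

def side_loading_reasons(rec):
    """Return the heuristics this image load trips; an empty list means it looks benign."""
    path = rec["dll"]
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if path.startswith(WRITABLE_ROOTS):
        reasons.append("dll loaded from user-writable location")
    if name in SYSTEM_DLL_NAMES and not path.startswith(TRUSTED_ROOTS[:2]):
        reasons.append(f"system dll name {name} loaded from non-system path")
    if not rec["signed"] and not path.startswith(TRUSTED_ROOTS):
        reasons.append("unsigned dll outside Windows/Program Files")
    return reasons

def detect(records):
    """Map each suspicious DLL path to its reasons for a block of newline-separated records."""
    hits = {}
    for line in records.strip().splitlines():
        rec = parse_record(line)
        reasons = side_loading_reasons(rec)
        if reasons:
            hits[rec["dll"]] = reasons
    return hits

if __name__ == "__main__":
    for dll, why in detect(SAMPLE_EVENTS).items():
        print(dll, "->", "; ".join(why))
```

On the constructed sample, the two loads from the user's Temp folder and from ProgramData are flagged on all three heuristics, while the signed System32 and Program Files loads pass.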
