Healthcare and Pharma Under Attack From Sneaky ResolverRAT Malware
A stealthy new remote access trojan (RAT) dubbed ResolverRAT is actively targeting the healthcare and pharmaceutical industries, cybersecurity experts warn. The malware is being spread through sophisticated phishing campaigns and a technique called DLL side-loading, making it difficult to detect.

Security researchers have uncovered a sneaky new remote access trojan, dubbed ResolverRAT, that's actively targeting the healthcare and pharmaceutical industries. The malware uses sophisticated methods to infiltrate systems and stay hidden once inside.
According to Nadav Lorber, a researcher at Morphisec Labs, "The attackers are using fear as a weapon. They send out phishing emails designed to scare people into clicking malicious links." You can read the full report on the Morphisec blog. The email's hook? A malicious link that downloads a file, kicking off the ResolverRAT execution chain.
This activity, spotted as recently as March 10, 2025, seems to share tactics with previous phishing campaigns that spread information stealers like Lumma and Rhadamanthys. Cisco Talos and Check Point each documented those earlier campaigns in their own reports.
Localized Phishing Lures: A Global Threat
What's particularly interesting is the use of phishing lures tailored to specific regions. These emails are written in the local languages of the targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. This shows the attackers are trying to reach a wide audience and maximize their success rate.
The emails often revolve around legal issues or copyright infringements, designed to create a sense of urgency and panic, making people more likely to click without thinking.
How ResolverRAT Works: Stealth and Persistence
The infection process relies on a technique called DLL side-loading to get things started. The initial stage involves an in-memory loader that decrypts and launches the main payload. Every stage is built to stay hidden: the ResolverRAT payload is stored encrypted and compressed, and its decrypted form exists only in memory.
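The side-loading step described above leaves a recognisable shape in endpoint telemetry: a legitimate-looking executable maps a DLL whose name belongs to a Windows system library, but the copy it loads sits beside the executable instead of in the system directories. The script below is an added example for this article, not code from Morphisec or from the report; it applies that heuristic to constructed image-load events. The baseline DLL names, the `key=value` log format, the file paths and the `viewer.exe` process name are all assumptions made for illustration.

```python
"""Flag candidate DLL side-loading events from image-load telemetry.

Added example for this article, not code from Morphisec or the report it
cites. Heuristic: an executable loads a DLL whose file name matches a
library that normally ships in the Windows system directories, but the copy
actually loaded sits next to the executable and is unsigned or lives in a
user-writable location. Baseline set, paths and log lines are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: names of libraries that ship in %SystemRoot%\System32 on a
# clean host. Build this from a reference image rather than hard-coding it.
SYSTEM_DLL_BASELINE = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}

SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

USER_WRITABLE_ROOTS = (
    PureWindowsPath(r"C:\Users"),
    PureWindowsPath(r"C:\ProgramData"),
    PureWindowsPath(r"C:\Windows\Temp"),
)


@dataclass(frozen=True)
class ImageLoad:
    process_image: str  # executable that performed the load
    image_loaded: str   # full path of the DLL that was mapped
    signed: bool        # signature status as reported by the sensor


def _under(path: str, roots) -> bool:
    """True if path lies below one of roots (case-insensitive prefix match)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(str(r).lower() + "\\") for r in roots)


def is_side_load_candidate(ev: ImageLoad) -> bool:
    dll = PureWindowsPath(ev.image_loaded)
    if dll.name.lower() not in SYSTEM_DLL_BASELINE:
        return False  # not impersonating a system library
    if _under(ev.image_loaded, SYSTEM_DIRS):
        return False  # loaded from its legitimate location
    # Side-loading relies on the loader's search order finding the DLL beside
    # the executable. A signed copy redistributed under Program Files is common
    # and is left alone; an unsigned copy or one in a user-writable directory
    # is flagged for review.
    same_dir = dll.parent == PureWindowsPath(ev.process_image).parent
    return same_dir and (not ev.signed or _under(ev.image_loaded, USER_WRITABLE_ROOTS))


def parse_image_load(line: str) -> ImageLoad:
    """Parse a constructed 'Key=value|Key=value' telemetry line (not a real sensor format)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"], fields["Signed"].lower() == "true")


def find_side_loads(lines):
    """Return the paths of DLLs whose load matches the side-loading heuristic."""
    return [ev.image_loaded for ev in map(parse_image_load, lines) if is_side_load_candidate(ev)]


# Constructed sample telemetry: one benign system load, one benign vendor
# redistribution, one unrelated application DLL, and one side-load candidate.
SAMPLE_LOADS = [
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\dbghelp.dll|Signed=true",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\app.dll|Signed=true",
    r"Image=C:\Users\alice\Downloads\viewer.exe|ImageLoaded=C:\Users\alice\Downloads\version.dll|Signed=false",
]

if __name__ == "__main__":
    for path in find_side_loads(SAMPLE_LOADS):
        print("side-load candidate:", path)
```

The check deliberately tolerates a signed system-library copy redistributed under Program Files, which vendors do legitimately; tightening that rule trades fewer misses for more analyst noise, so the right threshold depends on the fleet's baseline.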
Lorber emphasizes the malware's sophistication: "ResolverRAT's initialization is a multi-stage process designed for stealth and resilience." He also notes that it uses multiple backup methods for persistence, installing itself in different locations as a fallback.
Once active, the malware uses a unique certificate-based authentication system before connecting to its command-and-control (C2) server. This allows it to bypass standard security checks. It also has a system to switch to an alternate C2 server if the main one goes down.
ResolverRAT also uses certificate pinning, code obfuscation, and irregular communication patterns to avoid detection.
"This advanced C2 infrastructure shows that the attackers are highly skilled. They're using secure communication, backup systems, and evasion techniques to maintain access while avoiding security monitoring," according to Morphisec.
The ultimate goal? To receive commands from the C2 server and send back stolen data. To avoid raising red flags, data larger than 1 MB is broken down into smaller 16 KB chunks.
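Chunking large uploads into fixed-size pieces changes what a network defender should look for: instead of one large outbound transfer, the telemetry shows many near-identical flows to the same destination. The script below is an added example for this article, not code from Morphisec; it scans constructed flow-log lines for a source/destination pair whose ~16 KB flows add up to more than 1 MB, the two figures the article gives. The `timestamp src dst bytes` log format, the hosts and the addresses are assumptions made for illustration.

```python
"""Flag chunked outbound transfers in flow or proxy logs.

Added example for this article, not code from Morphisec. The article notes
that ResolverRAT splits uploads larger than 1 MB into 16 KB chunks; the
detector below looks for the shape that leaves in network telemetry: many
near-identical ~16 KB flows from one host to one destination that together
exceed 1 MB. The log format, hosts and addresses are constructed.
"""
from collections import defaultdict

CHUNK_SIZE = 16 * 1024      # 16 KB chunks, as described in the article
MIN_TOTAL = 1024 * 1024     # only transfers above 1 MB are chunked


def parse_flow(line: str):
    """Parse a constructed 'timestamp src dst bytes_out' line."""
    ts, src, dst, nbytes = line.split()
    return ts, src, dst, int(nbytes)


def find_chunked_transfers(lines, chunk_size=CHUNK_SIZE, min_total=MIN_TOTAL,
                           tolerance=256, min_share=0.9):
    """Return (src, dst) pairs whose outbound flows look like a chunked upload.

    tolerance: allowed deviation from chunk_size, to absorb framing overhead.
    min_share: fraction of the pair's flows that must be chunk-sized; the
    final remainder chunk of a transfer is usually smaller, so 1.0 is too strict.
    """
    sizes_by_pair = defaultdict(list)
    for line in lines:
        _, src, dst, nbytes = parse_flow(line)
        sizes_by_pair[(src, dst)].append(nbytes)

    hits = []
    for (src, dst), sizes in sizes_by_pair.items():
        chunk_sized = [n for n in sizes if abs(n - chunk_size) <= tolerance]
        if len(chunk_sized) >= min_share * len(sizes) and sum(chunk_sized) > min_total:
            hits.append({"src": src, "dst": dst,
                         "chunks": len(chunk_sized), "bytes": sum(chunk_sized)})
    return hits


def _constructed_flows():
    """Build sample telemetry: one chunked upload plus ordinary traffic."""
    flows = []
    # 70 full chunks and a 4 KB remainder from one host to one external address.
    for i in range(70):
        flows.append(f"2025-03-10T10:{i // 60:02d}:{i % 60:02d} 10.0.0.5 203.0.113.10 {CHUNK_SIZE}")
    flows.append("2025-03-10T10:01:10 10.0.0.5 203.0.113.10 4096")
    # Ordinary browsing: varied sizes, well under the threshold.
    for i, n in enumerate([512, 2048, 16384, 900, 30000]):
        flows.append(f"2025-03-10T10:02:{i:02d} 10.0.0.7 198.51.100.4 {n}")
    # A few chunk-sized flows that never add up to 1 MB.
    for i in range(3):
        flows.append(f"2025-03-10T10:03:{i:02d} 10.0.0.9 198.51.100.4 {CHUNK_SIZE}")
    return flows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for hit in find_chunked_transfers(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['chunks']} chunks, {hit['bytes']} bytes")
```

Because the article also says the malware varies its communication timing, the rule keys on size uniformity and total volume rather than on a regular beacon interval; a host that legitimately streams fixed-size records to one endpoint will also match, so pair the alert with destination reputation before escalating.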
While the attackers haven't been officially identified, the similarities to previous phishing attacks suggest a possible connection.
Morphisec believes there might be a connection to other threat groups: "The similarities could indicate a shared infrastructure or coordinated activity."
Another Threat: Neptune RAT
Meanwhile, CYFIRMA has reported on another remote access trojan called Neptune RAT. This one uses a modular design to steal information, stay hidden, demand a $500 ransom, and even corrupt the Master Boot Record (MBR) to break the Windows system.
This RAT is being spread openly via GitHub, Telegram, and YouTube. The GitHub profile linked to the malware, called the MasonGroup (aka FREEMASONRY), is now inaccessible.
CYFIRMA warned, "Neptune RAT uses advanced techniques to hide itself and stay on the system for a long time. It also has dangerous features." You can read the full analysis in CYFIRMA's report.
They added that it includes features like a crypto clipper, a password stealer that can grab credentials from over 270 applications, ransomware capabilities, and live desktop monitoring. "This makes it an extremely serious threat."