New ResolverRAT Malware Targets Healthcare Sector with Advanced Phishing Tactics
April 14, 2025
The malware protects its C&C infrastructure with a parallel trust system that bypasses root certificate authorities and includes an IP rotation system for resilience.
ResolverRAT is designed to execute commands from the C2 server and exfiltrate data in 16 KB chunks, minimizing the risk of detection even for larger files.
To maintain persistence, the malware creates multiple registry entries and installs itself in various locations on the victim's system, ensuring continued operation even if some methods fail.
A new remote access trojan named ResolverRAT has emerged, specifically targeting healthcare and pharmaceutical organizations worldwide through sophisticated phishing techniques.
The malware is primarily distributed via phishing emails that utilize fear-based tactics, often referencing legal issues to compel victims to download malicious files.
These phishing emails contain links to download a legitimate executable named 'hpreader.exe,' which is used to inject ResolverRAT into memory through reflective DLL loading.
Once activated, ResolverRAT operates entirely in memory, utilizing .NET 'ResourceResolve' events to load malicious assemblies without triggering security alerts.
The malware combines in-memory execution, dynamic resource handling, and a complex state machine that obfuscates its control flow to evade detection.
ResolverRAT shares characteristics with previous malware campaigns like Rhadamanthys and Lumma RAT, suggesting a connection to shared threat actor infrastructure.
While the campaign has not been linked to a specific threat group or country, its similarities with prior phishing attacks indicate a potential connection to other threat actors.
ResolverRAT supports certificate-based authentication to circumvent SSL inspection tools and features a robust command and control (C2) infrastructure, including IP rotation and fallback mechanisms.
ResolverRAT employs a DLL side-loading technique to initiate its infection chain, using an in-memory loader that decrypts and executes the main payload while remaining stealthy.
Summary based on 5 sources
Sources

TechRadar pro • Apr 15, 2025
Sophisticated new ResolverRAT malware targeting healthcare and pharmaceutical sectors
BleepingComputer • Apr 14, 2025
New ResolverRAT malware targets pharma and healthcare orgs worldwide
The Hacker News • Apr 14, 2025
ResolverRAT Campaign Targets Healthcare, Pharma via Phishing and DLL Side-Loading
SecurityWeek • Apr 14, 2025
New ‘ResolverRAT’ Targeting Healthcare, Pharmaceutical Organizations