
Phishing-Delivered Spyware “ResolverRAT” Targets Healthcare Systems
In March 2025, cybersecurity experts identified a dangerous new malware strain, ResolverRAT, targeting the healthcare and pharmaceutical sectors. The threat stands out for its sophisticated stealth techniques: it operates covertly in computer memory, leaving almost no traces and proving difficult for traditional antivirus software to detect.
ResolverRAT spreads through meticulously crafted phishing emails designed to trick users into installing the malware on their systems. These emails often warn of legal issues or violations, instilling fear and prompting users to download an attachment or application.
The phishing campaigns were conducted in multiple languages—Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish—targeting healthcare organizations on a global scale.
The malware relies on DLL side-loading, in which a trusted application loads a malicious DLL, to infiltrate systems. It then uses complex algorithms to unpack and execute its code in memory.
Additionally, ResolverRAT leverages an internal .NET mechanism, the ResourceResolve event, to launch its malicious code discreetly, without making API calls that would appear suspicious.
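DLL side-loading generally leaves a DLL on disk beside the trusted executable, so it is one stage that image-load telemetry can surface even when later stages stay in memory. The following is an added example, not taken from the original report: it runs that check over constructed Sysmon Event ID 7 (ImageLoad) records, and the paths, file names and list of user-writable roots are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (ImageLoad) records; all paths and names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\notice\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\notice\support.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\setup\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\Updater\updater.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\libcore.dll",
     "Signed": "true", "SignatureStatus": "Expired"},
]

# Roots a standard user can usually write to (assumed list; tune per environment).
USER_WRITABLE_ROOTS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")


def in_user_writable(path: PureWindowsPath) -> bool:
    """True when the path sits under one of the assumed user-writable roots."""
    lowered = str(path).lower()
    return any(lowered.startswith(root + "\\") for root in USER_WRITABLE_ROOTS)


def sideload_suspects(events):
    """Return events where an executable loads a DLL that sits next to it in a
    user-writable directory and the DLL lacks a valid signature."""
    hits = []
    for ev in events:
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.suffix.lower() != ".dll":
            continue
        same_dir = str(exe.parent).lower() == str(dll.parent).lower()
        trusted = ev["Signed"].lower() == "true" and ev["SignatureStatus"] == "Valid"
        if same_dir and in_user_writable(dll) and not trusted:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in sideload_suspects(SAMPLE_EVENTS):
        print(f"review: {ev['Image']} loaded {ev['ImageLoaded']} ({ev['SignatureStatus']})")
```

A hit is a lead for review rather than a verdict, since legitimate per-user installers also ship unsigned DLLs beside their executables.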
The program uses AES-256 encryption to ensure secure data transmission and can even bypass systems designed to detect certificate forgery.
To maintain long-term covert operation, ResolverRAT creates numerous registry keys, some of which are extremely difficult to detect. Its command-and-control servers are frequently rotated and protected by security mechanisms to evade SSL inspection.
ResolverRAT is a modern, highly stealthy piece of malware that poses a significant threat to the healthcare and pharmaceutical industries. To protect their systems, organizations must continuously educate employees about phishing emails, promptly install security updates, and use a diverse set of threat detection tools.