ResolverRAT Malware Evades Detection, Hits Pharma And Healthcare Firms


ResolverRAT, a stealthy fileless malware, is targeting healthcare and pharmaceutical industries with phishing-based attacks, Morphisec Labs has warned.

In a rush? Here are the quick facts:

  • It spreads via phishing emails in multiple languages.
  • Malware hides using DLL side-loading and fake apps like hpreader.exe.
  • ResolverRAT encrypts activity, operates only in memory, evading antivirus detection.

A dangerous new malware variant named ResolverRAT has been uncovered by Morphisec Labs, and it’s already being used in targeted cyberattacks against healthcare and pharmaceutical organizations worldwide.

Morphisec reports that ResolverRAT is a Remote Access Trojan (RAT) that is designed to evade detection and analysis. Unlike traditional malware, ResolverRAT runs entirely in memory and does not leave files on disk, which makes it much harder to detect using traditional antivirus tools.

The threat was first detected in attacks against Morphisec clients, specifically in the healthcare industry, with the latest wave occurring on March 10, 2025.

The researchers explain that ResolverRAT uses very realistic phishing emails in multiple languages to deceive corporate employees into downloading infected files. The emails threaten legal consequences such as copyright violations to force recipients into clicking.

“These campaigns reflect the ongoing trend of highly localized phishing,” Morphisec notes, explaining that tailoring language and themes by country increases the chance someone will fall for the scam.

Once inside a system, ResolverRAT loads a hidden malicious program using a method called DLL side-loading, often disguised within a legitimate app. This allows the malware to sneak in without triggering alarms.
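For defenders, DLL side-loading of this kind leaves a recognizable trace in image-load telemetry. The sketch below is an added example, not Morphisec's detection logic: it applies a common heuristic (an untrusted DLL loaded from the executable's own user-writable directory) to constructed events whose field names follow Sysmon Event ID 7. The directory list, paths, and DLL names are assumptions.

```python
import ntpath  # Windows path rules, usable on any analysis host

# Assumed markers for directories ordinary users can write to; tune per estate.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def is_user_writable(directory):
    d = ntpath.normcase(directory) + "\\"
    return any(marker in d for marker in USER_WRITABLE)

def find_sideload_candidates(events):
    """Flag loads of an unsigned or invalidly signed DLL that sits next to
    the loading executable in a user-writable directory."""
    hits = []
    for ev in events:
        exe_dir = ntpath.normcase(ntpath.dirname(ev["Image"]))
        dll = ntpath.normcase(ev["ImageLoaded"])
        if not dll.endswith(".dll"):
            continue
        same_dir = ntpath.dirname(dll) == exe_dir
        trusted = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
        if same_dir and not trusted and is_user_writable(exe_dir):
            hits.append(ev)
    return hits

# Constructed sample events (not real telemetry). Directory and DLL names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\notice\hpreader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\notice\placeholder.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\Downloads\notice\hpreader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\bob\AppData\Local\Tool\tool.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Tool\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("review:", hit["Image"], "->", hit["ImageLoaded"])
```

Matches are leads for review rather than verdicts, since some legitimate software also ships unsigned DLLs beside its executable.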

The malware uses strong encryption and obfuscation techniques to hide its true purpose. It operates only in the computer’s memory, avoids using normal system files, and even creates fake certificates to bypass secure network monitoring.

Its design includes multiple methods to stay hidden and active, even if some are blocked. It installs itself in different parts of the system and uses a rotating list of servers and encrypted communication to avoid detection.

Morphisec warns that ResolverRAT appears to be part of a global operation, with similarities to other known cyberattacks. Shared tools, techniques, and even identical file names suggest a coordinated effort or shared resources among threat groups.

“This new malware family is especially dangerous to healthcare and pharmaceutical companies due to the sensitive data they hold,” Morphisec said.

To combat threats like ResolverRAT, Morphisec promotes its Automated Moving Target Defense (AMTD), which prevents attacks at the earliest stage by constantly changing the attack surface, making it harder for malware to find a target.

ResolverRAT is a clear example of how sophisticated cybercrime is evolving—and why critical sectors like healthcare must stay one step ahead.
