A newly identified remote access trojan known as ResolverRAT is being used in phishing campaigns targeting the healthcare and pharmaceutical industries, reports The Hacker News. The malware is delivered through fear-driven phishing emails that reference legal threats or copyright violations, exploiting recipients' sense of urgency to get them to download malicious payloads. These emails are often localized, appearing in multiple languages including Hindi, Turkish, and Portuguese, suggesting a broad international reach and a deliberate effort to bypass language barriers.
The infection chain relies on a technique called DLL side-loading, which allows the malware to load onto the system quietly without triggering traditional security alerts. Once running, the payload is decrypted in memory and never written to disk, making detection more difficult. Persistence is reinforced through multiple fallback methods, including file system locations and registry modifications, allowing the malware to survive reboots and evade removal attempts.
Communication with the attackers’ infrastructure is secured and stealthy. ResolverRAT uses certificate-based authentication and IP rotation to maintain access to its command-and-control (C2) servers even if initial servers are blocked. This ensures continuous control over compromised machines. It also splits data into small chunks for exfiltration, a method designed to avoid detection by security monitoring tools.
While attribution remains unclear, the campaign’s infrastructure overlaps with previous phishing threats involving well-known information stealers. Its targeting of the healthcare industry raises concerns about the potential impact on sensitive patient data and operational systems. The campaign serves as another reminder of the growing sophistication behind healthcare-focused cyber threats and the need for more proactive threat detection strategies across the sector.