Dubbed ResolverRAT, this previously undocumented malware deploys advanced in-memory execution techniques and layered evasion methods to steal sensitive data while remaining virtually undetectable to traditional security solutions. First observed on March 10, 2025, ResolverRAT represents an evolution in malware design, with its ability to operate entirely in memory leaving minimal forensic traces. PolySwarm analysts identified the malware’s distinctive approach to evading detection, noting that despite sharing some infrastructure with known threats like Rhadamanthys and Lumma, ResolverRAT’s unique loader and payload architecture justify its classification as a distinct malware family. Researchers emphasized the threat’s sophisticated design, describing it as “malware evolution at its finest” due to its novel evasion techniques.

The campaigns deliver emails crafted in multiple languages, including Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish, maximizing potential infection rates across global healthcare institutions. The phishing lures typically employ fear-based tactics, often claiming legal consequences or copyright violations, compelling recipients to download what appears to be legitimate executable files. After the initial phishing email convinces a user to download a seemingly legitimate application, the malware leverages DLL side-loading to inject its malicious code into trusted processes.

ResolverRAT’s infection chain represents a masterclass in evasive malware design. The malware employs multiple layers of obfuscation and encryption to protect its payload and communications. Utilizing AES-256 encryption in CBC mode with dynamically generated keys and initialization vectors, ResolverRAT ensures its malicious code remains hidden from security tools. This technique allows the malware to intercept legitimate resource requests and inject malicious assemblies without modifying PE headers or calling suspicious APIs. The loader then initiates a complex decryption routine within the RunVisibleHandler() method, employing a state machine with control flow flattening to thwart static analysis. The infection establishes persistence by creating up to 20 obfuscated registry entries spread across multiple locations, ensuring survivability even if some entries are discovered and removed.
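A defender-side check for the persistence pattern described above, added here as an example and not part of the article or of PolySwarm's analysis: it reads a constructed dump of autorun registry values, groups them by the executable they launch, and flags any payload registered from several locations under random-looking value names. The key paths in the sample are standard Windows Run/RunOnce locations chosen as an assumption, since the article does not name the locations ResolverRAT uses.

```python
import re
from collections import defaultdict

# Constructed sample (not from the article), one autorun value per line as
# key|value_name|data. Three entries launch the same payload under random names.
SAMPLE_AUTORUNS = """\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|OneDrive|"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|qZx8vLp2Tn|"C:\\Users\\u\\AppData\\Roaming\\hpreader\\hpreader.exe"
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|Kd93jfS0aq|C:\\Users\\u\\AppData\\Roaming\\hpreader\\hpreader.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|SecurityHealth|C:\\Windows\\system32\\SecurityHealthSystray.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|Wm4rT7bQz1|"C:\\Users\\u\\AppData\\Roaming\\HPREADER\\hpreader.exe"
"""

def normalize_target(data):
    """Reduce a command line to its executable path, lower-cased, so one payload
    registered with different quoting, casing or arguments groups together."""
    data = data.strip()
    quoted = re.match(r'"([^"]+)"', data)
    return (quoted.group(1) if quoted else data.split()[0]).lower()

def char_class_churn(name):
    """Fraction of adjacent character pairs that switch between upper, lower and
    digit classes. Generated names (qZx8vLp2Tn) switch almost every step; chosen
    names (SecurityHealth) rarely do."""
    cls = lambda c: "d" if c.isdigit() else "u" if c.isupper() else "l"
    if len(name) < 2:
        return 0.0
    switches = sum(cls(a) != cls(b) for a, b in zip(name, name[1:]))
    return switches / (len(name) - 1)

def parse_autoruns(text):
    """Yield (key, value_name, normalized_target) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            key, name, data = line.split("|", 2)
            yield key, name, normalize_target(data)

def find_redundant_persistence(text, min_locations=2, churn_threshold=0.6):
    """Return {target: {"locations": [...], "random_names": [...]}} for every
    executable registered from at least min_locations distinct autorun keys."""
    by_target = defaultdict(lambda: {"locations": set(), "random_names": []})
    for key, name, target in parse_autoruns(text):
        by_target[target]["locations"].add(key)
        if char_class_churn(name) >= churn_threshold:
            by_target[target]["random_names"].append(name)
    return {t: {"locations": sorted(v["locations"]), "random_names": v["random_names"]}
            for t, v in by_target.items() if len(v["locations"]) >= min_locations}
```

Running `find_redundant_persistence(SAMPLE_AUTORUNS)` reports only the hpreader.exe payload, registered from three keys under three random-looking names, while the single OneDrive and SecurityHealth entries pass.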
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 29 Apr 2025 08:25:06 +0000