{
	"id": "022a539e-1354-40c2-9710-031ecdcab01e",
	"created_at": "2026-04-06T00:07:00.352304Z",
	"updated_at": "2026-04-10T13:12:31.562252Z",
	"deleted_at": null,
	"sha1_hash": "f6f80f23c28e94d71404812338183d2a7a8e512f",
	"title": "New Malware Variant Identified: ResolverRAT Enters the Maze",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2987742,
	"plain_text": "New Malware Variant Identified: ResolverRAT Enters the Maze\r\nBy Nadav Lorber\r\nArchived: 2026-04-05 20:44:44 UTC\r\nResolverRAT is a newly identified remote access trojan that combines advanced in-memory execution, API and\r\nresource resolution at runtime, and layered evasion techniques. Morphisec researchers have coined it ‘Resolver’\r\ndue to its heavy reliance on runtime resolution mechanisms and dynamic resource handling, which make static\r\nand behavioral analysis significantly more difficult. \r\nIntroduction\r\nWhile recent reports by CheckPoint and Cisco Talos have attributed similar phishing infrastructure and delivery\r\nmechanisms to campaigns distributing Rhadamanthys and Lumma respectively, the RAT observed in Morphisec\r\nThreat Labs’ incident investigations appears to be previously undocumented. Despite clear overlaps in payload\r\ndelivery, email lure themes, and even binary reuse, this variant introduces a distinct loader and payload\r\narchitecture that warranted classification as a new malware family. \r\nOur decision to name and disclose details of ResolverRAT was reinforced by multiple detections targeting\r\nMorphisec customers in the healthcare and pharmaceutical sectors; the most recent attack wave was observed\r\non March 10, 2025.\r\nTechnical Details\r\nThis blog provides a technical deep dive into the infection chain, loader internals, evasion techniques, and C2\r\ninfrastructure.\r\nInitial Access\r\nThe initial infection vector is a social engineering campaign that targets an organization’s corporate employees\r\nacross multiple countries. The threat actor leverages fear-based lures delivered via phishing emails, designed to\r\npressure recipients into clicking a malicious link. Once accessed, the link directs the user to download and open a\r\nfile that triggers the ResolverRAT execution chain. 
\r\nThis campaign reflects the ongoing trend of highly localized phishing, with region-specific language and themes\r\nused to increase credibility and user engagement. \r\nEmails are crafted in the native language of the targeted country, with consistent use of alarming themes – often\r\nreferencing legal investigations or copyright violations. This enhances credibility and increases the likelihood of\r\nuser interaction. \r\nA few localized subject lines observed across different languages include: \r\nhttps://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/\r\nPage 1 of 13\n\nHindi: जाँच प्रक्रिया में दर्ज किए गए दस्तावेज़ — “Documents recorded during the investigation process” \r\nItalian: Documento per confermare la violazione del copyright — “Document to confirm copyright\r\ninfringement” \r\nCzech: Shromáždění důkazů o porušení autorských práv — “Gathering evidence of copyright\r\ninfringement” \r\nTurkish: İhlal delili — “Evidence of violation” \r\nPortuguese: Prova de infração — “Proof of violation” \r\nIndonesian: Bukti pelanggaran — “Evidence of violation” \r\nThis multi-language phishing strategy suggests a globally scoped operation and demonstrates the threat actor’s\r\nintent to maximize infection rates through tailored, region-specific targeting. \r\nThreat Relations \u0026 Intelligence\r\nThe payload delivery mechanism observed in this campaign leverages a classic DLL side-loading technique.\r\nSpecifically, it involves a legitimate, signed executable that is vulnerable to DLL hijacking, paired with a\r\nmalicious DLL placed in the same directory. Upon execution, the benign application – in this case, hpreader.exe –\r\nautomatically loads the malicious DLL, initiating the infection chain. \r\nThis TTP closely mirrors a recently documented campaign by CPR, which also utilized hpreader.exe as the loader\r\nfor Rhadamanthys malware via DLL side-loading. 
Notably, both campaigns deploy an identical binary of the\r\nlegitimate executable, strongly suggesting code reuse or shared tooling across operations. \r\nThe overlap between campaigns is further evidenced by the consistent naming patterns used for both .zip archives\r\nand phishing email subjects. These naming patterns align closely with the copyright infringement theme and mirror\r\nthose documented in research by both CPR and Cisco Talos. This thematic consistency across lure artifacts\r\nsuggests a shared playbook or coordinated activity. Talos also highlighted similar phishing techniques in a\r\ncampaign delivering infostealers via themed social engineering content (Talos Intelligence, 2024). \r\nThe alignment in payload delivery mechanisms, artifact reuse, and lure themes indicates a possible overlap in\r\nthreat actor infrastructure or operational playbooks, potentially pointing to a shared affiliate model or coordinated\r\nactivity among related threat groups. \r\nIn-Memory Loader\r\nCore Architecture and Execution Flow\r\nThe first stage operates as a loader designed to decrypt, load, and execute the actual malware payload while\r\nemploying multiple layers of anti-analysis techniques. \r\nThe loader follows a structured execution pattern: \r\nEncrypted Payload Mechanism\r\nThe ResolverRAT employs AES-256 encryption with embedded cryptographic keys to protect its payload: \r\n1. Cryptographic Implementation: Uses the .NET System.Security.Cryptography namespace with AES in\r\nCBC mode \r\n2. Key Management: Encryption keys and IVs are stored as obfuscated integers, decoded at runtime \r\n3. Multi-layer Protection: The payload is both encrypted and compressed using GZip \r\n4. Memory-only Execution: The full payload exists only in memory after decryption \r\nString Obfuscation\r\nA string obfuscation system prevents static analysis: \r\nRuntime String Decoding: \r\nStrings are stored as numeric IDs rather than plaintext \r\nStringObfuscator.GetString(int stringId) decodes at runtime \r\nCaching Mechanism: \r\nConcurrent dictionary for performance optimization:\r\nEmbedded Resource Encryption: \r\nString table stored as an encrypted embedded resource \r\nCustom resource reader with integrity validation \r\nResolverRAT Loaded via Reflective DLL Loading\r\nInitialization\r\nThe ResolverRAT’s initialization sequence reveals a sophisticated, multi-stage bootstrapping process engineered\r\nfor stealth and resilience. Analysis of the code exposes a highly intentional and well-structured execution flow. \r\n.NET Resource Resolver Hijacking \r\nThis resource resolver hijacking represents malware evolution at its finest – utilizing an overlooked .NET\r\nmechanism to operate entirely within managed memory, circumventing traditional security monitoring focused on\r\nWin32 API and file system operations. \r\nBy registering a custom handler for ResourceResolve events, the malware can intercept legitimate resource\r\nrequests and return malicious assemblies instead. This elegant technique achieves code injection without\r\nmodifying the PE header or employing suspicious API calls that might trigger security solutions. \r\nPayload Decryption State Machine \r\nThe core payload decryption occurs in the RunVisibleHandler() method, which implements an extraordinarily\r\ncomplex state machine with hundreds of states and transitions. 
This technique – known as control flow flattening\r\n– makes static analysis exceptionally challenging:\r\nThe state machine employs several anti-analysis techniques: \r\n1. Non-sequential state transitions to confuse control flow analysis \r\n2. Conditional jumps based on environment checks \r\n3. Dead code and redundant operations to mislead disassemblers \r\n4. Arithmetic operations to dynamically compute decryption keys \r\nPersistence\r\nThe ResolverRAT implements multiple redundant persistence methods through the ExecutorState class. \r\n1. Registry-Based Persistence\r\nThe malware creates up to 20 different registry entries across multiple locations: \r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer \r\nVarious other obfuscated keys constructed through XOR operations \r\n2. File System Persistence\r\nThe ResolverRAT installs itself in multiple locations: \r\nAppData and Local AppData folders \r\nProgram Files directory \r\nUser Startup folders \r\nWhat makes this RAT’s persistence particularly robust is: \r\n1. It attempts different persistence methods in parallel \r\n2. It continues even if some methods fail \r\n3. It implements a fallback hierarchy, tracking successful methods \r\n4. It uses XOR operations to obfuscate registry key names and file paths \r\nC2 Infrastructure\r\nCertificate-Based Authentication \r\nThe ResolverRAT’s certificate validation implements a complete parallel trust system that bypasses the machine’s\r\nroot authorities, rendering advanced SSL inspection tools ineffective. 
\r\nAnalysis of the LockInternalConnection() method reveals that the malware extracts a pre-embedded\r\nX509Certificate2 from encrypted resources: \r\nDuring SSL/TLS handshaking, it bypasses standard certificate validation using a custom callback:\r\nThis custom validation matches the server certificate against the embedded one rather than relying on a trusted CA,\r\ncreating a private validation chain between implant and C2. \r\nResilient C2 Architecture \r\nThe malware implements a sophisticated IP rotation system in the CustomizeConnection() method:\r\nThe IPs are stored in the obfuscated TestDistributor collection, while corresponding ports are in the\r\nCheckDistributor collection. This architecture provides fallback capabilities if the primary C2 server becomes\r\nunavailable. \r\nEvasion Techniques\r\nThe ResolverRAT employs multiple techniques to evade detection: \r\nCustom Protocol Over Standard Ports: By utilizing standard ports within the CheckDistributor list while\r\nimplementing a custom protocol, the malware blends in with legitimate traffic. \r\nCertificate Pinning: The embedded certificate validation prevents MITM inspection, making network\r\nsecurity monitoring less effective. \r\nExtensive Code Obfuscation: Method and variable obfuscation.\r\nTimer-Based Connection Management: Connection attempts are scheduled through timer callbacks with\r\nrandom intervals:\r\nThis creates irregular beaconing patterns, making detection via timing analysis difficult. \r\nSerialized Data Exchange: Use of Protocol Buffers (ProtoBuf) for data serialization provides efficient\r\nstructure while making traffic analysis challenging without knowledge of the specific message formats. 
\r\nCommand Processing Pipeline\r\nThe command processing logic reveals a complex multi-threaded architecture:\r\nThis implementation: \r\n1. Uses a length-prefixed protocol where each command is preceded by its size \r\n2. Processes each received command in a dedicated thread \r\n3. Implements robust error handling to prevent connection failures from crashing the malware \r\nConnection Persistence\r\nThe ResolverRAT implements persistent connectivity through its ViewConnection() method, which re-establishes\r\nC2 connections when interrupted:\r\nThis C2 infrastructure demonstrates the advanced capabilities of the threat actor, combining secure\r\ncommunications, fallback mechanisms, and evasion techniques designed to maintain persistent access while\r\nevading detection by security monitoring systems.\r\nChunked Data Transmission\r\nFor large data exfiltration, the RAT implements a chunking mechanism:\r\nThis chunking mechanism: \r\n1. Breaks large data sets (over 1MB) into 16KB chunks \r\n2. Implements flow control by checking socket write-readiness\r\n3. Handles transmission errors gracefully, preventing data loss \r\nAdvanced Anti-Analysis Techniques\r\nBeyond the evasion techniques mentioned in the previous section, the ResolverRAT implements several advanced\r\nmechanisms to detect and thwart analysis attempts. \r\nResource Resolution Fingerprinting\r\nThe malware uses the resource resolution handler to detect certain analysis environments:\r\nBy monitoring which assemblies are requested and when, the malware can identify patterns typical of dynamic\r\nanalysis tools and adjust its behavior accordingly. 
\r\nEnvironment-Aware State Transitions\r\nThe state machine’s transitions include environment checks: \r\nThese conditional transitions create execution paths that vary based on the runtime environment, allowing the\r\nmalware to behave differently when under analysis. \r\nExecution Control and Victim Tracking \r\nThe ResolverRAT implements a robust victim tracking and command execution framework. \r\nVictim Identification\r\nThe C2 configuration includes fields for tracking infected hosts:\r\nThese fields enable the threat actor to: \r\n1. Track individual infections across campaigns \r\n2. Associate each victim with specific authentication tokens \r\n3. Organize infections by campaign for targeted operations \r\nHow Morphisec Can Help \r\nPowered by Automated Moving Target Defense (AMTD), Morphisec’s Anti-Ransomware Assurance Suite\r\nprovides multi-layered and comprehensive preemptive cyber defense against ransomware and advanced attacks\r\nlike ResolverRAT. Infiltration protection stops attacks at the earliest stage, while impact protection protects\r\nsystems, files and critical assets. \r\nMorphisec uses proactive mechanisms to prevent sophisticated attacks, unlike traditional detection-based\r\ntechnologies — which ResolverRAT successfully evaded. Morphisec’s AMTD-based approach combines with\r\nadaptive exposure management to significantly reduce attack surface exposure, thereby reducing risk exposure. \r\nSchedule a demo today to see how Morphisec stops ResolverRAT and other advanced attack techniques. 
\r\nResolverRAT IOCs\r\nC2 IPs\r\n38.54.6.120 \r\n192.30.241.106 \r\nC2 Ports\r\n56001 \r\n56002 \r\n56003 \r\nAbout the author\r\nNadav Lorber\r\nSecurity Research Tech Lead\r\nNadav Lorber is a leader on Morphisec’s cutting-edge threat research team. He began his career in threat\r\nintelligence in 2013, where he was a SOC Specialist for the Israeli government’s military intelligence department.\r\nSince joining Morphisec, Nadav has helped uncover key insights on topics like Jupyter Infostealer, Log4j, and the\r\nSnip3 crypter.\r\nSource: https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/"
	],
	"report_names": [
		"new-malware-variant-identified-resolverrat-enters-the-maze"
	],
	"threat_actors": [],
	"ts_created_at": 1775434020,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6f80f23c28e94d71404812338183d2a7a8e512f.pdf",
		"text": "https://archive.orkl.eu/f6f80f23c28e94d71404812338183d2a7a8e512f.txt",
		"img": "https://archive.orkl.eu/f6f80f23c28e94d71404812338183d2a7a8e512f.jpg"
	}
}