Healthcare and pharma sectors hit by advanced phishing campaign

A stealthy phishing campaign targeting healthcare and pharma firms is spreading a memory-resident RAT that bypasses traditional security tools.

What happened

Healthcare organizations and pharmaceutical companies are the latest targets of a sophisticated malware campaign distributing a newly discovered remote access trojan (RAT) named ResolverRAT. The attack begins with phishing emails disguised as legal notices about copyright violations, designed to create urgency and prompt users to click on malicious links.

The emails link to a signed executable, hpreader.exe, which initiates a technique known as DLL side-loading to inject the malware directly into memory, bypassing most traditional security defenses.

Going deeper

ResolverRAT is a stealthy type of malware that lives in a computer’s memory, making it hard to detect. It abuses a feature of Microsoft’s .NET runtime to load its harmful code without alerting security tools. Researchers at Morphisec found that it dodges antivirus programs, switches its internet address often, breaks stolen files into smaller pieces, and disguises its activity to blend in with normal traffic.

To stay on the system, it hides secret codes in the computer’s settings and installs itself in places like the StartUp folder so it can run every time the computer is turned on. The servers it connects to have been used by other known malware before, and while no one knows exactly who is behind it, the advanced techniques suggest it could be the work of a well-funded, possibly government-backed group.
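The persistence described above (registry run settings and the StartUp folder) is the kind of thing a defender audits routinely. The following Python is an added example, not code from the article or from the researchers: it applies two triage rules to autorun entries. The entries are constructed; the key names are the real Windows Run/RunOnce keys, while every program path, value name and the `SAMPLE_ENTRIES` data are assumed. On a live host the same rules would run over the output of a tool such as Sysinternals Autoruns or `reg query`.

```python
"""Audit Windows autorun locations (Run/RunOnce keys, Startup folder).

Added example, not the article's or the researchers' code. The entries
are constructed; only the registry key names are real Windows locations.
"""
import ntpath
import re

AUTORUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample autorun entries (value names and paths are assumptions).
SAMPLE_ENTRIES = [
    {"location": AUTORUN_KEYS[2], "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"location": AUTORUN_KEYS[0], "name": "OneDrive",
     "command": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"location": AUTORUN_KEYS[0], "name": "hpreader",
     "command": r"C:\Users\alice\AppData\Roaming\hpreader\hpreader.exe"},
    {"location": STARTUP_DIR, "name": "update.lnk",
     "command": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"location": AUTORUN_KEYS[0], "name": "Updater",
     "command": r"C:\Windows\System32\wscript.exe //B C:\Users\alice\AppData\Roaming\u.vbs"},
]

# Quoted program path, or the first whitespace-free token of a bare command line.
EXE_RE = re.compile(r'^\s*"([^"]+)"|^\s*(\S+)')

# Path fragments an unprivileged user can write to; legitimate autoruns
# usually point into Program Files or the Windows directory instead.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Script hosts and other built-in launchers that are rarely a legitimate autorun target.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}


def target_of(command: str) -> str:
    """Extract the program path from an autorun command line (quoted or bare)."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def audit(entry: dict) -> list:
    """Return the reasons an autorun entry deserves a look; [] means clean."""
    reasons = []
    command = entry["command"]
    target = target_of(command)
    if any(seg in command.lower() for seg in USER_WRITABLE):
        reasons.append(f"autorun references a user-writable path: {command}")
    if ntpath.basename(target).lower() in SCRIPT_HOSTS:
        reasons.append(f"script host used as autorun target: {ntpath.basename(target)}")
    return reasons


def audit_all(entries: list) -> list:
    """Flatten (location, value name, reason) triples for every flagged entry."""
    return [(e["location"], e["name"], r) for e in entries for r in audit(e)]


if __name__ == "__main__":
    for location, name, reason in audit_all(SAMPLE_ENTRIES):
        print(f"[{location}] {name}: {reason}")
```

Neither rule is proof of compromise: some legitimate software does install itself under AppData. The value is in the short list that survives the filter, which an analyst can then check against file signatures and first-seen dates.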

What was said

Researchers described ResolverRAT as “malware evolution at its finest,” pointing to the advanced stealth techniques that make it difficult to detect or remove. Dirk Schrader, Field CISO EMEA and VP of Security Research at Netwrix, indicated that technical defenses must be paired with administrative controls and policy enforcement: “If there is a need for a new application, a defined process should be in place to allow that… Removing unnecessary privileges like local admin rights on endpoints is one of the most effective ways to mitigate the risk of malicious installations.”

He also warned that urgency is often the enemy of awareness, underscoring the need for ongoing employee training in phishing detection and cautious behavior.

The big picture

The threat isn’t just a new strain of malware; it’s the growing ease with which attackers exploit urgency, trust, and blind spots in even well-funded organizations. ResolverRAT shows how cybercriminals are getting smarter: hiding in plain sight, bypassing detection, and quietly siphoning off valuable data. For sectors like healthcare and pharma, where the stakes are high, security must be about tools, habits, decisions, and discipline at every level.

FAQs

Why are healthcare and pharmaceutical companies frequent targets for cyberattacks?

These sectors store high-value data like patient records, clinical research, and intellectual property, making them lucrative for espionage, extortion, and black-market sales.

What makes memory-based malware harder to detect?

Because it doesn’t write code to disk, memory-resident malware avoids leaving a traditional footprint, allowing it to slip past antivirus scans and endpoint detection tools.

What is DLL side-loading, and why is it effective?

DLL side-loading abuses the way Windows resolves library names: a malicious dynamic link library (DLL) is placed where a trusted, often signed, application will find it first, under the name of a library that application expects to load. The malicious code then runs inside a legitimate process and inherits its trust, so the activity looks normal to the system and to security tools.
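From the defender's side, side-loading leaves a recognisable trace in image-load telemetry: a DLL bearing a Windows library's name is loaded from somewhere other than the system directories, or an unsigned DLL is loaded from the executable's own user-writable folder. The Python below is an added example, not code from the article or from Morphisec, that applies those two checks. The records are constructed; the field names follow Sysmon Event ID 7 (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`), `hpreader.exe` is the loader named in the article, and every path and DLL name in `SAMPLE_EVENTS` is assumed.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example, not the article's or Morphisec's code. Records are constructed;
field names follow Sysmon Event ID 7. hpreader.exe comes from the article;
all paths and DLL names are assumptions.
"""
import ntpath

# Directories where Windows' own libraries legitimately live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Well-known Windows DLL names (illustrative subset, not a complete list).
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "uxtheme.dll", "cryptsp.dll",
                    "kernel32.dll", "user32.dll", "wininet.dll", "msimg32.dll"}

# Path fragments an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed sample telemetry, one dict per image-load event.
SAMPLE_EVENTS = [
    # Benign: signed application loads a system DLL from System32.
    {"Image": r"C:\Program Files\Vendor\hpreader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Suspicious: a DLL with a system library's name, unsigned, beside the exe in Downloads.
    {"Image": r"C:\Users\alice\Downloads\hpreader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Benign: the vendor's own signed helper DLL next to its executable.
    {"Image": r"C:\Program Files\Vendor\hpreader.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\hprender.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Suspicious: unsigned DLL loaded from the executable's own Temp directory.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\hpreader.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def is_user_writable(path: str) -> bool:
    """True if the path lies somewhere a standard user could have written it."""
    low = path.lower()
    return any(seg in low for seg in USER_WRITABLE)


def classify(event: dict) -> list:
    """Return the reasons an image-load event looks like side-loading; [] if none."""
    reasons = []
    dll_dir, dll_name = ntpath.split(event["ImageLoaded"])
    exe_dir = ntpath.dirname(event["Image"])
    name = dll_name.lower()
    in_system_dir = dll_dir.lower().startswith(SYSTEM_DIRS)

    # Rule 1: a system library's name resolved outside the system directories.
    if name in SYSTEM_DLL_NAMES and not in_system_dir:
        reasons.append(f"system DLL name {name} loaded from non-system path {dll_dir}")

    # Rule 2: an unsigned DLL loaded from the executable's own user-writable directory.
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus") != "Valid")
    if unsigned and dll_dir.lower() == exe_dir.lower() and is_user_writable(exe_dir):
        reasons.append(f"unsigned DLL {name} loaded from the executable's user-writable directory")
    return reasons


def scan(events: list) -> list:
    """Flatten (process, DLL, reason) triples for every flagged event."""
    return [(e["Image"], e["ImageLoaded"], r) for e in events for r in classify(e)]


if __name__ == "__main__":
    for image, dll, reason in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {reason}")
```

Rule 1 is the high-confidence signal and is worth tuning to the libraries your own applications import; Rule 2 catches loaders that ship a DLL under a fresh name but is noisier, so in production it is usually correlated with how the executable arrived on the host (for example a download marked with the Mark of the Web).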

How can organizations reduce the risk of phishing attacks like this?

Regular phishing simulations, strict privilege management, and blocking executable downloads from emails are effective ways to reduce exposure.

Are signed executables always safe to trust?

No. While code signing certifies the origin of a file, attackers can abuse or steal certificates to make malicious files appear trustworthy.