ResolverRAT: How to Detect the Stealthy .NET Malware

By Clinton Nwezeaku
on April 17, 2025

ResolverRAT is a newly discovered remote access trojan that caught my attention recently because of how stealthy and dangerous it is. It was first reported by Morphisec, and it’s already being used in phishing attacks targeting healthcare and pharmaceutical organizations around the world. These are industries where any data breach could be catastrophic, which makes this malware especially concerning.

What stood out to me wasn’t just what ResolverRAT can do, but how it does it. It’s not flashy. It’s quiet, careful, and it slips right past most traditional security tools. Here’s a breakdown of how it works, why it’s so dangerous, and how I went about detecting it using a combination of memory scanning and registry analysis.

-Book Your Free Cybersecurity Consultation Today!

How ResolverRAT Infects Targets

The infection begins with phishing emails. These aren’t your average scam messages. They’re crafted to look like legal or copyright violation notices, and they’re written in the target’s native language. That alone increases the chance someone will fall for it.

Once the victim clicks the link, they download a legitimate-looking executable named hpreader.exe. This isn’t malware by itself, but it’s used to load ResolverRAT directly into memory using reflective DLL injection. That means no malicious file touches the disk, making it extremely hard to detect with traditional antivirus tools.

-Phishing Attacks

Technical Details That Make ResolverRAT Stand Out

-Read the Top Most dangerous Remote Access Trojans in 2025

Reflective DLL Injection

Reflective DLL injection is one of the key tactics ResolverRAT uses. Instead of writing malicious files to the system, it loads everything in memory. Here’s how I approached this technique in a test environment:

				
					Assembly assembly = Assembly.Load(byteArrayContainingDLL);
MethodInfo entry = assembly.EntryPoint;
entry.Invoke(null, new object[] { new string[] { } });

It’s simple, but powerful. Loading a DLL this way leaves almost no trace behind.

.NET ResourceResolver Hijacking

What really surprised me was ResolverRAT’s use of the .NET ResourceResolve event. This is something most people overlook, but ResolverRAT uses it to load malicious assemblies without calling APIs that might get flagged.

Here’s the concept in action:

				
					AppDomain.CurrentDomain.ResourceResolve += (sender, args) => {
    return Assembly.Load(maliciousBytes);
};

By hooking into this event, the malware stays entirely within managed memory and sidesteps a lot of standard detection methods.

Control Flow Obfuscation

ResolverRAT uses a complex state machine to obfuscate its logic. That makes reverse engineering a nightmare. It also fingerprints its environment to detect sandboxes and debuggers. If it senses anything unusual, it can modify its behavior or shut down entirely.

Even when it does run, it uses misleading and redundant code to slow down analysis. That kind of misdirection can trip up even experienced analysts.

How It Sticks Around and Evades Detection

Persistence is another area where ResolverRAT doesn’t cut corners. It hides XOR-obfuscated keys in up to 20 different Windows registry locations. On top of that, it copies itself to multiple places like:

%APPDATA%\Startup
%ProgramFiles%
%LocalAppData%

It also schedules its callbacks to the command-and-control server at random intervals. That randomness helps it blend in with normal network traffic and avoids detection based on timing patterns.

Command Execution and Data Theft

One thing I found impressive is how ResolverRAT handles commands. Each command is spun off in its own thread. That means if one command crashes, it doesn’t bring down the whole malware. That kind of fault tolerance is something I’ve only seen in well-developed malware.

When it comes to stealing data, ResolverRAT splits files larger than 1MB into 16KB chunks. Before sending each chunk, it checks whether the socket is ready to write. This prevents it from crashing on unreliable networks.

If the connection breaks, it just picks up where it left off. That makes its data exfiltration both subtle and resilient.

Platform-Specific Detection Strategies

Here’s how I went about detecting ResolverRAT on a Windows platform:

1. Scanning for .NET Assemblies in Memory

Since ResolverRAT lives entirely in memory, YARA rules can be used with memory scanners like Volatility or PE-sieve to spot suspicious .NET metadata in non-standard memory regions. Here’s a basic idea:

				
					rule DotNetAssemblyInMemory {
    strings:
        $clr_metadata = { 42 53 4A 42 } // BSJB - .NET metadata signature
    condition:
        $clr_metadata in (process.memory)
}

I used PE-sieve to dump all in-memory PE files and found unbacked .NET assemblies loaded by hpreader.exe, which matched the suspected behavior.

2. Registry Key Monitoring

To catch persistence, I wrote a PowerShell script that checks common registry run keys and applies XOR decoding logic to uncover hidden entries:

				
					$registryPaths = @(
  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)

foreach ($path in $registryPaths) {
    Get-ItemProperty -Path $path | ForEach-Object {
        foreach ($property in $_.PSObject.Properties) {
            $value = $property.Value
            if ($value -match '[^\x20-\x7E]') {
                Write-Host "Possible XOR-obfuscated persistence: $($property.Name) => $value"
            }
        }
    }

This picked up some odd entries that didn’t correspond to legit software and were clearly mangled.

3. Detecting Randomized Beaconing

On the network side, I captured traffic using Wireshark and Zeek, looking for non-standard beacon intervals. ResolverRAT uses randomized timers, so I wrote a custom Zeek script to log irregular callback intervals:

				
					event connection_state_remove(c: connection) {
    local duration = c$duration;
    if ( duration < 60sec || duration > 300sec ) {
        print fmt("Irregular beaconing: %s -> %s (duration: %s)", c$id$orig_h, c$id$resp_h, duration);
    }
}

It didn’t take long to isolate traffic showing non-deterministic patterns to a C2 IP that resolved to a bulletproof hosting provider.

Final Thoughts

ResolverRAT is not just another piece of malware. It’s thoughtful, quiet, and clearly developed by people who know how to exploit gaps in modern defenses. What makes it truly dangerous is that it doesn’t rely on flashy tricks. It leverages overlooked parts of .NET, hides in memory, and communicates quietly enough to stay under the radar.

If you’re working in a high-risk industry or handling sensitive data, this is a wake-up call. Email security, behavioral analysis, and internal threat detection are more important than ever.

ResolverRAT is probably just the beginning. We’ll likely see more malware following this same model—low-profile, memory-resident, and dangerously effective.

You might be interested in this post: New ResolverRAT malware targets pharma and healthcare orgs worldwide
-BleepingComputers

Why Businesses Trust SecureMyOrg for Comprehensive Network Security

At SecureMyOrg, we uncover and fix all possible security vulnerabilities of mobile and web, while providing solutions to mitigate risks. We are trusted by renowned companies like Yahoo, Gojek and Rippling, and with 100% client satisfaction, you’re in safe hands!

Some of the things people reach out to us for –

Building their cybersecurity program from scratch – setting up cloud security using cost-effective tools, SIEM for alert monitoring, building policies for the company
Vulnerability Assessment and Penetration Testing ( VAPT ) – We have certified professionals, with certifications like OSCP, CREST – CPSA & CRT, CKA and CKS
DevSecOps consulting
Red Teaming activity
Regular security audits, before product release
Full time security engineers.