ResolverRAT
ResolverRAT is a .NET-based remote access trojan (RAT) observed in a broad cybercrime campaign active since at least November 2025. It provides persistent backdoor access to infected systems and has been deployed alongside other malware families including LummaStealer, PureRAT, PureHVNC, PureLogs Stealer, and ClearFake/ClickFix infrastructure. In one documented March 2026 case, a 605,184-byte PE32 Mono/.NET executable decrypted from a Donut loader delivered both ResolverRAT and LummaStealer in a dual-payload package, giving operators both persistent access and credential theft capability.
Reporting describes ResolverRAT as targeting healthcare and pharmaceutical organizations, delivered through phishing and DLL side-loading, and also links the broader campaign to the fake browser update lures associated with ClearFake/ClickFix. The analyzed attack chain used a Donut in-memory loader to execute an obfuscated .NET payload without writing it to disk. The loader stacked several protection layers: Donut itself, .NET Reactor obfuscation, a custom preprocessing stage, AES-256-CBC encryption, and GZip compression. Researchers also observed process hollowing for payload injection and runtime reconstruction of WinAPI names such as VirtualAlloc and WriteProcessMemory, so that those strings never appear in the binary for static signatures to match.
ResolverRAT encrypts its command-and-control traffic. Reported features include HTTPS C2, RSA key exchange, AES-encrypted channels, and certificate pinning against 14 embedded SHA-256 certificate fingerprints, which also means a TLS-inspecting proxy presenting its own certificate is rejected by the implant. The malware was observed communicating over TCP port 56001; broader related samples also referenced ports 443, 8443, 56001, 4782, 1337, 7777, 9090, 5555, 6666, and 4444. The .NET payload stored an encrypted configuration blob in its resources and recovered it through a chain of Base64 decoding, MD5-derived keying, AES-CBC decryption, and GZip decompression. The payload also referenced the .NET RijndaelManaged, TripleDES, and RSACryptoServiceProvider classes.
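The layered AES-CBC plus GZip unpacking in the loader and the resource-decryption chain just described (Base64 decode, MD5-derived key, AES-CBC, GZip) are the parts an analyst reimplements first to pull the C2 list out of a sample. The Go program below is an added example, not code from the reporting or from the malware, and it fills in what the page does not state with labelled assumptions: the MD5 digest is used directly as a 16-byte AES-128 key, the IV is the first 16 bytes of the decoded blob, padding is PKCS#7, and the decrypted bytes are a gzip stream. BuildSampleBlob is the inverse chain and exists only to construct test input; the JSON config it encrypts is made up.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// deriveKey mirrors the "MD5-derived keying" step: the 16-byte MD5 digest of a
// passphrase is used as-is as an AES-128 key. ASSUMPTION: the real sample's key
// material source and key length are not documented on this page.
func deriveKey(passphrase string) []byte {
	sum := md5.Sum([]byte(passphrase))
	return sum[:]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptConfig runs the chain described in the write-up:
// Base64 decode -> MD5-derived key -> AES-CBC decrypt -> GZip decompress.
// ASSUMPTIONS: the 16-byte IV is prepended to the ciphertext, padding is PKCS#7.
// A wrong key normally surfaces as a padding error or a bad gzip header.
func DecryptConfig(blobB64, passphrase string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not IV plus whole AES blocks")
	}
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, fmt.Errorf("gzip: %w", err)
	}
	defer zr.Close()
	// Cap the output so a hostile blob cannot inflate without bound.
	return io.ReadAll(io.LimitReader(zr, 1<<20))
}

// BuildSampleBlob is the inverse chain; it exists only to construct input here.
func BuildSampleBlob(plain []byte, passphrase string) (string, error) {
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	if _, err := zw.Write(plain); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(gz.Bytes())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

func main() {
	// Constructed config, not recovered from a real sample.
	cfg := []byte(`{"host":"192.0.2.10","port":56001}`)
	blob, _ := BuildSampleBlob(cfg, "constructed-passphrase")
	out, err := DecryptConfig(blob, "constructed-passphrase")
	fmt.Printf("%s (err=%v)\n", out, err)
	_, err = DecryptConfig(blob, "wrong-passphrase")
	fmt.Println("wrong key:", err)
}
```

When adapting this to a real sample, replace deriveKey and the IV convention with whatever the decompiled decryption routine actually does; the padding and gzip-header checks are what tell you the guess was wrong before you start reading garbage as configuration.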
The analyzed sample used randomized metadata and anti-analysis measures: .NET Reactor obfuscation, GUID-named configuration fields, randomized assembly and namespace names, merged assemblies, and a forged compilation timestamp of 2052-03-03 01:23:11 UTC, a date in the future that cannot be a genuine link time. The primary sample discussed in the reporting had SHA-256 87053d0ad81ac3367ef5e6305f4cf4eec11776e94971f3f54bc66eaddf756eb5 and imphash f34d5f2d4577ed6d9ceec516c1f5a744.
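A future-dated link time like the one above is cheap to check at triage. The following Go program is an added example, not tooling from the reporting: it reads IMAGE_FILE_HEADER.TimeDateStamp from a PE image and classifies it, taking the reference time as a parameter so the verdict is reproducible. ConstructedPE builds a header-only image carrying the sample's 2052 stamp as test input; it is not the real sample.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// PETimestamp reads IMAGE_FILE_HEADER.TimeDateStamp: e_lfanew at DOS offset 0x3C
// points at "PE\0\0", and the stamp sits 8 bytes past that signature.
func PETimestamp(img []byte) (time.Time, error) {
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return time.Time{}, errors.New("not a PE image: missing MZ header")
	}
	off := uint64(binary.LittleEndian.Uint32(img[0x3C:0x40]))
	if off+24 > uint64(len(img)) {
		return time.Time{}, errors.New("e_lfanew points outside the image")
	}
	if string(img[off:off+4]) != "PE\x00\x00" {
		return time.Time{}, errors.New("missing PE signature")
	}
	stamp := binary.LittleEndian.Uint32(img[off+8 : off+12])
	return time.Unix(int64(stamp), 0).UTC(), nil
}

// Verdict classifies a stamp. now is passed in so the check is reproducible.
// Caveat: reproducible builds legitimately carry a hash-derived stamp that
// can look random, so "forged" is a triage signal, not proof on its own.
func Verdict(stamp, now time.Time) string {
	switch {
	case stamp.Unix() == 0:
		return "zeroed"
	case stamp.After(now.Add(24 * time.Hour)):
		return "forged (in the future)"
	case stamp.Before(time.Date(1995, 1, 1, 0, 0, 0, 0, time.UTC)):
		return "implausibly old"
	default:
		return "plausible"
	}
}

// ConstructedPE builds a header-only image with the given stamp. Test input only.
func ConstructedPE(stamp uint32) []byte {
	img := make([]byte, 0x80+24)
	img[0], img[1] = 'M', 'Z'
	binary.LittleEndian.PutUint32(img[0x3C:], 0x80)
	copy(img[0x80:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x84:], 0x014c) // Machine = i386, as for a PE32 image
	binary.LittleEndian.PutUint32(img[0x88:], stamp)
	return img
}

func main() {
	forged := time.Date(2052, 3, 3, 1, 23, 11, 0, time.UTC) // the stamp reported for the sample
	ts, err := PETimestamp(ConstructedPE(uint32(forged.Unix())))
	fmt.Println(ts, err, Verdict(ts, time.Now()))
}
```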
Associated infrastructure spanned at least 22 C2 IP addresses, 8 domains, more than 12 hosting providers, and at least 8 countries. ResolverRAT-specific C2 infrastructure was reported on port 56001, with identified IPs including 88[.]214[.]50[.]195, 64[.]188[.]91[.]191, 109[.]120[.]137[.]101, and 193[.]111[.]117[.]0. Additional campaign infrastructure and domains mentioned in reporting include kampf[.]huehnchenfarm[.]ru, 45[.]141[.]119[.]34, pat[.]microsoft-telemetry[.]at, windirautoupdates[.]top, stathub[.]quest, mktblend[.]monster, stategiq[.]quest, dsgnfwd[.]xyz, and dndhub[.]xyz. Attribution in the reporting was low to medium confidence and suggested an experienced financially motivated cybercrime operator or cluster, citing German-language domain artifacts, Austrian TLD abuse, and Russian-linked infrastructure.
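The indicators above are defanged as reporting publishes them, so the first step in any hunt is to refang them and then decide how much weight each match carries: a hit on a reported C2 IP on any port is strong, while traffic to one of the RAT-associated ports alone is weak, since 1337, 7777 and 9090 are common in benign software. The Go program below is an added example, not the page's own tooling; its connection records are constructed (only the two destination IPs that hit the page's C2 list are real indicators), and the field layout "ts uid src sport dst dport proto" is an assumption to adapt to your own schema.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Refang turns an indicator as written in reporting (88[.]214[.]50[.]195,
// hxxps://pat[.]microsoft-telemetry[.]at) back into a matchable value.
func Refang(s string) string {
	r := strings.NewReplacer("hxxps", "https", "hxxp", "http", "[.]", ".", "(.)", ".", "[:]", ":")
	return strings.ToLower(r.Replace(strings.TrimSpace(s)))
}

// C2 IPs and ports from the page, kept defanged exactly as reported.
var ResolverRATIPs = []string{"88[.]214[.]50[.]195", "64[.]188[.]91[.]191", "109[.]120[.]137[.]101", "193[.]111[.]117[.]0"}
var ResolverRATPorts = map[int]bool{56001: true, 4782: true, 1337: true, 7777: true, 9090: true}

type Match struct {
	Line, Confidence, Reason string
}

// HuntConn scans connection records laid out as "ts uid src sport dst dport proto"
// (ASSUMPTION: adjust the indices to your log schema). A known C2 IP on any port
// is high confidence; a RAT-associated port to an unknown public host is only
// medium, and private or loopback destinations on those ports are ignored.
func HuntConn(lines []string) []Match {
	known := map[string]bool{}
	for _, ip := range ResolverRATIPs {
		known[Refang(ip)] = true
	}
	var out []Match
	for _, ln := range lines {
		f := strings.Fields(ln)
		if strings.HasPrefix(ln, "#") || len(f) < 7 {
			continue
		}
		dst := net.ParseIP(f[4])
		dport, err := strconv.Atoi(f[5])
		if dst == nil || err != nil {
			continue
		}
		switch {
		case known[dst.String()]:
			out = append(out, Match{ln, "high", "destination is a reported ResolverRAT C2 IP"})
		case ResolverRATPorts[dport] && !dst.IsPrivate() && !dst.IsLoopback():
			out = append(out, Match{ln, "medium", fmt.Sprintf("outbound to RAT-associated port %d", dport)})
		}
	}
	return out
}

// SampleConn is CONSTRUCTED telemetry for this example; 203.0.113.0/24 is documentation space.
var SampleConn = []string{
	"#ts uid src sport dst dport proto",
	"1710000000.1 C1 10.0.0.5 51234 88.214.50.195 56001 tcp",
	"1710000000.2 C2 10.0.0.5 51235 203.0.113.7 56001 tcp",
	"1710000000.3 C3 10.0.0.6 51236 10.0.0.9 7777 tcp",
	"1710000000.4 C4 10.0.0.6 51237 203.0.113.8 443 tcp",
	"1710000000.5 C5 10.0.0.7 51238 64.188.91.191 443 tcp",
}

func main() {
	for _, m := range HuntConn(SampleConn) {
		fmt.Printf("[%s] %s: %s\n", m.Confidence, m.Reason, m.Line)
	}
}
```

On the constructed records this yields two high-confidence hits (the reported IPs, one of them on 443 rather than 56001) and one medium hit (port 56001 to an unlisted public host); the internal 7777 connection is dropped. Feed the domains through Refang the same way and match them against DNS logs.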
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 2 techniques
Privilege Escalation: 2 techniques
Stealth (Defense Evasion): 6 techniques, including
- T1027.002 Obfuscated Files or Information: Software Packing (.NET Reactor, 119 GUID-named config fields)
- T1027.005 Obfuscated Files or Information: Indicator Removal from Tools (forged PE timestamp of 2052, encrypted config)
- T1036.005 Masquerading: Match Legitimate Name or Location (RuntimeBroker.exe, microsoft-telemetry.at)
- T1055.001 Process Injection: Dynamic-link Library Injection (Donut loader for the in-memory .NET assembly)
Command and Control: 5 techniques, including
- T1008 Fallback Channels (22 C2 IPs, 8 domains, 10+ port options)
- T1071.001 Application Layer Protocol: Web Protocols (HTTPS C2 with certificate pinning)
- T1571 Non-Standard Port (ports 56001, 4782, 1337, 7777, 9090)
IOCs tracked for this family
47 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
- IPs, domains, and DNS infrastructure linked to this family.
- File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Remote access trojan that opens a persistent backdoor on port 56001, giving operators interactive access to the compromised machine. In this campaign it is delivered alongside LummaStealer and injected via process hollowing.
Primary remote access trojan in the campaign, delivered via a Donut-loaded .NET payload, using encrypted C2 communications, certificate pinning, and multiple fallback IPs and ports.
Sophisticated RAT delivered via phishing using fear-based lures and DLL side-loading; targets healthcare and pharma.
A newly identified remote access trojan (RAT) targeting healthcare and pharmaceutical organizations.