Update: ResolverRAT: Advanced Memory-Resident Malware Targets Healthcare and Pharma
ResolverRAT is a newly identified remote access trojan, first observed in March 2025, that has emerged as a distinct and sophisticated threat. It specifically targets healthcare and pharmaceutical organizations, using regionally tailored phishing emails to gain initial access. The lures are written in several languages and typically reference copyright violations or legal issues to pressure the recipient into opening a bundled file. Infection begins with DLL side-loading: a decoy application loads a hidden [.]NET-based loader that is designed to avoid detection. The loader decrypts the final payload and executes it entirely in memory; the payload is never written to disk, which puts it out of reach of file-based endpoint scanning. Its encryption routines use AES-256 with keys that are reconstructed only at runtime, and its control flow is heavily obfuscated, making static reverse engineering laborious. ResolverRAT also abuses the [.]NET runtime's ResourceResolve event: by registering a handler for it, the loader can return the decrypted payload assembly from memory when the runtime asks for a resource, so the payload is loaded without altering any file headers or triggering the indicators that conventional injection detections look for.
For persistence, the malware copies itself into multiple directories and scatters up to 20 heavily obfuscated registry entries, so that it survives reboots and no single cleanup step removes it. Command-and-control traffic uses a custom protocol over common ports to blend in with normal traffic; the client pins its certificate to defeat TLS inspection and rotates IP addresses frequently, so it keeps connectivity even when its primary infrastructure is blocked. For data theft it serializes data with Google Protocol Buffers and transfers stolen files in small chunks, checking that the socket is ready before each send to reduce the chance of detection. It is multi-threaded, so it can execute tasks in parallel while staying responsive and stable. Although it shares some distribution methods with other known info-stealers, its execution chain, memory-resident payload and evasion techniques mark it as a distinct malware family.
Its targeting of high-value sectors with strong persistence and stealth capabilities makes ResolverRAT a high-priority concern for defenders.
JokerOTP Takedown: Law Enforcement Dismantles Major Phishing Operation
Authorities in the U.K. and the Netherlands have dismantled JokerOTP, a cybercrime platform linked to more than 28,000 phishing attacks across 13 countries. A 24-year-old man in Middlesbrough and a 30-year-old man in the Netherlands were arrested in coordinated raids, the culmination of a three-year investigation led by the U.K.'s Cleveland Police with support from the National Crime Agency (NCA), Europol and Dutch law enforcement. Dutch police joined the probe in 2024 and provided intelligence that contributed to the arrests.
The platform let criminals intercept one-time passcodes and personal information from victims, which were then used to bypass multi-factor authentication and drain financial accounts. Losses tied to JokerOTP are estimated at £7.5 million, with thousands of victims across banking and other online services. Investigators believe the operation enabled large-scale fraud by offering a ready-made phishing service to criminals with limited technical skills: its bot services captured authentication codes from victims in real time, so that the criminal could use them to impersonate the victim before the codes expired.
The takedown also involved working with hosting providers to take the infrastructure offline and prevent continued use. Authorities have warned JokerOTP's users that they are under investigation, and further arrests are expected. The operation reflects growing cooperation between international agencies against the infrastructure behind fraud-as-a-service, and officials are urging anyone affected or involved to come forward, stressing that law enforcement is pursuing the users of these platforms, not only the developers behind them.
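The reason a relayed one-time passcode defeats MFA, and what does resist it, in an added illustration that is not part of the original item and has nothing to do with JokerOTP's own code: a standard RFC 4226/6238 TOTP verifier accepts a code forwarded by a bot seconds after the victim typed it into a phishing page, while an authenticator that signs the origin it is actually talking to (the WebAuthn model, stood in for here with an HMAC rather than a real public-key signature) produces an assertion the real site rejects. The bank, the phishing origin and all keys are constructed.

```python
"""Real-time OTP relay versus an origin-bound authenticator. Added example:
the 'bank', the phishing bot and every key below are constructed."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, int(now // step))


class OtpBank:
    """Verifies TOTP codes; each 30 s window may be consumed only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def verify_otp(self, code: str, now: float) -> bool:
        step = int(now // 30)
        if step <= self.last_step:  # replay of an already-used window
            return False
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False
        self.last_step = step
        return True


def simulate_otp_relay(secret: bytes = b"constructed shared secret",
                       t0: float = 1_700_000_010.0) -> bool:
    """The phishing-bot flow: the victim types the live code into the phishing
    page and the bot forwards it to the real site a few seconds later.
    Returns whether the bank accepted the relayed code."""
    bank = OtpBank(secret)
    stolen_code = totp(secret, t0)               # shown on the victim's authenticator
    return bank.verify_otp(stolen_code, t0 + 5)  # forwarded inside the 30 s window


# --- origin-bound alternative -------------------------------------------------
BANK_ORIGIN = "https://bank.example"                 # constructed
PHISH_ORIGIN = "https://bank-secure-login.example"   # constructed look-alike


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a FIDO2/WebAuthn assertion: the signed data includes the
    origin the browser is actually on, so a relayed assertion will not verify.
    (A real authenticator uses a per-site key pair, not a shared HMAC key.)"""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class OriginBoundBank:
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        if challenge not in self.outstanding:  # unknown or already-used challenge
            return False
        self.outstanding.discard(challenge)
        expected = sign_assertion(self.key, challenge, BANK_ORIGIN)
        return hmac.compare_digest(assertion, expected)


def simulate_origin_bound_relay(key: bytes = b"constructed authenticator key") -> bool:
    """Same relay, but the victim's authenticator binds the assertion to the
    phishing origin it is really on, so the forwarded assertion fails."""
    bank = OriginBoundBank(key)
    challenge = bank.new_challenge()                          # bot fetches a real challenge
    relayed = sign_assertion(key, challenge, PHISH_ORIGIN)    # victim signs it on the phishing page
    return bank.verify(challenge, relayed)


if __name__ == "__main__":
    print("TOTP relay accepted by bank:", simulate_otp_relay())
    print("origin-bound relay accepted by bank:", simulate_origin_bound_relay())
```

The single-use check in OtpBank stops a code from being used twice, but it cannot tell the bot's request from the victim's because the code carries no information about where it was typed; only binding the credential to the origin closes that gap.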
Update: Spike in Malicious Git Scanning Exposes Widespread Risks to Development Infrastructure
Threat intelligence data from GreyNoise has revealed an aggressive new wave of reconnaissance against exposed .git directories on public-facing web servers. On April 20 and 21, more than 4,800 unique IP addresses were seen requesting Git configuration files, a record spike that signals growing attacker interest in developer infrastructure. A .git directory that is reachable from the web exposes repository URLs, internal branch names and development workflows, and the commit history can contain hard-coded credentials or access tokens that were deleted in a later commit but never rotated. Directory listing does not need to be enabled for this to work: the files Git creates have fixed names (.git/config, .git/HEAD, .git/index and the objects and pack files they reference), so a scanner fetches them one by one and reconstructs the repository offline. That gives attackers what they need to clone the codebase, reverse engineer internal systems and plan follow-on attacks precisely. Unlike broad opportunistic scanning, this activity is deliberate, recurring and focused on high-value developer assets that are often overlooked in routine security reviews.
Analysis of the scanning shows that most of the malicious IPs sit in large cloud and hosting networks such as Cloudflare, Amazon and DigitalOcean, indicating disposable infrastructure used to automate and distribute the reconnaissance. Singapore was both the top source and the top target, followed by the U.S., Germany, the U.K. and India. The global distribution and intensity suggest organized actors mapping vulnerable Git repositories across regions to find soft targets at scale. GreyNoise noted this is the fourth such spike since late 2024, each larger than the last.
The risk goes beyond code theft: attackers can harvest exposed credentials, tamper with DevOps pipelines or plant malicious code if the access goes unnoticed. Organizations should audit their web server configurations now to make sure .git directories are never served, deploy built artifacts rather than a checked-out working copy, monitor logs for repeated probing of .git paths, and rotate any credentials that may have been exposed through a misconfigured repository.
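Two of the checks recommended above, as an added example that is not GreyNoise's tooling or code from the original item: a parser that pulls .git probes out of combined-format access logs per source IP and flags the ones the server actually answered with a 2xx (the difference between being scanned and being exposed), and a check of what a leaked .git/config hands over in a single request. The log lines, IP addresses and the config text are constructed for the example.

```python
"""Detecting .git probes in web-server access logs, and checking what an exposed
.git/config would hand over. Added example; the log lines and config below are
constructed, not taken from GreyNoise or any real server."""
import re
from urllib.parse import unquote

# Constructed sample in Apache/nginx "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [20/Apr/2025:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [20/Apr/2025:10:01:04 +0000] "GET /%2Egit/HEAD HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [20/Apr/2025:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Apr/2025:10:05:44 +0000] "GET /.git/config HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.23 - - [20/Apr/2025:10:05:45 +0000] "GET /.git/index HTTP/1.1" 200 20480 "-" "curl/8.4.0"
192.0.2.50 - - [20/Apr/2025:10:07:00 +0000] "GET /app/.git/config?x=1 HTTP/1.1" 403 199 "-" "Go-http-client/1.1"
198.51.100.9 - - [20/Apr/2025:10:08:30 +0000] "GET /.gitignore HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Constructed .git/config with a credential embedded in the remote URL.
SAMPLE_CONFIG = """\
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://deploy:not-a-real-token@github.com/example-org/internal-app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# /.git, /.git/... and /app/.git/..., but not /.gitignore
GIT_DIR_RE = re.compile(r'(?:^|/)\.git(?:/|$)')


def normalize_path(target: str) -> str:
    """Drop the query string and decode percent-encoding so that
    /%2Egit/HEAD is recognised as a .git probe too."""
    return unquote(target.split("?", 1)[0])


def find_git_probes(log_text: str) -> dict:
    """Per source IP: how many .git requests, which paths, and which of them
    the server answered with 2xx (i.e. repository data actually left)."""
    probes = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = normalize_path(m["target"])
        if not GIT_DIR_RE.search(path):
            continue
        entry = probes.setdefault(m["ip"], {"requests": 0, "paths": [], "served": []})
        entry["requests"] += 1
        entry["paths"].append(path)
        if m["status"].startswith("2"):
            entry["served"].append(path)
    return probes


CRED_URL_RE = re.compile(
    r'url\s*=\s*https?://(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@(?P<host>[^/\s]+)'
)


def exposed_credentials(config_text: str) -> list:
    """(user, host) pairs for credentials embedded in remote URLs of a
    .git/config; these leak on the very first request a scanner makes."""
    return [(m["user"], m["host"]) for m in CRED_URL_RE.finditer(config_text)]


if __name__ == "__main__":
    for ip, info in find_git_probes(SAMPLE_LOG).items():
        state = "EXPOSED" if info["served"] else "probed only"
        print(f"{ip}: {info['requests']} .git request(s), {state}: {info['paths']}")
    for user, host in exposed_credentials(SAMPLE_CONFIG):
        print(f"credential for {user}@{host} sits in .git/config; rotate it")
```

A 404 or 403 on these paths means the probe was seen but nothing was served; a 200 on .git/config or .git/index is the signal to treat the repository as cloned and start rotating secrets. On the server side a blanket deny on any path containing /.git (for nginx, a `location ~ /\.git { deny all; }` block) is simpler than trying to hide individual files, and deploying a build output instead of a checked-out working copy removes the directory altogether.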