QuimaRAT: A New Cross-Platform Java RAT Emerges as a MaaS Offering
A sophisticated new Java-based Remote Access Trojan (RAT) dubbed **QuimaRAT** is now available on the cybercrime market as a Malware-as-a-Service (MaaS) offering. This highly modular threat targets Windows, Linux, and macOS environments, featuring a robust set of capabilities for persistent access and comprehensive system control. Cybersecurity researchers at **LevelBlue** have detailed its advanced evasion techniques and multi-platform deployment design.
Cybersecurity researchers have uncovered **QuimaRAT**, a novel Java-based remote access trojan (RAT) engineered to operate across Windows, Linux, and macOS environments.
**LevelBlue** reports that this cross-platform malware is being actively advertised under a Malware-as-a-Service (MaaS) model. Pricing ranges from $150 for a one-month subscription to $1,200 for lifetime access, with intermediate tiers available for three, six, and twelve months.
"Built around a modular architecture, the RAT supports dynamic capability expansion through encrypted plugins that can be delivered, loaded, unloaded, and updated directly from its command-and-control (C2) infrastructure," the cybersecurity company stated in its analysis.
### Modular Design and Multi-Platform Reach
The malware author also offers a builder capable of generating multiple output formats, including JAR, EXE, APP, SH, BAT, and VBS. This flexibility allows prospective customers to tailor the client for various environments and delivery scenarios.
The seller guarantees complete stealth on Windows and Linux, noting the absence of visible user interface elements or desktop entries. However, on macOS, the threat actor includes a caveat: features like screen capture and input control necessitate user-granted admin permissions.
Visitors to the **QuimaRAT** website are met with a pop-up message claiming the platform provides "offensive security tooling intended exclusively for professional security research, authorized penetration testing, and controlled educational environments," warning against its use for "malicious, unauthorized, or illegal purposes."
### The Quima Suite: Four Potent Tools
The threat actor offers a suite of four distinct tools:
* **Quima Control** (aka **QuimaRAT**), a remote administration tool boasting 74 Windows and 46 macOS and Linux modules.
* **Quima Builder**, a modular builder and launcher toolkit supporting XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM file formats.
* **Quima Loader**, a browser-cache payload delivery service designed to stage and deliver the malware payload.
* **Quima Dropper**, an HTML/SVG payload generator.
**Quima Loader** is particularly notable. It enables an operator to upload an EXE file via a dedicated panel and select a delivery format (e.g., HTA or LNK) and a landing page template (e.g., fake CAPTCHA check or software update alerts). This process generates a stager link that, when opened by a victim, initiates a sequence of actions:
1. The landing page loads, and the payload is fetched and held in the browser cache.
2. A download button appears.
3. Clicking it saves a "small, clean loader file" that is trusted by the browser.
4. The victim runs the loader, which reads the cached payload.
5. The main payload executes on the system, bypassing **SmartScreen** protections on Windows.
"A RAT, a builder suite, a web loader, and an HTML dropper β each built around what Windows already trusts," the author behind the **Quima** suite claims. "Native execution paths, system-owned resources, clean outputs. AV [antivirus] sees nothing unusual. Neither does the user."

### Technical Deep Dive and Evasion
**LevelBlue**'s analysis indicates that **QuimaRAT** is structured as a modular Java project built with **Apache Maven**. It incorporates embedded **Java Native Access (JNA)** native libraries for Windows, Linux, and macOS across various architectures. The malware decodes and parses an internal configuration file vital for environment validation, persistence installation, and C2 initialization.
Researchers Chen Aviani and Nikita Kazymirskyi noted, "These native components allow the RAT to interact directly with low-level operating system APIs through C/C++ code, indicating intentional support for broad multi-platform deployment."
Before execution, the malware ensures only one instance is running by creating a lock file in the operating system's temporary directory. If another instance holds the lock, it terminates execution.
**QuimaRAT** determines the current operating system to dictate its actions, including evading sandboxed and virtual environments, establishing persistence, and delivering the main payload. It also supports executing an additional embedded payload or decoy application if the "Binder" functionality is enabled.
Persistence is achieved using OS-specific methods:
* **Windows**: Registry Run keys, Scheduled tasks, and the Startup folder.
* **Linux**: .desktop autostart entries and crontab reboot tasks.
* **macOS**: A LaunchAgent plist file.
The Trojan also features an optional **Pastebin**-based C2 host update mechanism, allowing operators to dynamically rotate or replace C2 infrastructure without rebuilding and redistributing the payload.
### Comprehensive Control and Resilient Communication
The primary objective of **QuimaRAT** is to establish communication with its C2 server over TCP (or alternately via WebSocket, TLS, and HTTPS) to receive and execute commands. A watchdog component ensures the channel remains active, reconnecting if contact is lost.
"**QuimaRAT** maintains an internal shutdown state flag used to control whether the RAT should continue performing networking, reconnect, watchdog, and recovery operations," the researchers explained. "This mechanism allows **QuimaRAT** to stop reconnecting, watchdog, and communication recovery operations after shutdown mode is activated."
The malware offers a broad spectrum of capabilities, including remote command execution, remote payload and plugin delivery, credential theft, file transfer, clipboard manipulation, and webcam surveillance, providing attackers extensive control over infected systems.
Beyond these standard RAT features, **QuimaRAT** facilitates fileless shellcode execution on Windows hosts and boasts a resilient communication framework for persistent access.
**LevelBlue** concludes, "**QuimaRAT** should be viewed as a modular Java RAT platform rather than a single static implant. ProGuard-class obfuscation indicators, Maven Shade relocation, preserved runtime symbols, and synthetic string decryptors further support the assessment that **QuimaRAT** is designed to rotate static fingerprints without changing its core behavior."