Mastodon Mastodon Mastodon Mastodon

Inside QuimaRAT, a MaaS Java RAT for Windows, Linux and macOS

Photo of author

CyberSecureFox Editorial Team

Published:

Researchers at LevelBlue have identified a new cross-platform remote access trojan QuimaRAT, written in Java and targeting Windows, Linux and macOS. The malware is distributed under a malware-as-a-service (MaaS) model, with subscription prices ranging from $150 per month to $1,200 for lifetime access. QuimaRAT is not a single implant but an entire platform of four tools with a modular architecture, plug-in system and multiple persistence mechanisms. Organizations operating heterogeneous environments should review indicators of compromise and update their detection rules.

Architecture and technical characteristics

According to the LevelBlue analysis, QuimaRAT is built as a modular Java project based on Apache Maven. A key feature is the inclusion of Java Native Access (JNA) libraries for Windows, Linux and macOS across different processor architectures. These native components allow the trojan to interact with low-level operating system APIs via C/C++ code, enabling fully fledged multi-platform operation.

The modular architecture supports dynamic expansion of functionality through encrypted plug-ins that are delivered, loaded, unloaded and updated directly from the command-and-control (C2) infrastructure. According to the researchers, Quima Control (the main RAT component) includes 74 modules for Windows and 46 modules for macOS and Linux.

Before execution, QuimaRAT creates a lock file in the OS temporary directory to prevent multiple instances from running simultaneously. The trojan then determines the current operating system and, based on that, selects its sandbox and virtual machine evasion strategy, persistence mechanism and method for delivering the main payload.

Persistence mechanisms

QuimaRAT uses OS-specific persistence methods:

  • Windows: Run registry keys, Scheduled Tasks, Startup folder
  • Linux: .desktop autostart entries, crontab jobs tied to reboot
  • macOS: plist file in LaunchAgent

In addition, the trojan supports a Binder feature — when enabled in the configuration, an embedded secondary payload or decoy application is launched alongside the main RAT process.

C2 infrastructure and communications

QuimaRAT establishes a connection to the C2 server over TCP and also supports alternative channels: WebSocket, TLS and HTTPS. A built-in watchdog component monitors the activity of the communication channel and automatically restores the connection if it is lost. An internal shutdown state flag controls whether reconnection and recovery operations should continue after a shutdown mode has been triggered.

An optional mechanism for updating the C2 server address via Pastebin deserves special attention. This configuration-controlled feature enables the operator to dynamically change or rotate the C2 infrastructure without having to rebuild and redistribute the payload.

The Quima tool ecosystem

QuimaRAT is part of a broader ecosystem that includes four tools:

  • Quima Control — the primary remote access trojan
  • Quima Builder — a modular builder and launcher kit with support for XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL and CHM formats
  • Quima Loader — a payload delivery service via the browser cache with support for landing page templates (fake CAPTCHA checks, software update notifications)
  • Quima Dropper — a payload generator for HTML and SVG formats

The builder can generate output files in JAR, EXE, APP, SH, BAT and VBS formats, adapting the client to different environments and delivery scenarios. The pricing model includes intermediate tiers: $300 for three months, $500 for six months and $700 for a year.

The platform’s website includes a disclaimer stating that the tools are intended “solely for professional security research, authorized penetration testing and controlled educational environments.” Such disclaimers are typical for malware vendors and carry no legal weight.

Capabilities and functionality

According to LevelBlue, QuimaRAT supports a wide range of capabilities:

  • Remote command execution
  • Delivery of remote payloads and plug-ins
  • Credential theft
  • File transfer
  • Clipboard manipulation
  • Webcam surveillance
  • Fileless shellcode execution on Windows hosts

The researchers note indicators of ProGuard-style class obfuscation, Maven Shade relocation, preserved runtime symbols and synthetic string decryptors. All of this indicates that QuimaRAT is designed to rotate static signatures without changing its core behavior — a serious obstacle for traditional signature-based detection.

Indicators of compromise

The hash of a sample associated with QuimaRAT is available for inspection on VirusTotal:

  • SHA-256: bb0fbcb1e47ec04aa55555f3769fbc6f09694de1e9baae59260356b26b5af6a7

Impact assessment and recommendations

The cross-platform nature of QuimaRAT makes it potentially dangerous for organizations with heterogeneous infrastructure — especially companies that simultaneously use Windows workstations, Linux servers and Apple devices. The MaaS model lowers the barrier to entry for attackers: even low-skilled operators gain access to advanced tooling.

It should be taken into account that a number of claims about QuimaRAT’s capabilities (in particular, complete invisibility to antivirus software and bypassing SmartScreen) come from the vendor’s marketing materials and have not been independently verified. The real effectiveness of its detection evasion may differ from what is advertised.

For protection, it is recommended to:

  • Add the specified hash to EDR and SIEM detection rules
  • Monitor the creation of lock files in OS temporary directories in combination with network connections to atypical external hosts
  • Monitor unusual autostart entries: Run registry keys, .desktop files, crontab entries and LaunchAgent plist files
  • Track access to Pastebin from the corporate network — such traffic may indicate use of the C2 update mechanism
  • Block execution of JAR files from untrusted sources and limit use of Java Runtime Environment on workstations where it is not required
  • Inspect outbound TCP connections as well as WebSocket and HTTPS traffic for anomalous patterns characteristic of C2 communications

QuimaRAT exemplifies a growing trend toward creating fully fledged malicious platforms with a service-based distribution model. The key actions for security teams now are to integrate the published indicator of compromise into detection systems, strengthen monitoring of autostart mechanisms on all three platforms, and restrict uncontrolled execution of Java applications in the corporate environment.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.