**New Article: QuimaRAT – A Cross‑Platform Java‑Based Remote Access Trojan Offered as a MaaS**
Security researchers have identified a new Java‑based remote access trojan (RAT) named QuimaRAT that targets Windows, Linux, and macOS systems. The malware is being promoted through a malware‑as‑a‑service (MaaS) model, with subscription pricing ranging from $150 for one month up to $1,200 for lifetime access, and intermediate tiers such as $300 for three months, $500 for six months, and $700 for twelve months.
According to analysis by LevelBlue, QuimaRAT is built on a modular architecture that supports dynamic capability expansion via encrypted plugins delivered, loaded, unloaded, and updated directly from its command‑and‑control (C2) infrastructure. The author also provides a builder capable of generating multiple output formats—including JAR, EXE, APP, SH, BAT, and VBS—allowing customers to tailor the client for different environments and delivery scenarios.
The seller claims complete stealth on Windows and Linux, with no visible user interface elements or desktop entries. On macOS, some features such as screen capture and input control require user‑granted administrative permissions. The threat actor’s website disclaims that the platform is intended exclusively for professional security research, authorized penetration testing, and controlled educational environments, while warning against malicious, unauthorized, or illegal use.
Four tools are offered as part of the Quima suite:
– **Quima Control** (the RAT itself), with 74 Windows modules and 46 macOS/Linux modules
– **Quima Builder**, a modular builder and launcher toolkit supporting formats such as XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM
– **Quima Loader**, a browser‑cache payload delivery service that stages and delivers malware payloads via stagers hosted on fake CAPTCHA pages or software‑update alerts
– **Quima Dropper**, an HTML/SVG payload generator
Quima Loader is particularly notable for its ability to fetch a payload into the browser cache, display a fake Download button, save a trusted “clean loader file,” and then execute the main payload while bypassing SmartScreen protections on Windows.
LevelBlue notes that QuimaRAT is organized as a modular Java project built with Apache Maven, incorporating embedded Java Native Access (JNA) native libraries for Windows, Linux, and macOS across various architectures. An internal configuration file is decoded and parsed to handle environment validation, persistence installation, and C2 initialization. These native components enable direct interaction with low‑level operating system APIs, suggesting intentional broad multi‑platform support.
Before execution, the malware ensures only a single instance runs on the infected machine by creating an OS‑level lock file in the temporary directory and terminating any competing instance. It determines the operating system name to guide subsequent actions, including evasion of sandboxed or virtual environments, persistence establishment, and payload delivery. An optional “Binder” feature allows execution of an additional embedded payload or decoy application.
Persistence is established through OS‑specific mechanisms: Registry Run keys, Scheduled tasks, and the Startup folder on Windows; .desktop autostart entries, crontab reboot tasks, and LaunchAgent plist files on Linux and macOS. The Trojan also includes an optional Pastebin‑based C2 host update mechanism, allowing operators to rotate or replace C2 infrastructure without rebuilding or redistributing the payload.
QuimaRAT communicates with the C2 server over TCP, WebSocket, TLS, or HTTPS, and includes a watchdog component to maintain channel activity and reconnect if the connection is lost. An internal shutdown state flag enables the RAT to cease networking, reconnections, and recovery operations when activated.
The malware supports a wide range of capabilities, including remote command execution, remote payload and plugin delivery, credential theft, persistence, file transfer, clipboard manipulation, and webcam surveillance. It also facilitates fileless shellcode execution on Windows hosts and employs a resilient communication framework for persistent access. Researchers emphasize that QuimaRAT should be viewed as a modular Java RAT platform rather than a single static implant, with obfuscation, relocated Maven dependencies, preserved runtime symbols, and synthetic string decryptors all designed to rotate static fingerprints without altering core behavior.
—
**Source:**
Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that’s capable of targeting Windows, Linux, and macOS environments. *LevelBlue*. Retrieved from the original article: https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVcOvCD8qFylCqOCpN8Rnl9cnxNkIeGxNbVKzlsKXY_7Nuw2xvYsckNEHKVM5ntvT2JAureArFIyApOvGLu52wpCG1xbHO8Y5xBmOAkSI3RoyEegmlNxs_gJip32Uzv_inXS7seOeRB1d3mw9SNIggoqgIApupRF2etBx5U_IFkuQz4_WNBL0Q1oi1l77q/s1600/javarat.jpg



