Researchers Detail Java-Based QuimaRAT Malware Platform for Windows, Linux, and macOS
Cybersecurity researchers have identified a new remote access trojan called QuimaRAT that is written in Java and designed to operate across Windows, Linux, and macOS systems. According to an analysis...
Cybersecurity researchers have identified a new remote access trojan called QuimaRAT that is written in Java and designed to operate across Windows, Linux, and macOS systems. According to an analysis from LevelBlue, the malware is being sold as a malware-as-a-service offering, with subscription prices ranging from $150 for a month of access to $1,200 for a lifetime license.
The researchers say QuimaRAT is built as a modular platform that can load encrypted plugins from its command-and-control infrastructure. The operator also advertises a builder that can produce several file types, including JAR, EXE, APP, SH, BAT, and VBS, suggesting the service is meant to support a variety of delivery methods and victim environments.
Platform and delivery features
In addition to the main RAT, the seller promotes a small toolkit under the Quima name that includes a builder, a loader, and a dropper. One notable component uses a browser-cache delivery technique: a victim visits a landing page, the payload is stored in the browser cache, and a separate small file is downloaded to fetch and run the cached malware later. The campaign pages may impersonate common lures such as CAPTCHA checks or software update prompts.
- Cross-platform support for Windows, Linux, and macOS
- Subscription-based pricing with multiple tiers
- Modular plugins delivered from C2 servers
- Persistence mechanisms tailored to each operating system
LevelBlue says the codebase appears to be a Java project built with Apache Maven and includes native libraries through Java Native Access to interact with low-level operating system functions. The malware also checks for existing instances before running, uses a lock file to avoid duplicate execution, and can attempt to detect sandboxed or virtualized environments.
Once active, QuimaRAT can maintain persistence through registry keys, scheduled tasks, startup folders, Linux autostart files, cron entries, and macOS LaunchAgents. It can communicate with its operators over TCP, WebSocket, TLS, or HTTPS, and includes a watchdog mechanism to reconnect if the link is lost.
The malware’s capabilities include remote command execution, file transfer, clipboard manipulation, credential theft, webcam access, and plugin delivery. Researchers also noted support for fileless shellcode execution on Windows and signs of obfuscation intended to make static detection harder.
