Hacking

QuimaRAT Java RAT Targets Windows Linux macOS

Published  ·  5 min read

QuimaRAT, which is a new form of Java-based Remote Access Trojan, can attack systems running on Windows, Linux, and macOS platforms. The malware is offered under a malware-as-a-service concept and comes in subscriptions, starting from $150 per one month to $1,200 for lifetime usage.

The malware was analyzed by LevelBlue and identified that it operates using a modular design. The Remote Access Trojan can expand capabilities dynamically using plugins that are encrypted and managed by its C&C infrastructure.

Furthermore, the malware writer provides a builder that is able to produce different types of outputs including JAR, EXE, APP, SH, BAT, and VBS. This is indicative of the efforts of the malware creator in helping clients package the client according to their environment.

The Seller's Claims

The seller guarantees full stealth operation on Windows and Linux operating systems with no presence of any user interface or desktop entries. On macOS, however, certain features like screen capture and input control require user-granted admin permissions.

Visiting the seller's website presents a disclaimer: the platform "provides offensive security tooling intended exclusively for professional security research, authorized penetration testing, and controlled educational environments." It warns against using it for "malicious, unauthorized, or illegal purposes."

The Toolset

The threat actor offers four tools:

  • Quima Control (QuimaRAT): A remote administration tool with 74 Windows modules and 46 macOS and Linux modules.
  • Quima Builder: A modular builder and launcher toolkit with support for XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM file formats.
  • Quima Loader: A browser-cache payload delivery service to stage and deliver the malware payload.
  • Quima Dropper: An HTML/SVG payload generator.

The Browser-Cache Delivery Chain

Quima Loader is particularly noteworthy. It allows an operator to upload an EXE file through a dedicated panel and select a delivery format (HTA or LNK) and a landing page template (fake CAPTCHA check or software update alerts). The tool generates a stager link.

When the victim opens the link in their browser, the following sequence occurs:

  • The landing page loads, and the payload is fetched and held in the browser cache.
  • A Download button appears on the page.
  • Clicking it saves a "small, clean loader file" trusted by the browser.
  • The target runs the loader, which reads the cached payload.
  • The main payload executes on the system, bypassing SmartScreen protections on Windows.

The author behind the Quima suite claims: "A RAT, a builder suite, a web loader, and an HTML dropper, each built around what Windows already trusts. Native execution paths, system-owned resources, clean outputs. AV sees nothing unusual. Neither does the user."

Technical Architecture

QuimaRAT is organized as a modular Java project built using Apache Maven. It contains embedded Java Native Access native libraries for Windows, Linux, and macOS across various architectures. It is responsible for decoding and parsing the internal configuration file that is required for validating the environment, installing persistence, and initializing the C2 connection.

The native modules enable the RAT to communicate directly with operating system APIs using C/C++ programming language.

Anti-Analysis and Resilience

Prior to the execution of the malicious software, it checks to make sure that there is just one instance being run. This malware creates a lock file in the temporary directory of the operating system and makes sure no other process can use it.

QuimaRAT checks for the name of the currently running OS to define its next steps, which include:

  • Evasion of sandboxed/virtualized environments
  • Persistence 
  • Main payload delivery

Additionally, the malware supports the execution of another embedded payload or a decoy application alongside the main RAT via a functionality known as Binder.

Methods of persistence differ based on the operating system used:

  • Windows: Registry Run keys, scheduled tasks, startup folder
  • Linux: .desktop autostart files, crontab reboot tasks
  • macOS: LaunchAgent plist file

Command and Control Communication

The QuimaRAT malware contains a configurable feature to allow for a dynamic rotation or replacement of the C2 network without needing to recompile the payload. The method used is Pastebin C2 server update.

The malware uses TCP, WebSockets, TLS, or HTTPS for C2 communication. A watchdog component ensures the channel remains active and reconnects if contact is lost.

Capabilities

QuimaRAT supports a wide range of capabilities:

  • Remote command execution
  • Remote payload and plugin delivery
  • Credential theft
  • Persistence
  • File transfer
  • Clipboard manipulation
  • Webcam surveillance
  • Fileless shellcode execution on Windows hosts
  • Resilient communication framework for persistent access

The Bottom Line

The QuimaRAT cross-platform malware-as-a-service campaign represents a polished commercial offering. A Java RAT with modular plugins. A builder for multiple output formats. A browser-cache delivery system that bypasses SmartScreen. Persistent access across every major operating system.

The seller claims it is for legitimate security research. The capabilities suggest otherwise.

Monitor for suspicious Java processes. Review persistence mechanisms. And treat browser-cache payload delivery as a new attack vector.

FAQ Section

What is QuimaRAT?

QuimaRAT is a Java-based cross-platform remote access trojan sold as malware-as-a-service. It targets Windows, Linux, and macOS.

How much does it cost?

There is a monthly subscription at the price of $150, while lifetime subscription costs $1,200. There are other options such as $300 for three months, $500 for six months, and $700 for twelve months.

What software does the suite contain?

The suite contains Quima Control (RAT), Quima Builder, Quima Loader (browser cache-based delivery tool), and Quima Dropper (HTML/SVG payload generator).

How does Quima Loader work?

It creates a stager URL. Once the victim clicks on the URL, the payload gets cached in the browser, a clean loader gets downloaded and the loader executes the cached payload.

What are the targets?

Windows, Linux, and macOS. The malware employs Java Native Access libraries for low-level OS API communication.

What should I do?

Keep an eye out for any suspicious java processes and also for any browser cache payload delivery lures like a false CAPTCHA page.

Source: The Hacker News
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067