Full Report
Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that's capable of targeting Windows, Linux, and macOS environments. According to LevelBlue, the cross-platform malware is advertised under a malware-as-a-service (MaaS) model, costing anywhere between $150 for one month to $1,200 for lifetime access. Other subscription tiers include $300 for
Analysis Summary
This summary is based on the cybersecurity research provided regarding QuimaRAT and its associated suite of tools.
# Tool/Technique: QuimaRAT (and the Quima Suite)
## Overview
QuimaRAT is a cross-platform, Java-based Remote Access Trojan (RAT) sold under a Malware-as-a-Service (MaaS) model. It is designed for modularity, allowing operators to deploy various encrypted plugins for specific tasks across Windows, macOS, and Linux environments. The suite includes builders, loaders, and droppers specifically designed to bypass modern browser and operating system security controls.
## Technical Details
- **Type:** Malware Family (RAT / MaaS)
- **Platform:** Windows, macOS, Linux (Arm64/x64 architectures)
- **Capabilities:** Modular architecture, cross-platform compatibility via Java/JNA, persistence, sandbox evasion, and dynamic plugin loading.
- **First Seen:** July 2026 (Reported date)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link] (Via Quima Loader stager links)
- **[TA0002 - Execution]**
- [T1059.005 - Command and Scripting Interpreter: Visual Basic]
- [T1204.002 - User Execution: Malicious File]
- **[TA0003 - Persistence]**
- [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0005 - Defense Evasion]**
- [T1497 - Virtualization/Sandbox Evasion] (Checks environment before full execution)
- [T1027.002 - Obfuscation: Software Packing] (Encrypted plugins)
- [T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass] (Quima Loader mechanics)
- **[TA0011 - Command and Control]**
- [T1071.001 - Application Layer Protocol: Web Protocols] (C2 communication)
## Functionality
### Core Capabilities
- **Multi-Platform Support:** Uses Java Native Access (JNA) to interact with low-level OS APIs on Windows, Linux, and macOS.
- **Modular Delivery:** Supports 74 modules for Windows and 46 modules for macOS/Linux.
- **Single Instance Check:** Uses a lock file in the system temp directory to ensure only one instance runs at a time.
- **Environment Validation:** Identifies the OS and checks for sandboxes/VMs before proceeding with infection.
### Advanced Features
- **Quima Loader:** A browser-cache delivery service that stages payloads in the browser to bypass SmartScreen and "untrusted file" warnings.
- **Quima Builder:** Generates multiple file formats (JAR, EXE, SH, LNK, XLL) to tailor the attack to the target environment.
- **Dynamic Plugin Loading:** Encrypted plugins can be loaded, unloaded, or updated directly from the C2 infrastructure without redistributing the main client.
## Indicators of Compromise
- **File Hashes (SHA256):** `bb0fbcb1e47ec04aa55555f3769fbc6f09694de1e9baae59260356b26b5af6a7` (QuimaRAT Sample)
- **File Names:** `QuimaControl.jar`, `loader.exe`, various stager files (e.g., `.lnk`, `.hta`, `.vbs`).
- **Behavioral Indicators:** Creation of a unique lock file in the OS temporary directory; Java processes making unexpected outbound network connections.
## Associated Threat Actors
- **Status:** Unnamed/Emerging. The malware is currently attributed to a developer selling the suite on "offensive security" forums under a MaaS model.
## Detection Methods
- **Behavioral Detection:** Monitoring for the execution of Java processes that interact with native OS APIs (JNA) unexpectedly or attempt to modify registry run keys.
- **Network Monitoring:** Inspecting traffic for connections to known C2 domains or unusual encrypted traffic over HTTP/S.
- **Lock File Monitoring:** Detecting the creation of specific Mutex-like files in the `/tmp` or `%TEMP%` directories.
## Mitigation Strategies
- **Endpoint Hardening:** Disable unnecessary script interpreters (VBS, JS, PowerShell) and restrict the execution of JAR files by end-users.
- **Browser Security:** Implement strict download policies and educate users on the risks of "Fake CAPTCHA" or "Update" prompts.
- **Access Control:** Enforce the principle of least privilege; QuimaRAT explicitly notes that macOS administrative features require user-granted permissions.
## Related Tools/Techniques
- **AdWind / JSocket:** Previous examples of high-profile Java-based cross-platform RATs.
- **HTML Smuggling:** Technique similar to that used by Quima Dropper for delivering payloads via SVG/HTML.