Full Report
Remote access trojans (RATs) are legacy threats that continue to evolve alongside an expanding and ever-changing threat landscape. Following our recently published articles about novel and notable RATs, including KarstoRAT, the latest version of ClickFix, and ClickFix’s macOS variant, we analyzed QuimaRAT, a novel Java-based RAT that targets Windows, Linux, and macOS environments and is currently being sold on the dark web as a subscription-based RAT platform.
Analysis Summary
# Tool/Technique: QuimaRAT
## Overview
QuimaRAT is a novel, cross-platform Remote Access Trojan (RAT) written in Java. It is currently marketed as a Malware-as-a-Service (MaaS) offering on dark web forums. The malware is designed for high modularity, utilizing the Java Virtual Machine (JVM) to target Windows, Linux, and macOS environments simultaneously. It is characterized by its sophisticated evasion techniques, tiered subscription pricing, and extensive command protocol.
## Technical Details
- **Type:** Malware Family (Remote Access Trojan)
- **Platform:** Windows, Linux, and macOS (Multi-platform via Java SE 8)
- **Capabilities:** Information theft, remote execution, modular plugin loading, persistence, and anti-analysis.
- **First Seen:** Publicly documented June 2026 (Advertised as v2.0).
## MITRE ATT&CK Mapping
- **[TA0002 - Execution]**
  - [T1059 - Command and Scripting Interpreter]
  - [T1203 - Exploitation for Client Execution]
- **[TA0003 - Persistence]**
  - [T1547 - Boot or Logon Autostart Execution]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1497 - Virtualization/Sandbox Evasion]
  - [T1140 - Deobfuscate/Decode Files or Information]
- **[TA0011 - Command and Control]**
  - [T1071 - Application Layer Protocol]
  - [T1573 - Encrypted Channel]
## Functionality
### Core Capabilities
- **Cross-Platform Compatibility:** Uses Java and embedded Java Native Access (JNA) libraries specific to various architectures (x86/x64) and OS types.
- **Configuration Management:** Employs an encrypted internal `config.dat` file decrypted via a repeating-key XOR routine at runtime.
- **Single Instance Verification:** Prevents multiple infections on one host by creating and locking a `.lock` file in the OS temporary directory using `FileLock`.
- **C2 Communication:** Utilizes standard `HANDSHAKE` and `HEARTBEAT` commands to maintain persistent connection resilience.
### Advanced Features
- **Highly Modular Architecture:** Built using Apache Maven with multiple `pom.xml` files, allowing for "70+ modules" as advertised by the developer.
- **Anti-Analysis:** Performs OS-specific checks for virtualization and sandbox environments prior to full execution.
- **Massive Command Set:** Features 23 fully implemented core commands and 212 protocol-only reserved commands, suggesting significant scalability for fileless payloads and runtime module injections.
- **Encryption:** Adverts claim the use of AES-256 for secure data transmission.
## Indicators of Compromise
- **File Hashes:** *(Note: Specific MD5/SHA256 hashes were not provided in the source text; analysis of the JAR is required)*.
- **File Names:**
  - `config.dat` (Encrypted configuration embedded in the JAR)
  - `.lock` (Created in the OS temp directory for instance locking)
- **Network Indicators:**
  - Encrypted C2 traffic (reported as using AES-256).
  - C2 Servers: [hxxps://<defanged_C2_host>]
- **Behavioral Indicators:**
  - High volume of JNA library extraction to temporary folders.
  - Repeated attempts to access/lock files in the system's temporary directory.
  - OS-specific persistence registry keys or startup script modifications.
## Associated Threat Actors
- Sold as a platform on Dark Web forums; used by various individual affiliates under the **Malware-as-a-Service (MaaS)** model.
## Detection Methods
- **Behavioral Detection:** Monitor for JAR files attempting to lock files in localized temporary directories or performing unexpected environmental checks (system discovery).
- **Network Detection:** Identify non-standard encrypted traffic originating from Java processes.
- **Signature-based:** Detection of Java Native Access (JNA) libraries bundled within suspicious JAR archives.
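As an added triage example (not code from the report or from the malware), the script below applies the signature-based check above to a JAR archive: it flags bundled JNA native stubs together with an embedded `config.dat`, and, when an analyst supplies a key recovered during analysis, decodes the configuration with the repeating-key XOR routine described under Core Capabilities. The sample JAR, the key `example-key`, and the configuration contents are constructed for the demonstration; the JNA path layout assumed is JNA's usual `com/sun/jna/<platform>/[lib]jnidispatch.*`.

```python
"""Static triage of a JAR for the QuimaRAT file indicators (constructed sample data)."""
import io
import re
import zipfile
from typing import Optional

# JNA bundles its native stub per platform under com/sun/jna/<platform>/ (assumed layout)
JNA_NATIVE_RE = re.compile(r"^com/sun/jna/[^/]+/(lib)?jnidispatch\.(so|dll|dylib|jnilib)$")
CONFIG_NAME = "config.dat"


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same routine encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def triage_jar(jar_bytes: bytes, config_key: Optional[bytes] = None) -> dict:
    """Return JNA native stubs found, whether config.dat is embedded, and (if a
    recovered key is supplied) the decoded configuration text."""
    findings = {"jna_native_libs": [], "has_config_dat": False, "config_plaintext": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if JNA_NATIVE_RE.match(name):
                findings["jna_native_libs"].append(name)
            elif name.endswith(CONFIG_NAME):
                findings["has_config_dat"] = True
                if config_key is not None:
                    plain = xor_repeating_key(zf.read(name), config_key)
                    findings["config_plaintext"] = plain.decode("utf-8", "replace")
    # Both indicators together are the signature the report describes
    findings["suspicious"] = bool(findings["jna_native_libs"]) and findings["has_config_dat"]
    return findings


def build_sample_jar(config_key: bytes) -> bytes:
    """Constructed sample JAR (not a real artefact) carrying both file indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr("com/sun/jna/win32-x86-64/jnidispatch.dll", b"MZ placeholder")
        zf.writestr("com/sun/jna/linux-x86-64/libjnidispatch.so", b"\x7fELF placeholder")
        # Constructed configuration with a placeholder C2, XOR-encoded like config.dat
        zf.writestr(CONFIG_NAME, xor_repeating_key(b"c2=placeholder.invalid:4444\n", config_key))
    return buf.getvalue()


if __name__ == "__main__":
    key = b"example-key"  # hypothetical key, assumed recovered by the analyst
    print(triage_jar(build_sample_jar(key), key))
```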
## Mitigation Strategies
- **Runtime Hardening:** Only allow signed Java applications and restrict access to the Java Runtime Environment (JRE) to necessary business applications.
- **Endpoint Protection:** Use EDR solutions capable of inspecting Java process memory and detecting fileless payload execution.
- **Network Filtering:** Restrict outbound traffic to known-good domains and monitor for unusual encrypted payloads on standard ports.
## Related Tools/Techniques
- **KarstoRAT:** Another novel RAT recently analyzed for its stealth.
- **ClickFix:** Known for multi-platform delivery via social engineering.
- **AdWind / Jrat:** Legacy Java-based cross-platform RATs with similar modular architectures.