
Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that's capable of targeting Windows, Linux, and macOS environments.
According to LevelBlue, the cross-platform malware is advertised under a malware-as-a-service (MaaS) model, costing anywhere between $150 for one month to $1,200 for lifetime access. Other subscription tiers include $300 for three months, $500 for six months, and $700 for twelve months.
"Built around a modular architecture, the RAT supports dynamic capability expansion through encrypted plugins that can be delivered, loaded, unloaded, and updated directly from its command-and-control (C2) infrastructure," the cybersecurity company said in an analysis of the malware.
The malware author also advertises a builder capable of generating multiple output formats, including JAR, EXE, APP, SH, BAT, and VBS, indicating an attempt to help prospective customers package the client tailored for different environments and delivery scenarios.
The seller's post guarantees complete stealth on Windows and Linux, noting there are no visible user interface elements or desktop entries. On macOS, however, the threat actor includes a caveat that certain features like screen capture and input control require "user-granted admin permissions."
Visiting their website, users are greeted by a pop-up message that states the platform "provides offensive security tooling intended exclusively for professional security research, authorized penetration testing, and controlled educational environments," warning them against using it for "malicious, unauthorized, or illegal purposes."
In all, the threat actor offers four tools -
- Quima Control (aka QuimaRAT), a remote administration tool with 74 Windows and 46 macOS and Linux modules
- Quima Builder, a modular builder and launcher toolkit with support for XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM file formats
- Quima Loader, a browser-cache payload delivery service to stage and deliver the malware payload
- Quima Dropper, an HTML/SVG payload generator
Quima Loader, particularly, is noteworthy, as it allows an operator to upload an EXE file through a dedicated panel and select a delivery format (e.g., HTA or LNK) and a landing page template (e.g., fake CAPTCHA check or software update alerts), after which the tool generates a stager link that, when opened by the victim in the browser, initiates the following sequence of actions, per the malware developer -
- The landing page is loaded, and the payload is fetched and held in the browser cache.
- A Download button appears on the page.
- Clicking it saves a "small, clean loader file" that's trusted by the browser.
- Target runs the loader, which reads the cached payload.
- The main payload gets executed on the system, while bypassing SmartScreen protections on Windows.
"A RAT, a builder suite, a web loader, and an HTML dropper — each built around what Windows already trusts," the author behind the Quima suite claims on their website. "Native execution paths, system-owned resources, clean outputs. AV [antivirus] sees nothing unusual. Neither does the user."

LevelBlue's analysis suggests that QuimaRAT is organized as a modular Java project built using Apache Maven, while containing embedded Java Native Access (JNA) native libraries for Windows, Linux, and macOS across various architectures. It also decodes and parses an internal configuration file necessary for environment validation, persistence installation, and C2 initialisation.
"These native components allow the RAT to interact directly with low-level operating system APIs through C/C++ code, indicating intentional support for broad multi-platform deployment," researchers Chen Aviani and Nikita Kazymirskyi said.
Before execution, the malware ensures only one instance of the trojan is running on the infected machine at any given point in time. It achieves this by creating a lock file within the operating system's temporary directory and preventing other processes from using it simultaneously. If it detects that another RAT instance is already holding the lock to the file, it terminates execution.
QuimaRAT is designed to determine the current operating system name, using it to dictate the next course of action, including evading sandboxed and virtual environments, establishing persistence, and serving the main payload. Furthermore, it supports the ability to execute an additional embedded payload or decoy application along with the main RAT process if the functionality, named Binder, is enabled through the configuration.
The malware sets up persistence using a variety of operating system-specific methods: Registry Run keys, Scheduled tasks, and the Startup folder for Windows, .desktop autostart entries and crontab reboot tasks for Linux, and a LaunchAgent plist file for macOS.
What's more, the Trojan incorporates an optional Pastebin-based C2 host update mechanism that is controlled via the configuration. This approach allows the operator to dynamically rotate or replace the C2 infrastructure without having to rebuild and redistribute the payload.
The end goal of the QuimaRAT is to establish communication with the C2 server over TCP (or alternately via WebSocket, TLS, and HTTPS) to receive and execute commands. A watchdog component built into the malware ensures that the channel remains active and reconnects to it, if contact is lost with the C2 server.
"QuimaRAT maintains an internal shutdown state flag used to control whether the RAT should continue performing networking, reconnect, watchdog, and recovery operations," the researchers said. "This mechanism allows QuimaRAT to stop reconnecting, watchdog, and communication recovery operations after shutdown mode is activated."
The malware supports a wide range of capabilities, including remote command execution, remote payload and plugin delivery, credential theft, persistence, file transfer, clipboard manipulation, and webcam surveillance, granting the attacker comprehensive control over an infected system.
Besides these conventional features present in most RAT malware, QuimaRAT facilitates fileless shellcode execution on Windows hosts and a resilient communication framework that enables persistent access to compromised hosts.
"QuimaRAT should be viewed as a modular Java RAT platform rather than a single static implant," LevelBlue said. "ProGuard-class obfuscation indicators, Maven Shade relocation, preserved runtime symbols, and synthetic string decryptors further support the assessment that QuimaRAT is designed to rotate static fingerprints without changing its core behavior."