New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- QuimaRAT is a new Java-based remote access trojan flagged by LevelBlue researchers Chen Aviani and Nikita Kazymirskyi, built as a modular Apache Maven project capable of running on Windows, Linux, and macOS.
- The threat actor sells QuimaRAT under a malware-as-a-service model priced at $150 for one month, $300 for three months, $500 for six months, $700 for twelve months, and $1,200 for lifetime access.
- The Quima suite bundles four tools: Quima Control (a RAT with 74 Windows and 46 macOS/Linux modules), Quima Builder (supporting XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM formats), Quima Loader (a browser-cache stager that bypasses Windows SmartScreen), and Quima Dropper (an HTML/SVG payload generator).
- QuimaRAT establishes persistence through OS-specific mechanisms — Registry Run keys, scheduled tasks, and Startup folders on Windows; .desktop autostart entries and crontab tasks on Linux; and LaunchAgent plist files on macOS.
- The malware communicates with its C2 server over TCP, WebSocket, TLS, or HTTPS, and includes an optional Pastebin-based mechanism that lets the operator rotate infrastructure without rebuilding the payload.
- QuimaRAT's capabilities include remote command execution, credential theft, file transfer, clipboard manipulation, webcam surveillance, and fileless shellcode execution on Windows hosts.
- LevelBlue assessed QuimaRAT as a modular platform rather than a static implant, citing ProGuard-class obfuscation, Maven Shade relocation, and synthetic string decryptors that allow static fingerprints to rotate without altering core behavior.
Why it matters: A single subscription of $150 buys a buyer ready-made cross-platform intrusion tooling with 74 Windows modules and 46 macOS/Linux modules, plus a browser-cache stager that specifically bypasses Windows SmartScreen — lowering the technical bar for multi-OS attacks. The MaaS pricing tiers and the Pastebin-based C2 rotation mechanism make it cheaper and more evasive than building a RAT in-house, putting defenders across all three major desktop platforms on notice.

