QuimaRAT: Java-Based Cross-Platform RAT Sold as MaaS

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- LevelBlue disclosed QuimaRAT, a Java-based cross-platform RAT sold under a malware-as-a-service model with subscriptions ranging from $150 for one month to $1,200 for lifetime access, plus tiers at $300 (3 months), $500 (6 months), and $700 (12 months).
- Quima Builder, the suite's modular builder toolkit, generates client outputs in JAR, EXE, APP, SH, BAT, and VBS formats so buyers can package the RAT for different operating systems and delivery scenarios.
- Quima Loader stages payloads through the browser cache and bypasses Windows SmartScreen by serving a 'clean' loader file that reads a cached EXE, with landing page templates mimicking fake CAPTCHAs and software update alerts.
- QuimaRAT establishes persistence using OS-specific methods: Registry Run keys, Scheduled tasks, and the Startup folder on Windows; .desktop autostart entries and crontab reboot tasks on Linux; and a LaunchAgent plist file on macOS.
- QuimaRAT supports fileless shellcode execution on Windows hosts and reaches its C2 server over TCP, WebSocket, TLS, or HTTPS, with a Pastebin-based mechanism letting operators rotate C2 infrastructure without rebuilding the payload.
- Researchers Chen Aviani and Nikita Kazymirskyi of LevelBlue noted the malware is built with Apache Maven and uses embedded Java Native Access libraries, plus ProGuard-class obfuscation and Maven Shade relocation, to support broad multi-platform deployment while rotating static fingerprints.
Why it matters: At $150 a month, QuimaRAT is cheap enough for low-skill buyers, yet modular enough — 74 Windows modules and 46 macOS/Linux modules, plus encrypted C2-delivered plugins and a Pastebin-based infrastructure rotator — that a single subscription yields a cross-platform implant with credential theft, webcam surveillance, and fileless execution. The browser-cache loader specifically evades Windows SmartScreen, shrinking the detection gap defenders have leaned on.




