A newly identified Java based remote access trojan named QuimaRAT has emerged as a cross platform malware platform capable of targeting Windows, Linux, and macOS systems through a malware as a service model. According to cybersecurity researchers at LevelBlue, QuimaRAT is being marketed to cybercriminals through subscription based plans ranging from $150 for one month to $1,200 for lifetime access. Additional subscription options include three month, six month, and one year packages, making the malware accessible to a wide range of threat actors. Researchers said the malware has been designed with a modular architecture that allows operators to expand its functionality through encrypted plugins delivered directly from its command and control infrastructure. The platform also includes tools that generate payloads in several formats, including JAR, EXE, APP, SH, BAT, and VBS, allowing attackers to package malware for different operating systems and attack scenarios. The malware developer promotes the platform as a stealthy solution, claiming it operates without visible interface elements on Windows and Linux systems, while certain macOS capabilities such as screen recording and input control require administrator permissions granted by the user. Although the platform’s website presents the tools as being intended for professional security research, authorized penetration testing, and educational purposes, researchers noted that the capabilities clearly enable unauthorized access and malicious activity.
The Quima suite consists of four separate tools designed to simplify malware deployment and management. Quima Control, also referred to as QuimaRAT, serves as the primary remote administration tool with dozens of modules supporting Windows, Linux, and macOS. Quima Builder enables attackers to generate malware packages using multiple file formats, including XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM files. Another component, Quima Loader, functions as a browser cache based payload delivery mechanism. Attackers upload an executable through a management panel, select a delivery method such as HTA or LNK, and choose a deceptive landing page template that imitates software updates or CAPTCHA verification pages. When a victim visits the page, the malware payload is stored in the browser cache before a download button appears. After the user launches the downloaded loader, it retrieves the cached payload and executes it on the system while attempting to bypass Windows SmartScreen protections. Quima Dropper complements the toolkit by generating HTML and SVG payloads for additional delivery methods. Researchers noted that the malware author promotes the platform by emphasizing the use of trusted Windows processes and native execution paths that make malicious activity less noticeable to antivirus products and end users.
LevelBlue’s technical analysis shows QuimaRAT is developed as a modular Java project using Apache Maven and includes embedded Java Native Access libraries for Windows, Linux, and macOS across multiple processor architectures. Before execution, the malware validates its operating environment, installs persistence, and initializes communication with its command and control server. It also prevents multiple instances from running simultaneously by creating a lock file in the system’s temporary directory. If another instance is detected, execution is immediately terminated. Once active, the malware identifies the operating system and adjusts its behavior accordingly. It contains functionality to evade sandbox and virtualized environments while establishing long term persistence using methods specific to each platform. Windows systems are targeted through Registry Run keys, scheduled tasks, and Startup folder entries. Linux systems rely on desktop autostart entries and scheduled reboot tasks, while macOS uses LaunchAgent configuration files. QuimaRAT also supports an optional Binder feature that allows attackers to execute an embedded decoy application alongside the primary malware process, helping disguise malicious activity from victims. Researchers further identified a Pastebin based mechanism that enables operators to update command and control infrastructure without rebuilding or redistributing malware samples, allowing threat actors to rotate servers quickly if existing infrastructure is disrupted.
After establishing communication with its command and control infrastructure over TCP, WebSocket, TLS, or HTTPS, QuimaRAT provides attackers with extensive control over compromised systems. The malware supports remote command execution, encrypted plugin delivery, credential theft, file transfer, clipboard manipulation, persistence management, webcam surveillance, and additional payload deployment. Windows systems also support fileless shellcode execution, increasing the malware’s ability to evade traditional detection methods. A built in watchdog continuously monitors the connection with the command and control server and automatically restores communication if it is interrupted. Researchers also identified an internal shutdown state that controls reconnect attempts and recovery operations after the malware receives instructions to terminate activity. According to LevelBlue, QuimaRAT should be viewed as a continuously evolving malware platform rather than a single static threat because its modular architecture enables operators to add or remove capabilities without modifying the core framework. The malware also incorporates obfuscation techniques, preserved runtime symbols, and string decryption methods that help reduce static detection while maintaining consistent functionality across different operating systems, making it a flexible platform for future cyber campaigns.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.