
Novel Java-Based QuimaRAT Targets Windows, macOS, and Linux

Remote access trojans (RATs) are legacy threats that continue to evolve alongside an expanding and ever-changing threat landscape. Following our recently published articles about novel and notable RATs, including KarstoRAT, the latest version of ClickFix, and ClickFix’s macOS variant, we analyzed QuimaRAT, a novel Java-based RAT that targets Windows, Linux, and macOS environments and is currently being sold on the dark web as a subscription-based RAT platform.

Our in-depth analysis of a QuimaRAT sample — including its architecture, configuration management, communication protocol, persistence mechanisms, plugin framework, and operator capabilities — can be found in our full report.

Here are some notable observations of this novel RAT:

  • On the dark web forum post where the threat actor advertises QuimaRAT, it’s referred to as “QuimaRAT v2.0.” It’s advertised as having “70+ modules”, “AES-256 encryption”, “FUD (Fully Undetectable)” and a “GUI panel.”

  • The QuimaRAT seller advertises it as a malware-as-a-service (MaaS), with prices of $150 for one month, $300 for three months, $500 for six months, $700 for twelve months, and $1,200 for lifetime access.

  • QuimaRAT has two distinct pom.xml files, which indicates that it is organized as a modular Java project built with Apache Maven.

  • In the sample we analyzed, we found a JAR archive designed to run on the Java SE 8 JVM. Static analysis of the sample revealed that it contains multiple embedded Java Native Access (JNA) native libraries for Windows, Linux, and macOS across various architectures.

  • QuimaRAT loads an encrypted internal config.dat file embedded within the JAR archive. This is then decrypted using a repeating-key XOR routine.

  • Before proceeding with execution on a victim’s machine, QuimaRAT performs a single-instance verification routine to ensure that only one copy of QuimaRAT runs on an infected machine at a time. It does this by creating a .lock file inside the operating system’s (OS) temporary directory and attempting to lock it using Java’s FileLock functionality.

  • This RAT performs OS-specific virtualization and analysis environment checks prior to execution. It also installs OS-specific persistence mechanisms.

  • To keep C2 communications resilient, QuimaRAT implements HANDSHAKE and HEARTBEAT commands.

  • Static analysis confirmed 23 implemented commands and 212 protocol-only commands, which indicates that the actor can likely expand functionality through runtime modules, uploaded binaries, or fileless payloads.
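The repeating-key XOR routine used on config.dat (noted above) is the kind of obfuscation an analyst reverses during triage to pull the embedded configuration out of a sample. The following is an added example of that analyst-side recovery; it is not code from the LevelBlue report or from QuimaRAT itself. The key, the JSON-like config layout, and the placeholder C2 address are all constructed for illustration, since the page does not describe the real config.dat format or key. The example goes slightly beyond the bullet: besides decrypting with a known key, it recovers the key from a predictable config header and brute-forces the key length, which is how such a config is typically extracted when the key is not yet known.

```python
"""Analyst-side recovery of a repeating-key XOR obfuscated config blob.

Added example, not code from the LevelBlue report or from QuimaRAT.
SAMPLE_KEY, SAMPLE_PLAINTEXT and the resulting SAMPLE_CIPHERTEXT are
constructed here; the real config.dat layout and key are not on the page.
"""
import json
import string
from itertools import cycle
from typing import Optional

PRINTABLE = set(string.printable.encode())


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR ``data`` against ``key`` cycled to the data length.

    The operation is symmetric: the same call obfuscates and deobfuscates.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_from_known_plaintext(ciphertext: bytes, known_prefix: bytes,
                                     key_len: int) -> bytes:
    """Recover one key period when the first ``key_len`` plaintext bytes are known.

    Config files usually open with a predictable header (here ``{"c2":"``),
    which is enough known plaintext to expose a full period of the key.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known prefix must cover at least one key period")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 for a clean text config."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def guess_key_length(ciphertext: bytes, known_prefix: bytes,
                     max_len: int = 32) -> Optional[int]:
    """Return the shortest key length whose recovered key decrypts to a fully
    printable blob that still begins with the known header, or None."""
    for n in range(1, min(max_len, len(known_prefix)) + 1):
        key = recover_key_from_known_plaintext(ciphertext, known_prefix, n)
        plain = xor_repeating(ciphertext, key)
        if plain.startswith(known_prefix) and printable_ratio(plain) == 1.0:
            return n
    return None


def recover_config(ciphertext: bytes, known_prefix: bytes) -> Optional[dict]:
    """Recover key length and key, decrypt, and parse the JSON config."""
    n = guess_key_length(ciphertext, known_prefix)
    if n is None:
        return None
    key = recover_key_from_known_plaintext(ciphertext, known_prefix, n)
    try:
        return json.loads(xor_repeating(ciphertext, key).decode("ascii"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


# Constructed sample: a 6-byte key and a small JSON config with a
# documentation-range placeholder address (RFC 5737), not a real C2.
SAMPLE_KEY = b"Qm4#kZ"
SAMPLE_PLAINTEXT = b'{"c2":"203.0.113.10:4444","id":"demo","beacon":30}'
SAMPLE_CIPHERTEXT = xor_repeating(SAMPLE_PLAINTEXT, SAMPLE_KEY)
KNOWN_HEADER = b'{"c2":"'

if __name__ == "__main__":
    print("guessed key length:", guess_key_length(SAMPLE_CIPHERTEXT, KNOWN_HEADER))
    print("recovered config:", recover_config(SAMPLE_CIPHERTEXT, KNOWN_HEADER))
```

The key-length search relies on two properties of a wrong guess: the bytes past the guessed period decrypt to garbage, so the output stops matching the known header and usually contains non-printable bytes. A real extractor would replace the constructed header with whatever the sample's decrypted config actually begins with, and would read the blob out of the JAR rather than from an in-memory constant.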

Learn more about QuimaRAT in our full report.

ABOUT LEVELBLUE

LevelBlue secures what's next with intelligence-led security delivering visibility and speed to stop threats faster. As the world’s largest and most analyst-recognized pure-play managed security services provider, our AI-powered managed services and cyber expertise across managed, advisory, and incident response services help clients operate with confidence.
