Hoplon InfoSec Logo

QuimaRAT Malware: New Java RAT Hits Windows, Linux, Mac

QuimaRAT Malware: New Java RAT Hits Windows, Linux, Mac

Hoplon InfoSec

06 Jul, 2026

QuimaRAT Malware Explained: Inside the Java RAT Now Hunting Windows, Linux, and macOS Users

A friend in IT called me last week asking a simple question. Why does a piece of malware written in Java, a language most of us associate with old enterprise software, suddenly matter again in 2026. The answer is QuimaRAT, and once I explain what it does, you will understand why researchers are paying close attention to it.

QuimaRAT malware is a newly documented remote access trojan built entirely in Java, and it is one of the few threats capable of running natively on Windows, Linux, and macOS from a single codebase. It is not being passed around quietly on hacker forums either. It is sold openly as a subscription product, complete with pricing tiers, a builder panel, and a polished sales pitch about "authorized security research."

Underneath that pitch sits a genuinely dangerous piece of tradecraft, and this guide breaks down exactly how it works, who built the pieces around it, and what your team needs to watch for.

CONTENT SUMMARY

DetailInformation
Malware nameQuimaRAT (core module called Quima Control)
Malware typeJava based remote access trojan
Platforms targetedWindows, Linux, macOS
Distribution modelMalware as a service (MaaS), sold via subscription
Pricing observed150 dollars for one month up to 1200 dollars for lifetime access
Analyzed byLevelBlue researchers Chen Aviani and Nikita Kazymirskyi
Built withApache Maven, Java Native Access (JNA) libraries
Core techniquesEncrypted plugin loading, browser cache payload staging, SmartScreen evasion, fileless shellcode execution
Companion toolsQuima Builder, Quima Loader, Quima Dropper

What is QuimaRAT Malware and Why It is Different From the Usual RAT

Most remote access trojans you read about are written for one operating system and ported, sometimes badly, to others. QuimaRAT malware skips that problem entirely by building on Java from day one. Java code runs on a virtual machine, so as long as the target has a Java runtime, the same core program can execute on a Windows laptop, a Linux server, or a Mac.

LevelBlue's researchers Chen Aviani and Nikita Kazymirskyi documented this in detail, noting that the RAT ships with embedded Java Native Access libraries compiled for multiple operating systems and processor architectures, which lets it reach directly into low level operating system functions through C and C++ code rather than staying boxed inside the Java sandbox. That single design decision is what makes this threat worth learning properly instead of skimming. A defender who only hardens Windows endpoints against this kind of attack is leaving two other operating systems wide open.

Cross-platform malware overview


QuimaRAT Pricing and the Malware as a Service Business Model

Here is something that still catches people off guard the first time they hear it. QuimaRAT malware is not hidden in some invite only forum. It is marketed with a subscription pricing page, the same way you would buy antivirus software or a VPN.

Subscription planPrice
One month150 dollars
Three months300 dollars
Six months500 dollars
Twelve months700 dollars
Lifetime access1200 dollars

This is a textbook example of malware as a service, a model where the developer handles the coding and infrastructure while paying customers, often with no coding skill at all, rent the finished weapon. It is the same commercial logic behind other 2026 era kits, and it lowers the barrier to entry so far that a motivated amateur can run a serious cross platform intrusion with almost no technical background.

The seller's own website adds a strange twist. Visitors are greeted with a pop up describing the platform as offensive security tooling meant strictly for authorized penetration testing and educational use, along with a warning against illegal use. It is the same legitimacy costume worn by other commercial RAT operations, and it fools almost nobody in the security community, but it does complicate takedown efforts and gives affiliates a talking point if questioned.

The Four Tools Inside the QuimaRAT Toolkit

QuimaRAT is not one file. It is a small product suite, and understanding each piece matters if you want to catch it early.

Quima Control, which most people just call QuimaRAT, is the actual remote administration engine. LevelBlue counted 74 separate modules for Windows and 46 shared modules covering macOS and Linux, giving an attacker a genuinely deep menu of remote actions once a machine is compromised.

Quima Builder is the packaging tool. It can wrap the payload into a wide range of file formats including XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM files, which gives an attacker flexibility to match whatever delivery method fits a specific phishing scenario or target environment.

Quima Loader is arguably the cleverest piece of the whole kit, and it deserves its own section below because of how it defeats browser and OS level protections.

Quima Dropper rounds things out as an HTML and SVG based payload generator, useful for attackers who want to hide a stager inside what looks like an ordinary web page or image file.

How QuimaRAT Actually Works Under the Hood

If you strip away the marketing language, QuimaRAT is a modular Java project built with Apache Maven, and its architecture explains a lot about why it has stayed under the radar until recently.

The RAT supports encrypted plugins that get delivered, loaded, unloaded, and updated on the fly straight from the command and control server. That means the operator does not need to rebuild and redistribute the whole malware every time they want new functionality. They just push a new encrypted module.

Before doing anything else, the malware checks for a lock file in the operating system's temporary directory to make sure only one instance is running on a given machine at a time. If a second copy launches and finds the lock already held, it simply shuts itself down. This is a small detail, but it tells you the developer built this with production reliability in mind, not as a quick proof of concept.

Once running, QuimaRAT identifies the host operating system and uses that information to decide its next moves, including whether to attempt sandbox evasion, which persistence method to install, and how to serve the main payload. There is also an optional feature called Binder that lets the operator bundle a decoy application alongside the real payload, so a victim who double clicks a file might see something that looks legitimate while the RAT installs quietly in the background.

How QuimaRAT operates and deceives


Inside the Quima Loader Infection Chain

This is the part of the QuimaRAT malware story that most write ups gloss over, and it is the most important piece from a defensive standpoint. Quima Loader is a browser cache payload delivery service, and here is the sequence the developer themselves describes.

  1. The operator uploads a compiled executable through the Quima panel and chooses a delivery format such as HTA or LNK, along with a landing page template, commonly a fake CAPTCHA check or a fake software update prompt.
  2. A generated stager link goes out to the target, usually through phishing or a compromised web page.
  3. When the victim opens the link in a browser, the real payload gets fetched and quietly held in the browser's own cache rather than written to disk immediately.
  4. A Download button then appears on the page.
  5. Clicking it saves what looks like a small, clean loader file, one that the browser and operating system both trust because it does not resemble a typical malicious binary.
  6. Running that loader causes it to read the payload that is already sitting in the browser cache.
  7. The full RAT executes on the system, and because the file leveraged the browser's own trusted cache and a native execution path, it slips past Windows SmartScreen.

The seller's own pitch line sums up the philosophy nicely, describing the whole suite as tools built around what Windows already trusts, with native execution paths and clean outputs designed so that antivirus and the user both see nothing unusual. That is social engineering and technical evasion working together, and it is why training people to recognize fake update prompts matters just as much as any technical control.

Persistence Mechanisms by Operating System

Once QuimaRAT malware is on a system, it wants to survive a reboot, and it uses different tricks depending on the platform.

Operating systemPersistence method
WindowsRegistry Run keys, scheduled tasks, and the Startup folder
Linux.desktop autostart entries and crontab reboot tasks
macOSA LaunchAgent plist file

Anyone doing threat hunting should treat unexplained entries in any of these locations as a reason to look closer, especially on machines that also show unusual outbound network activity.

Command and Control Infrastructure and the Pastebin Trick

QuimaRAT malware talks back to its operators over TCP, or alternately over WebSocket, TLS, or HTTPS, giving the attacker flexibility depending on what network filtering the target environment has in place. A built in watchdog component keeps that channel alive, automatically reconnecting if contact with the server drops.

One detail worth remembering is the optional Pastebin based command and control update mechanism. It lets an operator rotate or replace the entire command and control infrastructure just by editing a Pastebin post, without ever needing to rebuild or redistribute the malware to already infected machines. This is a low cost, high resilience trick that a lot of smaller malware operations have started borrowing, and it means blocking a single known bad IP address or domain will not necessarily stop an active infection.

The malware also tracks an internal shutdown state flag that governs whether it keeps trying to reconnect, run its watchdog, and attempt recovery after contact is lost. Once that flag flips, the RAT stops all of that background activity, which suggests the developer built in a clean way to retire infected endpoints from the botnet without leaving noisy, easily detected reconnection attempts running forever.

Full Capability List

QuimaRAT malware gives an operator a wide menu of post compromise actions, and the list below reflects what LevelBlue documented.

Remote command execution across all three supported platforms Remote delivery and management of additional payloads and plugins Credential theft from the infected system File transfer in both directions between victim and operator Clipboard manipulation and monitoring Webcam surveillance Fileless shellcode execution specifically on Windows hosts A resilient, self healing communication channel back to command and control

Obfuscation and Why Signature Based Detection Struggles Here

LevelBlue's analysis found ProGuard class obfuscation, Maven Shade package relocation, preserved runtime symbols mixed in oddly with obfuscated code, and synthetic string decryptors scattered throughout the codebase. The practical effect is that QuimaRAT malware can rotate its static fingerprint, meaning the file hash and some surface level characteristics change from build to build, without altering how the malware actually behaves once it runs.

This mirrors a pattern showing up across several 2026 RAT families, where operators lean on anti analysis tricks like sandbox timing checks and virtual machine artifact detection to slip past automated scanning. It is a strong argument for behavior based detection tools over anything that relies purely on matching known bad file signatures, since a modular, actively updated Java RAT like this one is built specifically to defeat that kind of static matching.

How QuimaRAT Compares to Other Cross Platform RATs

Seeing QuimaRAT malware next to other recent cross platform threats helps put its risk into perspective.

MalwareLanguagePlatformsDistributionNotable trait
QuimaRATJavaWindows, Linux, macOSSubscription based MaaSEncrypted plugin architecture with browser cache staging
CrossRATJavaWindows, Linux, macOSTargeted campaignsHistorically low antivirus detection rate
Axios supply chain RATNative code delivered through npmWindows, Linux, macOSCompromised npm packageReached tens of millions of weekly package downloads before discovery
Millenium RAT 4.xC++WindowsSubscription based MaaS with Telegram bot C2Tens of thousands of confirmed infected devices tracked in early 2026

QuimaRAT stands out because its cross platform reach comes from the language choice itself rather than from maintaining three separate codebases, which likely makes it easier for the developer to keep all three platform variants updated in lockstep.

How to Detect a QuimaRAT Infection

Detection here needs to combine a few different signals rather than relying on one indicator alone.

Look for an unexpected lock file sitting in the system temporary directory that persists across sessions. Audit LaunchAgent plist files on Mac endpoints, crontab entries and .desktop autostart files on Linux systems, and new Registry Run keys or scheduled tasks on Windows, especially anything created around the time a suspicious download occurred.

Flag outbound connections to Pastebin coming from processes that have no legitimate reason to reach that service, since that is the malware's command and control rotation channel. Watch for a small, seemingly harmless loader file being executed shortly after a user visits a fake CAPTCHA or fake update page, then followed by a larger payload appearing from nowhere on disk. Prioritize behavioral detection and endpoint telemetry over static antivirus signatures, since the obfuscation techniques here are specifically designed to defeat hash based matching.

A properly tuned extended detection and response platform, paired with ongoing threat hunting through a dedicated cyber threat intelligence program, catches this kind of layered evasion far more reliably than antivirus alone.

How to detect a QuimaRAT infection
How to detect a QuimaRAT infection

How to Protect Your Organization From QuimaRAT and Similar RATs

Restrict execution of JAR, HTA, LNK, and VBS files that arrive through browser downloads, and block them at the email gateway as well. Enable application allow listing so unknown executables cannot silently run even if a user is tricked into downloading one. Monitor the OS specific persistence locations covered earlier as a standing detection rule, not a one time check.

Deploy endpoint protection with genuine behavioral detection rather than signature only scanning, since this malware is built to rotate its fingerprint. Train staff to recognize fake CAPTCHA checks and fake software update prompts, since that is the exact social engineering hook Quima Loader depends on. Keep Java runtime environments patched and remove them entirely from machines that do not actually need Java to function. Run a periodic gap assessment against your current endpoint and email controls to confirm nothing here is falling through the cracks.

Organizations that want a full outside in view of their exposure often start with an attack surface management engagement to map every internet facing asset an attacker like this could target, paired with endpoint security protection to stop the payload once it lands. If a QuimaRAT style infection is already suspected, moving quickly into incident response and recovery limits the blast radius far more than waiting for symptoms to escalate.

Frequently Asked Questions

What is QuimaRAT malware: QuimaRAT is a Java based remote access trojan sold as a subscription service that can infect Windows, Linux, and macOS systems from a single codebase, giving attackers remote command execution, credential theft, file access, and surveillance capabilities.

Is QuimaRAT a virus or a RAT: It is a remote access trojan, not a virus. A virus typically self replicates by attaching to other files, while a RAT like QuimaRAT is designed to give a remote operator ongoing, hands on control of an infected machine.

How does QuimaRAT bypass antivirus software: It combines ProGuard obfuscation, Maven Shade code relocation, and synthetic string decryption to constantly change its static fingerprint, while its Quima Loader delivery method uses browser caching and trusted native execution paths to avoid triggering Windows SmartScreen or typical antivirus heuristics.

Can QuimaRAT infect Mac computers: Yes. QuimaRAT includes dedicated macOS modules and installs persistence through a LaunchAgent plist file, although the seller notes that certain features like screen capture and input control require the user to grant admin level permissions on Mac systems.

Who discovered QuimaRAT: Researchers Chen Aviani and Nikita Kazymirskyi at LevelBlue published the original technical analysis documenting QuimaRAT's architecture, modules, and delivery mechanisms.

How is QuimaRAT sold: It is sold directly through a dedicated website using a malware as a service subscription model, with pricing ranging from 150 dollars for one month of access up to 1200 dollars for lifetime access, alongside a public disclaimer claiming the tooling is meant only for authorized security research.

Related Reading on Hoplon InfoSec

If this kind of Java based remote access trojan interests you, it is worth reading how SambaSpy weaponized PDF attacks spread another Java delivered RAT through email attachments, and how the LinkedIn RAT malware attack used a completely different social platform to achieve a similar outcome. Both cases reinforce the same lesson found throughout this QuimaRAT breakdown, that a modern RAT succeeds through a mix of clever delivery and quiet persistence rather than raw technical complexity alone.

Author:  Radia
Published: July 06, 2026
Last Updated: July 06, 2026

Was this article helpful?

React to this post and see the live totals.

Share this :

Latest News