Security researchers at LevelBlue have identified a new Java-based remote access trojan (RAT) named QuimaRAT, designed to operate across Windows, Linux, and macOS systems. The malware is being distributed under a malware-as-a-service (MaaS) model, lowering the barrier to entry for threat actors who lack the technical skills to develop their own tooling.
Pricing and Distribution
QuimaRAT is offered at several subscription tiers. Buyers can access the malware for as little as $150 for a single month, scaling up to $1,200 for lifetime access. Additional mid-range tiers are also available, making the tool accessible to a broad range of criminal operators.
Cross-Platform Design
The decision to build QuimaRAT in Java is deliberate. Java’s write-once-run-anywhere architecture means a single malware codebase can execute on any system with a compatible runtime environment, without requiring separate builds per platform. This significantly increases the potential target surface compared to native-binary RATs that typically focus on a single operating system.
Implications for Defenders
The MaaS model commoditizes advanced capabilities and distributes operational risk across many buyers and campaigns. Security teams protecting heterogeneous environments, including those running mixed fleets of Windows workstations alongside Linux servers or macOS developer machines, should treat this as a meaningful threat.
- Endpoint detection coverage should extend to Java runtime processes and suspicious JAR file execution on all supported platforms.
- Network monitoring for unusual outbound connections initiated by Java processes can aid early detection.
- Organizations should audit which systems have a Java runtime installed and whether that runtime is operationally necessary.
As MaaS offerings continue to mature, the combination of low cost, multi-platform support, and subscription flexibility makes QuimaRAT a tool likely to appear across a wide variety of threat actor campaigns in the near term.
