Published on July 6, 2026
New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS
Severity
Medium
Detail
Researchers have identified QuimaRAT, a new cross-platform Java-based remote access trojan (RAT) offered through a Malware-as-a-Service (MaaS) model. The malware targets Windows, Linux, and macOS systems and provides attackers with a modular framework for remote access, credential theft, persistence, and plugin-based capability expansion.
Its multi-platform design, flexible deployment options, and support for encrypted plugins make QuimaRAT a versatile threat for both individual and enterprise environments.
How?
QuimaRAT is distributed as part of a complete malware toolkit that includes a builder, loader, and dropper, enabling attackers to generate payloads in multiple formats and deliver them through phishing lures such as fake CAPTCHA pages and software update prompts. Victims are tricked into executing a small loader that retrieves the main payload from the browser cache, helping bypass security mechanisms such as Windows SmartScreen.
Once executed, the malware verifies the operating system, performs environment checks to detect virtualized or sandboxed systems, and ensures only one instance of the RAT is active. It then establishes persistence using platform-specific techniques, including Registry Run keys and scheduled tasks on Windows, autostart entries and cron jobs on Linux, and LaunchAgent plist files on macOS.
QuimaRAT initializes communication with its command-and-control (C2) server over TCP, HTTPS, TLS, or WebSocket connections. A built-in watchdog continuously monitors the connection and automatically reconnects if communication is interrupted. The malware also supports a Pastebin-based C2 update mechanism, allowing operators to change C2 infrastructure without redistributing the malware.
After establishing a foothold, QuimaRAT can execute remote commands, deploy additional payloads and encrypted plugins, steal credentials, transfer files, manipulate the clipboard, monitor webcams, and perform fileless shellcode execution on Windows systems, providing attackers with persistent and comprehensive control over compromised hosts.
Conclusion
QuimaRAT represents an advanced evolution of cross-platform remote access malware by combining modular architecture, flexible delivery methods, resilient command-and-control mechanisms, and extensive post-compromise capabilities into a single MaaS platform. Its ability to dynamically load plugins and update infrastructure significantly complicates detection and long-term remediation.
Organizations should monitor for unusual Java application activity, unexpected persistence mechanisms, suspicious outbound communications over multiple protocols, and unauthorized execution of loaders or browser-delivered payloads. Implementing application control, restricting execution of untrusted scripts, and strengthening endpoint detection capabilities across Windows, Linux, and macOS systems are essential to mitigating threats posed by QuimaRAT.
Source
https://thehackernews.com/2026/07/new-java-based-quimarat-maas-built-to.html
