← All articles

QuimaRAT rents out a cross-platform Java trojan for Windows, Linux, and macOS

LevelBlue detailed QuimaRAT, a new Java-based remote access trojan sold as a service that runs across Windows, Linux, and macOS from the same codebase. Subscriptions range from about $150 for a month to $1,200 for lifetime access, lowering the bar for attackers to get cross-platform reach. Built around a modular design, it expands its capabilities through encrypted plugins that operators can load, update, or remove from their command server on the fly. It also uses several obfuscation techniques to keep changing how it looks to security tools without altering its behavior, so signatures based on its appearance are likely to go stale quickly.

Check
Ensure endpoint protection covers Linux and macOS as well as Windows, watch for unexpected Java processes and outbound command-and-control traffic, and be wary of behavior-independent signatures given this malware's shifting fingerprints.
Affected
Organizations running mixed Windows, Linux, and macOS fleets; QuimaRAT's single cross-platform codebase and rented model let even low-skill attackers gain modular remote access across all three operating systems.
Fix
Deploy endpoint detection across all operating systems including macOS and Linux, prioritize behavior-based detection over static signatures, restrict unnecessary Java runtimes, and monitor for encrypted plugin traffic to unfamiliar command-and-control servers.