Skip to content
feed: live about
>_ 0dayNews
vendor advisory

QuimaRAT: a Java RAT MaaS that covers Windows, Linux, and macOS for $150

LevelBlue profiled a new cross-platform Java RAT sold as MaaS. No confirmed campaigns yet — but the price is low, the payload runs everywhere, and the loader is built to walk past SmartScreen. Assume it lands somewhere soon.

QuimaRAT: a Java RAT MaaS that covers Windows, Linux, and macOS for $150
Image: 0dayNews / 0dayNews Editorial · All rights reserved
Marisol "Fuse" Delgado · Published · 3 min read

LevelBlue’s SpiderLabs team profiled a new Java-based RAT called QuimaRAT on 2026-06-25 — cross-platform, MaaS, priced starting at $150 for a month and $1,200 for lifetime. The Hacker News picked it up on 2026-07-06. Researchers Chen Aviani and Nikita Kazymirskyi analyzed the sample; there are no confirmed in-the-wild campaigns in the writeup yet. That’s the honest state of it.

Here’s why you should still care: cross-platform Java payloads that price-in at less than a couple of Steam games, delivered through a loader engineered to bypass Windows SmartScreen, do not stay theoretical for long. The floor for who can buy this is very low.

What changed

QuimaRAT is a Java project — modular, Maven-built, ProGuard-obfuscated, with JNA-embedded native libraries for every relevant Windows, Linux, and macOS architecture. LevelBlue counted roughly 74 modules on Windows and 46 on the Unix side. Capabilities are the usual RAT set: remote command execution, credential theft, file transfer, clipboard grab, webcam, plus fileless shellcode execution on Windows and pluggable payload delivery.

The “suite” being sold is four pieces:

  • Quima Control — the operator’s console.
  • Quima Builder — builds initial-access artifacts as XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, or CHM.
  • Quima Loader — a browser-cache trick where the landing page pre-caches the payload, then a “clean” loader downloads and reads it locally. Marketed as a SmartScreen walk-past.
  • Quima Dropper — HTML/SVG payload generator.

C2 runs over TCP, WebSocket, TLS, or HTTPS, with an optional Pastebin channel that rotates the C2 host on the fly. A watchdog keeps the connection alive.

Persistence is boring in the good way — meaning it uses the same slots everything else uses, so you already know where to look:

  • Windows: Run keys, Scheduled Tasks, Startup folder.
  • Linux: .desktop autostart entries, crontab @reboot.
  • macOS: a LaunchAgent plist under the user’s Library.

Pricing tiers, from LevelBlue: $150/1mo, $300/3mo, $500/6mo, $700/12mo, $1,200 lifetime. That’s not “sophisticated APT tooling” money. That’s “kid with a credit card” money.

What to actually do

If you defend Windows endpoints: don’t put weight on SmartScreen alone for this class of loader. The whole point of the browser-cache dance is that the file the user clicks is small, clean, and trusted — the interesting payload arrives via a cache hit that never trips a mark-of-the-web check. That’s not a SmartScreen bug. It’s a design assumption you can’t lean on. Behavioral detection on Java processes spawning shells, doing native library loads, or writing to Startup folder / registry Run keys carries more weight here than reputation-based file scanning.

If you defend Mac fleets: LaunchAgent plists under ~/Library/LaunchAgents/ are your monitoring surface. The sample requires the user to grant admin permissions for the fancier features, which is the one honest weak point of the tooling — mature MDM policies that block user-granted admin except through a workflow will bite this. If you already restrict that, you’re in reasonable shape; if you don’t, that’s the higher-priority backlog item.

If you defend Linux fleets (servers, workstations, or containers): watch .desktop files in autostart directories and @reboot crontab lines for anything Java-adjacent. Neither is exotic detection engineering — both should already be in your baseline. If they aren’t, add them now, not because of this specific family but because every RAT built for Linux ends up in one of those two slots.

Everyone: the payload arrives in the same delivery formats initial-access has used for years — XLL, LNK, DOCM, XLSM, CHM. If you already block or sandbox those at the mail gateway and browser download layer, this is not a new problem shape. If you don’t, this is a reminder to close it. Java runtime on user workstations is the other lever — most desks don’t need one installed at all.

No IOCs published in the public writeup yet. LevelBlue references a “full report” for the technical detail; VirusTotal has a sample hash from The Hacker News’ writeup (bb0fbcb1e47ec04aa55555f3769fbc6f09694de1e9baae59260356b26b5af6a7) if you want a starting point for retro-hunts.

The priority call

Patch what’s on your KEV list first — that’s still the higher-signal risk today, and the ChocoPoC campaign targeting researcher workstations is a fresher, confirmed threat if you clone PoCs as part of the job. Read this one and move — QuimaRAT is a capability profile of a MaaS product, not evidence of active exploitation. But if your fleet includes Macs and Linux desktops that your EDR treats as second-class citizens, the honest timeline is that a $150/mo Java RAT with a SmartScreen-bypass loader will find someone to buy it. Get the LaunchAgent, .desktop, and crontab monitoring in place now, before the confirmed-campaign article shows up on this site.

Found this useful? Share it.