"The platform provides offensive security tooling intended exclusively for professional security research, authorized penetration testing, and controlled educational environments," reads a pop-up on the seller's website — a disclaimer that accompanies a commercialized, Java-based remote access trojan package called QuimaRAT, researchers say.
What QuimaRAT is and how it is sold
Security firm LevelBlue flagged QuimaRAT as a cross-platform remote access trojan (RAT) offered under a malware-as-a-service (MaaS) model. The seller advertises subscription tiers ranging from $150 for one month to $1,200 for lifetime access, with intermediate pricing at $300 (three months), $500 (six months), and $700 (twelve months).
The operator markets four distinct tools in the suite: Quima Control (aka QuimaRAT), a remote administration tool; Quima Builder, a modular builder and launcher toolkit; Quima Loader, a browser-cache payload delivery service; and Quima Dropper, an HTML/SVG payload generator. The Quima Control component is described as including 74 Windows modules and 46 macOS and Linux modules.
Modular architecture, Java core, and native libraries
LevelBlue's analysis describes QuimaRAT as a modular Java project built with Apache Maven that embeds Java Native Access (JNA) native libraries for Windows, Linux, and macOS across multiple architectures. Researchers Chen Aviani and Nikita Kazymirskyi noted the native components allow the RAT to interact with low-level operating system APIs via C/C++ code, supporting "broad multi-platform deployment."
The malware decodes and parses an internal configuration file used for environment validation, persistence installation, and command-and-control (C2) initialization. LevelBlue characterizes QuimaRAT as "a modular Java RAT platform rather than a single static implant," pointing to ProGuard-class obfuscation indicators, Maven Shade relocation, preserved runtime symbols, and synthetic string decryptors that support rotating static fingerprints without changing core behavior.
Delivery and staging: Quima Builder and Quima Loader
The seller offers a builder that can output multiple formats — JAR, EXE, APP, SH, BAT, and VBS — and a builder toolkit that supports additional file types including XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM. The goal, per the product materials, is to help operators package clients tailored to different environments and delivery scenarios.
Quima Loader is notable for its browser-cache staging workflow. According to the developer's description captured by LevelBlue, an operator uploads an EXE and selects a delivery format and landing page template (for example, a fake CAPTCHA or software update alert). The generated stager link triggers a sequence: the landing page loads and fetches the payload into the browser cache, a Download button appears, the victim saves a "small, clean loader file" trusted by the browser, runs it, and the loader reads the cached payload to execute the main payload. The seller claims this process bypasses SmartScreen protections on Windows.
Persistence, execution controls, and evasion
QuimaRAT enforces a single-instance design by creating a lock file in the operating system's temporary directory; if another instance holds the lock the new process terminates. The RAT determines the host operating system name to decide actions such as sandbox and virtual environment evasion, persistence installation, and serving the main payload. An optional Binder feature can execute an embedded payload or decoy alongside the RAT when enabled in configuration.
Persistence mechanisms vary by OS: Registry Run keys, Scheduled Tasks, and the Startup folder on Windows; .desktop autostart entries and crontab reboot tasks on Linux; and a LaunchAgent plist on macOS. The seller promises "complete stealth" on Windows and Linux, while warning that some macOS features — notably screen capture and input control — require "user-granted admin permissions."
Command-and-control, capabilities, and resilience
QuimaRAT is designed to communicate with C2 infrastructure over TCP, with optional modes using WebSocket, TLS, or HTTPS. A built-in watchdog maintains the connection and reconnects if contact is lost; researchers also noted an internal shutdown state flag that can stop networking, reconnect, watchdog, and recovery operations once shutdown mode is activated. The malware supports an optional Pastebin-based C2 host update mechanism controlled via configuration, allowing operators to rotate or replace C2 infrastructure without rebuilding or redistributing payloads.
Capabilities documented by LevelBlue include remote command execution; remote payload and plugin delivery; credential theft; file transfer; clipboard manipulation; webcam surveillance; persistence management; and fileless shellcode execution on Windows. LevelBlue also described a "resilient communication framework" intended to enable persistent access to compromised hosts.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: QuimaRAT's modular design, native JNA libraries, and multiple delivery options mean detection and response must account for Java toolchains, embedded native code, and staged browser-cache delivery techniques when hunting for suspicious behavior.
- Procurement and defenders evaluating tooling claims: The seller's site includes an explicit disclaimer about authorized use, yet the product's low-cost MaaS tiers and built-in evasion mechanisms show how capability can be packaged and sold; buyers and defenders should scrutinize how such toolkits can be repurposed outside claimed legal uses.
- End users: Features on macOS such as screen capture and input control still require explicit admin permissions, underscoring a concrete point of control that can block some functionality if users and administrators do not grant elevated rights.
LevelBlue's reporting paints QuimaRAT as a commercially packaged, multi-platform RAT that combines Java portability with native hooks, staged browser delivery, and modular plugins to broaden its operational reach. The package's costed tiers, claimed stealth features, and a Pastebin-driven C2 update option highlight a design aiming for flexibility and longevity. Whether defenders will find reliable indicators that survive the platform's obfuscation and fingerprint-rotation strategies remains the immediate technical question the analysis leaves on the table.




