Novel Java-Based QuimaRAT Targets Windows, macOS, and Linux
QuimaRAT is a cross-platform, Java-based remote access trojan sold as a malware-as-a-service subscription on the dark web. It targets Windows, macOS, and Linux systems by embedding JNA native libraries for multiple architectures within a JAR archive built for Java SE 8. The RAT decrypts an internal configuration file using repeating-key XOR, performs anti-analysis and virtualization checks, establishes persistence via OS-specific mechanisms, and maintains resilient C2 communication through HANDSHAKE and HEARTBEAT protocols. With 23 implemented commands and 212 protocol-only commands, the platform is highly extensible through runtime modules and fileless payloads.
Detection / Hunteropenrouter
What Happened
A new type of malicious software called QuimaRAT has been discovered. It is designed to remotely control computers running Windows, macOS, or Linux, and is being sold on the dark web as a subscription service. The software is built using Java, which allows it to work across different operating systems. Before running, it checks whether it is in a virtual or analysis environment to avoid detection by security researchers. It also ensures only one copy runs at a time and installs itself so it survives reboots. Anyone responsible for systems with Java installed should be aware of this threat, review endpoint protections, and consider monitoring for unusual Java processes or unexpected JAR file execution. The full technical report from LevelBlue SpiderLabs contains additional details for security teams.
Key Takeaways
- QuimaRAT is a novel Java-based RAT sold as malware-as-a-service on the dark web, targeting Windows, macOS, and Linux via embedded JNA native libraries for multiple architectures.
- The RAT uses a repeating-key XOR to decrypt an internal config.dat file embedded within the JAR archive, and performs single-instance verification via a .lock file in the OS temporary directory.
- QuimaRAT implements OS-specific virtualization and analysis environment checks before execution, and installs OS-specific persistence mechanisms.
- C2 communications use HANDSHAKE and HEARTBEAT commands for resilient connectivity; 23 implemented commands and 212 protocol-only commands suggest significant extensibility via runtime modules.
- Pricing ranges from $150/month to $1,200 for lifetime access, indicating broad accessibility to threat actors of varying sophistication.
Affected Systems
- Windows (multiple architectures)
- macOS (multiple architectures)
- Linux (multiple architectures)
- Systems with Java SE 8 (JVM) installed
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: JAR archive delivered to victim (delivery vector not specified in this summary article)
- Execution: JAR runs on JVM (Java SE 8), loads embedded JNA native libraries appropriate for the target OS and architecture
- Defense Evasion: Performs OS-specific virtualization and analysis environment checks before proceeding with execution
- Configuration: Decrypts embedded config.dat using repeating-key XOR; creates .lock file in OS temp directory for single-instance enforcement
- Persistence: Installs OS-specific persistence mechanism to survive reboots
- C2 Communication: Establishes resilient C2 channel using HANDSHAKE and HEARTBEAT commands; 23 implemented commands and 212 protocol-only commands available for operator actions
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
This article is a summary blog post; no detection rules or queries are included. The full report linked in the article may contain additional detection content.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | Java-based execution may be visible via process telemetry (java.exe spawning unexpected child processes), but fileless payloads and runtime module loading could limit visibility. JNA native library loading from within a JAR may not be captured by all EDR solutions. |
| Network Visibility | Medium | C2 communications use AES-256 encryption and custom HANDSHAKE/HEARTBEAT protocol commands, making traffic difficult to distinguish from legitimate encrypted traffic without payload inspection or behavioral analysis. |
| Detection Difficulty | Hard | Cross-platform Java-based malware with encrypted C2, anti-analysis checks, and fileless payload capability presents significant detection challenges. The use of legitimate Java runtime processes and encrypted communications reduces the effectiveness of signature-based and some behavioral detections. |
Required Log Sources
- Process creation events (e.g., Sysmon Event ID 1, EDR process telemetry)
- File creation events in temporary directories
- Network connection events with TLS metadata
- Java process execution logs
- File lock creation events in OS temp directories
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for Java processes (java.exe or equivalent) that create lock files in the OS temporary directory, as QuimaRAT uses Java FileLock for single-instance verification (T1059, T1497). | Process creation and file creation events in temp directories; EDR file operation telemetry | Execution | Medium — legitimate Java applications may also use lock files in temp directories for single-instance checks. |
| Consider hunting for Java processes that load JNA native libraries from within embedded JAR archives, as QuimaRAT bundles platform-specific JNA libraries for cross-platform execution (T1129). | EDR module/library load events, Sysmon Event ID 7 (image loaded) | Execution | Medium — legitimate cross-platform Java applications may also use JNA libraries. |
| Consider hunting for Java processes establishing outbound network connections shortly after performing virtualization or sandbox checks, as QuimaRAT performs anti-analysis before initiating C2 (T1497, T1071). | Process creation, network connection events, and any available API call telemetry for virtualization detection APIs | C2 Communication | Low to Medium — the combination of anti-analysis checks followed by outbound connections is suspicious but not conclusive. |
| Consider hunting for JAR files that contain an embedded config.dat file, as QuimaRAT stores its encrypted configuration in this file within the JAR archive (T1027.009). | File scanning or EDR file inspection capabilities that can enumerate JAR/archive contents | Defense Evasion | Low — config.dat embedded in a JAR is an unusual pattern for legitimate Java applications. |
| Consider hunting for Java processes that modify OS-specific persistence locations (e.g., registry run keys on Windows, launch agents on macOS, cron or systemd on Linux), as QuimaRAT installs OS-specific persistence (T1543). | Registry modification events, launch agent/plist creation, cron or systemd unit file creation, EDR persistence telemetry | Persistence | Medium — legitimate Java applications may also install persistence mechanisms. |
Control Gaps
- Signature-based antivirus may miss this RAT due to its FUD (Fully Undetectable) claims and encrypted/fileless payload capabilities.
- Network-based detection may struggle with AES-256 encrypted C2 traffic using custom protocol commands.
- Cross-platform coverage gaps may exist if EDR or monitoring is only deployed on a subset of OS platforms (Windows-only deployments would miss macOS/Linux activity).
Key Behavioral Indicators
- Java process (java.exe or equivalent) creating a .lock file in the OS temporary directory
- Java process loading JNA native libraries from within an embedded JAR archive
- JAR file containing an embedded config.dat file
- Java process performing virtualization/sandbox detection API calls before establishing network connections
- Java process modifying OS-specific persistence locations (registry run keys, launch agents, cron jobs, systemd units)
- Encrypted outbound network traffic from Java processes using custom HANDSHAKE/HEARTBEAT protocol patterns
False Positive Assessment
Medium — Java-based applications legitimately use JNA libraries, lock files, and encrypted network communications. The combination of these behaviors is more indicative of compromise than any single indicator alone, but defenders should expect some noise from legitimate cross-platform Java applications.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider searching endpoint telemetry for Java processes creating .lock files in temporary directories or loading JNA libraries from embedded JAR archives.
- If your EDR supports it, consider hunting for JAR files containing an embedded config.dat file across endpoints, as this is an unusual indicator specific to QuimaRAT.
- Consider reviewing network logs for outbound encrypted connections from Java processes, particularly those established shortly after process launch, and correlate with endpoint telemetry where possible.
Infrastructure Hardening
- Evaluate whether Java SE 8 runtime environments can be upgraded to newer versions, as QuimaRAT targets Java SE 8 specifically.
- Consider implementing application allowlisting for Java processes where feasible, particularly on servers and endpoints where Java is not required for business operations.
- If your network security tooling supports TLS inspection, consider evaluating whether custom protocol patterns (HANDSHAKE/HEARTBEAT) can be detected within encrypted Java process traffic.
User Protection
- Ensure endpoint protection solutions are deployed across all platforms (Windows, macOS, and Linux), as QuimaRAT is cross-platform.
- Consider enabling enhanced logging on endpoints with Java installed, particularly process creation, file creation in temp directories, and network connection events.
- If applicable, evaluate whether Java runtime installations on user endpoints can be restricted or removed if not required for business applications.
Security Awareness
- Consider incorporating awareness of dark web MaaS threats into existing security training programs, noting that subscription-based RATs lower the barrier to entry for threat actors.
- If your organization has a phishing reporting program, consider reminding users that RAT delivery often begins with social engineering, and encourage prompt reporting of suspicious emails or downloads.
MITRE ATT&CK Mapping
Execution
Persistence
Command and Control
Additional IOCs
- File Paths:
config.dat- Encrypted internal configuration file embedded within the QuimaRAT JAR archive, decrypted at runtime using a repeating-key XOR routine.
- Other:
.lock- Lock file created in the OS temporary directory by QuimaRAT for single-instance verification using Java FileLock functionality.