Back to Intelligence

QuimaRAT and BusySnake: Detection and Hardening for Cross-Platform RATs and Stealers

SA
Security Arsenal Team
July 12, 2026
6 min read

Introduction

The latest Security Affairs Malicious Software Newsletter (Round 105) highlights a disturbing evolution in threat actor capabilities, specifically the emergence of QuimaRAT, a novel Java-based Remote Access Trojan (RAT), and the BusySnake stealer campaign linked to the "Armored Likho" operation.

For defenders, the QuimaRAT development is particularly alarming. By leveraging the Java Runtime Environment (JRE), threat actors have achieved true "write-once, run-anywhere" malware that targets Windows, macOS, and Linux simultaneously. This effectively bypasses many OS-specific security controls that rely on binary signatures or API hooking. Concurrently, the Avalon group's pivot toward "Vibe Coded Extortion" using CrownX ransomware capabilities and the BusySnake stealer indicates a aggressive shift toward credential harvesting and double-extortion tactics.

This post provides actionable intelligence to detect these cross-platform threats and harden your environment against Java-based payloads and modern stealers.

Technical Analysis

QuimaRAT: The Cross-Platform Threat

QuimaRAT represents a significant shift in malware development. Unlike traditional RATs compiled for specific operating systems, QuimaRAT is written in Java.

  • Affected Platforms: Windows, macOS, Linux.
  • Vector: Typically delivered via phishing emails or malicious downloads (JAR files).
  • Mechanism: The malware executes within the JRE. It establishes a Command & Control (C2) channel and can execute shell commands, upload/download files, and perform system reconnaissance regardless of the underlying OS.
  • Evasion: Java binaries often appear as legitimate development tools or utilities, allowing them to bypass basic application whitelisting that focuses on .exe or .dll files. Furthermore, the JRE process (java.exe or javaw.exe) spawning child shells is a key TTP to monitor.

BusySnake & Avalon: Credential Theft and Ransomware

The BusySnake campaign, associated with the "Armored Likho" threat actor, focuses on information stealing. The newsletter notes its connection to Avalon's evolution into CrownX ransomware capabilities.

  • Functionality: BusySnake acts as a stealer, targeting browser credentials, cryptocurrency wallets, and session tokens.
  • Execution: These campaigns often utilize "legal lures"—malicious documents posing as legal notices or invoices—to trick users into enabling macros or executing scripts.
  • Impact: Successful deployment leads to immediate credential compromise (facilitating lateral movement) and potential ransomware deployment via CrownX.

Detection & Response

Given the cross-platform nature of QuimaRAT and the stealthy behavior of BusySnake, detection requires a focus on process lineage and file anomalies rather than static signatures alone.

SIGMA Rules

YAML
---
title: QuimaRAT Java Spawning Shell
id: 8a2f3c11-9b4d-4e5f-a1b2-3c4d5e6f7a8b
status: experimental
description: Detects Java Runtime (java.exe, javaw.exe) spawning cmd.exe, powershell.exe, or bash. This is a high-fidelity indicator of Java-based malware like QuimaRAT attempting to execute system commands.
references:
  - https://securityaffairs.com/195187/breaking-news/security-affairs-malware-newsletter-round-105.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.004
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\java.exe'
      - '\javaw.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate Java developers running build scripts or IDE tools
level: high
---
title: Suspicious JAR Execution in User Directory
description: Detects execution of JAR files from user profile directories (Downloads, AppData, Desktop). Malware like QuimaRAT is often delivered as a standalone JAR file in these locations.
id: b3c4d5e6-7f8a-9b0c-1d2e-3f4a5b6c7d8e
status: experimental
references:
  - https://securityaffairs.com/195187/breaking-news/security-affairs-malware-newsletter-round-105.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1193
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\java.exe'
      - '\javaw.exe'
    CommandLine|contains: '.jar'
    CurrentDirectory|contains:
      - 'Downloads'
      - 'AppData\\Local'
      - 'AppData\\Roaming'
      - 'Desktop'
  condition: selection
falsepositives:
  - Users manually running portable Java applications
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for instances of the Java Runtime spawning command-line interfaces, a core behavior of QuimaRAT.

KQL — Microsoft Sentinel / Defender
// Hunt for Java-based RATs (QuimaRAT) spawning shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for JAR files located in suspicious user directories, often the initial payload for QuimaRAT.

VQL — Velociraptor
-- Hunt for QuimaRAT payloads: JAR files in user directories
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="/**/*")
WHERE FullName =~ '\.jar$'
  AND (FullPath =~ 'Downloads/' OR FullPath =~ 'AppData/Local/' OR FullPath =~ 'Desktop/' OR FullPath =~ 'AppData/Roaming/')
  AND NOT FullPath =~ '\\Windows\\'

Remediation Script (PowerShell)

Use this script to audit endpoints for the presence of suspicious JAR files in common user directories associated with QuimaRAT delivery.

PowerShell
<#
.SYNOPSIS
    Audit for suspicious JAR files (QuimaRAT Indicator).
.DESCRIPTION
    Scans user profiles for JAR files in Downloads, Desktop, and AppData.
#>

$SuspiciousPaths = @("Downloads", "Desktop", "AppData\Local", "AppData\Roaming")
$FoundThreats = @()

Get-ChildItem -Path "C:\Users" -Directory | ForEach-Object {
    $UserPath = $_.FullName
    foreach ($SubPath in $SuspiciousPaths) {
        $TargetPath = Join-Path -Path $UserPath -ChildPath $SubPath
        if (Test-Path $TargetPath) {
            $Jars = Get-ChildItem -Path $TargetPath -Filter "*.jar" -File -ErrorAction SilentlyContinue
            if ($Jars) {
                foreach ($Jar in $Jars) {
                    $Details = [PSCustomObject]@{
                        User = $_.Name
                        Path = $Jar.FullName
                        Size = $Jar.Length
                        Modified = $Jar.LastWriteTime
                    }
                    $FoundThreats += $Details
                }
            }
        }
    }
}

if ($FoundThreats.Count -gt 0) {
    Write-Host "[!] Potential QuimaRAT payloads found:" -ForegroundColor Red
    $FoundThreats | Format-Table -AutoSize
} else {
    Write-Host "[+] No suspicious JAR files found in user directories." -ForegroundColor Green
}

Remediation

To effectively defend against QuimaRAT and BusySnake:

  1. Application Allowlisting: Implement strict allowlisting policies (e.g., AppLocker or Windows Defender Application Control) that block the execution of java.exe from user-writable directories (Downloads, Documents, Temp). Java should only run from approved program directories (e.g., C:\Program Files\Java\).

  2. JRE Hygiene: Ensure all systems are running the latest version of the Java Runtime Environment. Remove unnecessary JRE installations to reduce the attack surface. If Java is not required for business operations, uninstall it entirely.

  3. Email Filtering: Configure Secure Email Gateways (SEG) to block or sandbox attachments with .jar extensions. BusySnake and QuimaRAT often rely on social engineering via email.

  4. Browser Restrictions: To mitigate BusySnake and other stealers, enforce Enterprise Mode browser policies and disable password saving in browsers on managed endpoints to reduce the availability of credential files for theft.

  5. Network Segmentation: Monitor and restrict outbound traffic from endpoints to unknown IPs, specifically on non-standard ports often used for C2 by RATs like QuimaRAT.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchquimaratbusysnakejava-malwarestealeravalon

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.