Introduction
The latest Security Affairs Malicious Software Newsletter (Round 105) highlights a disturbing evolution in threat actor capabilities, specifically the emergence of QuimaRAT, a novel Java-based Remote Access Trojan (RAT), and the BusySnake stealer campaign linked to the "Armored Likho" operation.
For defenders, the QuimaRAT development is particularly alarming. By leveraging the Java Runtime Environment (JRE), threat actors have achieved true "write-once, run-anywhere" malware that targets Windows, macOS, and Linux simultaneously. This effectively bypasses many OS-specific security controls that rely on binary signatures or API hooking. Concurrently, the Avalon group's pivot toward "Vibe Coded Extortion" using CrownX ransomware capabilities and the BusySnake stealer indicates a aggressive shift toward credential harvesting and double-extortion tactics.
This post provides actionable intelligence to detect these cross-platform threats and harden your environment against Java-based payloads and modern stealers.
Technical Analysis
QuimaRAT: The Cross-Platform Threat
QuimaRAT represents a significant shift in malware development. Unlike traditional RATs compiled for specific operating systems, QuimaRAT is written in Java.
- Affected Platforms: Windows, macOS, Linux.
- Vector: Typically delivered via phishing emails or malicious downloads (JAR files).
- Mechanism: The malware executes within the JRE. It establishes a Command & Control (C2) channel and can execute shell commands, upload/download files, and perform system reconnaissance regardless of the underlying OS.
- Evasion: Java binaries often appear as legitimate development tools or utilities, allowing them to bypass basic application whitelisting that focuses on
.exeor.dllfiles. Furthermore, the JRE process (java.exeorjavaw.exe) spawning child shells is a key TTP to monitor.
BusySnake & Avalon: Credential Theft and Ransomware
The BusySnake campaign, associated with the "Armored Likho" threat actor, focuses on information stealing. The newsletter notes its connection to Avalon's evolution into CrownX ransomware capabilities.
- Functionality: BusySnake acts as a stealer, targeting browser credentials, cryptocurrency wallets, and session tokens.
- Execution: These campaigns often utilize "legal lures"—malicious documents posing as legal notices or invoices—to trick users into enabling macros or executing scripts.
- Impact: Successful deployment leads to immediate credential compromise (facilitating lateral movement) and potential ransomware deployment via CrownX.
Detection & Response
Given the cross-platform nature of QuimaRAT and the stealthy behavior of BusySnake, detection requires a focus on process lineage and file anomalies rather than static signatures alone.
SIGMA Rules
---
title: QuimaRAT Java Spawning Shell
id: 8a2f3c11-9b4d-4e5f-a1b2-3c4d5e6f7a8b
status: experimental
description: Detects Java Runtime (java.exe, javaw.exe) spawning cmd.exe, powershell.exe, or bash. This is a high-fidelity indicator of Java-based malware like QuimaRAT attempting to execute system commands.
references:
- https://securityaffairs.com/195187/breaking-news/security-affairs-malware-newsletter-round-105.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.003
- attack.t1059.004
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Legitimate Java developers running build scripts or IDE tools
level: high
---
title: Suspicious JAR Execution in User Directory
description: Detects execution of JAR files from user profile directories (Downloads, AppData, Desktop). Malware like QuimaRAT is often delivered as a standalone JAR file in these locations.
id: b3c4d5e6-7f8a-9b0c-1d2e-3f4a5b6c7d8e
status: experimental
references:
- https://securityaffairs.com/195187/breaking-news/security-affairs-malware-newsletter-round-105.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1193
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains: '.jar'
CurrentDirectory|contains:
- 'Downloads'
- 'AppData\\Local'
- 'AppData\\Roaming'
- 'Desktop'
condition: selection
falsepositives:
- Users manually running portable Java applications
level: medium
KQL (Microsoft Sentinel / Defender)
This query hunts for instances of the Java Runtime spawning command-line interfaces, a core behavior of QuimaRAT.
// Hunt for Java-based RATs (QuimaRAT) spawning shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc
Velociraptor VQL
This VQL artifact hunts for JAR files located in suspicious user directories, often the initial payload for QuimaRAT.
-- Hunt for QuimaRAT payloads: JAR files in user directories
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="/**/*")
WHERE FullName =~ '\.jar$'
AND (FullPath =~ 'Downloads/' OR FullPath =~ 'AppData/Local/' OR FullPath =~ 'Desktop/' OR FullPath =~ 'AppData/Roaming/')
AND NOT FullPath =~ '\\Windows\\'
Remediation Script (PowerShell)
Use this script to audit endpoints for the presence of suspicious JAR files in common user directories associated with QuimaRAT delivery.
<#
.SYNOPSIS
Audit for suspicious JAR files (QuimaRAT Indicator).
.DESCRIPTION
Scans user profiles for JAR files in Downloads, Desktop, and AppData.
#>
$SuspiciousPaths = @("Downloads", "Desktop", "AppData\Local", "AppData\Roaming")
$FoundThreats = @()
Get-ChildItem -Path "C:\Users" -Directory | ForEach-Object {
$UserPath = $_.FullName
foreach ($SubPath in $SuspiciousPaths) {
$TargetPath = Join-Path -Path $UserPath -ChildPath $SubPath
if (Test-Path $TargetPath) {
$Jars = Get-ChildItem -Path $TargetPath -Filter "*.jar" -File -ErrorAction SilentlyContinue
if ($Jars) {
foreach ($Jar in $Jars) {
$Details = [PSCustomObject]@{
User = $_.Name
Path = $Jar.FullName
Size = $Jar.Length
Modified = $Jar.LastWriteTime
}
$FoundThreats += $Details
}
}
}
}
}
if ($FoundThreats.Count -gt 0) {
Write-Host "[!] Potential QuimaRAT payloads found:" -ForegroundColor Red
$FoundThreats | Format-Table -AutoSize
} else {
Write-Host "[+] No suspicious JAR files found in user directories." -ForegroundColor Green
}
Remediation
To effectively defend against QuimaRAT and BusySnake:
-
Application Allowlisting: Implement strict allowlisting policies (e.g., AppLocker or Windows Defender Application Control) that block the execution of
java.exefrom user-writable directories (Downloads, Documents, Temp). Java should only run from approved program directories (e.g.,C:\Program Files\Java\). -
JRE Hygiene: Ensure all systems are running the latest version of the Java Runtime Environment. Remove unnecessary JRE installations to reduce the attack surface. If Java is not required for business operations, uninstall it entirely.
-
Email Filtering: Configure Secure Email Gateways (SEG) to block or sandbox attachments with
.jarextensions. BusySnake and QuimaRAT often rely on social engineering via email. -
Browser Restrictions: To mitigate BusySnake and other stealers, enforce Enterprise Mode browser policies and disable password saving in browsers on managed endpoints to reduce the availability of credential files for theft.
-
Network Segmentation: Monitor and restrict outbound traffic from endpoints to unknown IPs, specifically on non-standard ports often used for C2 by RATs like QuimaRAT.
Related Resources
Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.