The commoditization of cybercrime continues to accelerate with the emergence of QuimaRAT, a new Java-based Remote Access Trojan (RAT) available via a Malware-as-a-Service (MaaS) model. As reported by LevelBlue, this threat actor is advertising access for as little as $150/month, significantly lowering the barrier to entry for attackers seeking to establish footholds across diverse operating environments.
What sets QuimaRAT apart is its reliance on the Java Runtime Environment (JRE) to achieve true cross-platform capabilities, targeting Windows, Linux, and macOS simultaneously. For defenders, this represents a shift in the threat landscape: traditional OS-specific indicators of compromise (IOCs) are less effective when the malware core is platform-agnostic. This post provides the technical depth required to hunt QuimaRAT across your enterprise, leveraging behavioral detection rather than static signatures.
Technical Analysis
Platform and Delivery
QuimaRAT is a pure Java application, typically delivered as a compiled JAR file or wrapped in a platform-specific executable (e.g., an .exe on Windows utilizing a wrapper like Launch4j) to camouflage its nature.
- Affected Platforms: Windows, Linux, macOS.
- Attack Vector: Initial access vectors likely follow standard MaaS operations: phishing emails with malicious attachments, drive-by downloads, or bundling with cracked software.
- Execution: The malware requires the Java Runtime Environment (JRE). Upon execution, it spawns a
java.exe(orjavaw.exeon Windows) process which loads the malicious JAR into memory.
Behavior and Capabilities
As a commercial RAT, QuimaRAT includes standard features expected in 2026 MaaS offerings:
- Remote Shell: Allows attackers to execute system commands.
- Data Exfiltration: File system enumeration and upload.
- Persistence: likely achieved through creating platform-specific scheduled tasks or launch agents that invoke the Java binary.
- C2 Communication: While specific C2 domains vary per buyer, the traffic originates from a Java process, bypassing some legacy network controls that whitelist standard browsers but overlook utility binaries.
Exploitation Status
QuimaRAT is currently active and available for purchase. There is no CVE associated with this threat as it is malware functionality rather than a software vulnerability. The risk stems from the lack of patches—defenders cannot "fix" a user running a malicious JAR file; they must detect and block the execution behavior.
Detection & Response
Detecting Java-based malware is notoriously noisy due to the prevalence of development tools and legitimate business applications. To avoid alert fatigue, the following rules focus on the context of execution—specifically, Java processes spawning from user-writable directories or initiating network connections without a legitimate parent process.
SIGMA Rules
---
title: Potential Java Malware Execution from User Directory
id: 85d9b3e1-4a2c-4f3d-9e1a-2b4c5d6e7f8a
status: experimental
description: Detects java.exe or javaw.exe executing a JAR file from a user-writable directory (AppData, Downloads, /tmp), a common TTP for cross-platform RATs like QuimaRAT.
references:
- https://attack.mitre.org/techniques/T1059/005
author: Security Arsenal
date: 2026/07/15
tags:
- attack.execution
- attack.t1059.005
- attack.initial_access
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- '-jar'
filter_paths:
CommandLine|contains:
- 'Program Files'
- 'Program Files (x86)'
- '\AppData\Local\Temp\' # Exclude temp installers if necessary, but monitor closely
suspicious_paths:
CommandLine|contains:
- '\AppData\Roaming\'
- '\AppData\Local\'
- '\Downloads\'
condition: selection and suspicious_paths and not filter_paths
falsepositives:
- Legitimate user-run Java applications stored in user profiles
- Local development testing
level: medium
---
title: Linux/macOS Java Spawning Shell from Suspicious Path
id: 92a1c8d3-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the Java binary on Linux/macOS executing shell commands or spawning processes when the JAR originated from user-writable locations like /tmp or /Downloads.
references:
- https://attack.mitre.org/techniques/T1059/004
author: Security Arsenal
date: 2026/07/15
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection_java:
Image|endswith: '/java'
CommandLine|contains: '-jar'
selection_path:
CommandLine|contains:
- '/tmp/'
- '/home/'
- '/Users/'
selection_action:
ParentCommandLine|contains: '-jar' # Java jar spawned a child process (sh/bash)
condition: selection_java and selection_path and selection_action
falsepositives:
- Developer testing from home directories
level: high
KQL (Microsoft Sentinel)
This query hunts for Windows endpoints where the Java Runtime is executing JAR files from high-risk directories. It correlates process creation with network connections to identify potential C2 activity.
// Hunt for QuimaRAT execution patterns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("java.exe", "javaw.exe")
| where ProcessCommandLine has "-jar"
// Exclude standard program files directories to reduce noise from legitimate installs
| where not(ProcessCommandLine has @"Program Files" or ProcessCommandLine has @"Program Files (x86)")
// Focus on user-writable directories
| where ProcessCommandLine has @"Downloads" or ProcessCommandLine has @"AppData"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")
) on DeviceName, Timestamp
| distinct Timestamp, DeviceName, AccountName, ProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
Velociraptor VQL
This VQL artifact hunts for running Java processes that exhibit characteristics of QuimaRAT, specifically looking for JAR execution arguments.
-- Hunt for suspicious Java process execution
SELECT Pid, Ppid, Name, Exe, Cmdline, Username, Ctime
FROM pslist()
WHERE Name =~ "java"
AND Cmdline =~ "-jar"
AND (Cmdline =~ "AppData" OR Cmdline =~ "Downloads" OR Cmdline =~ "/tmp" OR Cmdline =~ "/Users/")
AND Username != "root"
Remediation Script (PowerShell)
This script scans common user directories for JAR files created or modified within the last 7 days—a typical footprint for QuimaRAT droppers—and lists them for forensic review. It does not automatically delete files to avoid disrupting legitimate business Java apps, but it isolates the artifacts.
<#
.SYNOPSIS
QuimaRAT Artifact Hunter
.DESCRIPTION
Scans user profiles for suspicious JAR files in writable directories.
#>
$DaysToScan = 7
$SuspiciousPaths = @("Downloads", "AppData\Roaming", "AppData\Local", "Desktop")
Write-Host "[+] Scanning for recent JAR files in user profiles..."
Get-ChildItem -Path "C:\Users\" -Recurse -ErrorAction SilentlyContinue -Include "*.jar" |
Where-Object {
$_.LastWriteTime -gt (Get-Date).AddDays(-$DaysToScan) -and
($_.Directory.Name -in $SuspiciousPaths -or $_.FullName -match "AppData")
} |
Select-Object FullName, LastWriteTime, Length, @{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}} |
Format-Table -AutoSize
Write-Host "[!] Review the listed files. Validate signatures and investigate origin."
# Remediation
Since QuimaRAT is malware delivered via user action or social engineering rather than a software vulnerability, "patching" involves behavioral restrictions and user awareness.
-
Application Allowlisting:
- Implement strict AppLocker (Windows) or equivalent policies on Linux/macOS to prevent the execution of JAR files from
%AppData%,%UserProfile%\Downloads, and/tmp. - Only allow signed Java applications to execute, and ensure the signature chain is trusted.
- Implement strict AppLocker (Windows) or equivalent policies on Linux/macOS to prevent the execution of JAR files from
-
Java Configuration Hardening:
- Deploy the
deployment.security.levelsetting toHIGHorVERY_HIGHin the Java deployment properties across the enterprise to prompt users before running unsigned or self-signed applications.
- Deploy the
-
Network Segmentation:
- Restrict internet access for systems that do not require it. For systems requiring Java, limit outbound connectivity from
java.exe/javaw.exeto specific, necessary internal repositories or trusted update servers only.
- Restrict internet access for systems that do not require it. For systems requiring Java, limit outbound connectivity from
-
User Awareness Training:
- Educate users about the risks of downloading "cracked" software or unexpected attachments that result in JAR files. QuimaRAT relies on the user bypassing security warnings to run the code.
-
Endpoint Detection and Response (EDR):
- Tune EDR policies to alert on unsigned Java processes attempting to establish network connections or spawning child processes (like
cmd.exe,powershell.exe, or/bin/sh).
- Tune EDR policies to alert on unsigned Java processes attempting to establish network connections or spawning child processes (like
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.