Back to Intelligence

QuimaRAT Java-Based MaaS: Cross-Platform Detection and Defense

SA
Security Arsenal Team
July 6, 2026
6 min read

The commoditization of cybercrime continues to accelerate with the emergence of QuimaRAT, a new Java-based Remote Access Trojan (RAT) available via a Malware-as-a-Service (MaaS) model. As reported by LevelBlue, this threat actor is advertising access for as little as $150/month, significantly lowering the barrier to entry for attackers seeking to establish footholds across diverse operating environments.

What sets QuimaRAT apart is its reliance on the Java Runtime Environment (JRE) to achieve true cross-platform capabilities, targeting Windows, Linux, and macOS simultaneously. For defenders, this represents a shift in the threat landscape: traditional OS-specific indicators of compromise (IOCs) are less effective when the malware core is platform-agnostic. This post provides the technical depth required to hunt QuimaRAT across your enterprise, leveraging behavioral detection rather than static signatures.

Technical Analysis

Platform and Delivery

QuimaRAT is a pure Java application, typically delivered as a compiled JAR file or wrapped in a platform-specific executable (e.g., an .exe on Windows utilizing a wrapper like Launch4j) to camouflage its nature.

  • Affected Platforms: Windows, Linux, macOS.
  • Attack Vector: Initial access vectors likely follow standard MaaS operations: phishing emails with malicious attachments, drive-by downloads, or bundling with cracked software.
  • Execution: The malware requires the Java Runtime Environment (JRE). Upon execution, it spawns a java.exe (or javaw.exe on Windows) process which loads the malicious JAR into memory.

Behavior and Capabilities

As a commercial RAT, QuimaRAT includes standard features expected in 2026 MaaS offerings:

  • Remote Shell: Allows attackers to execute system commands.
  • Data Exfiltration: File system enumeration and upload.
  • Persistence: likely achieved through creating platform-specific scheduled tasks or launch agents that invoke the Java binary.
  • C2 Communication: While specific C2 domains vary per buyer, the traffic originates from a Java process, bypassing some legacy network controls that whitelist standard browsers but overlook utility binaries.

Exploitation Status

QuimaRAT is currently active and available for purchase. There is no CVE associated with this threat as it is malware functionality rather than a software vulnerability. The risk stems from the lack of patches—defenders cannot "fix" a user running a malicious JAR file; they must detect and block the execution behavior.

Detection & Response

Detecting Java-based malware is notoriously noisy due to the prevalence of development tools and legitimate business applications. To avoid alert fatigue, the following rules focus on the context of execution—specifically, Java processes spawning from user-writable directories or initiating network connections without a legitimate parent process.

SIGMA Rules

YAML
---
title: Potential Java Malware Execution from User Directory
id: 85d9b3e1-4a2c-4f3d-9e1a-2b4c5d6e7f8a
status: experimental
description: Detects java.exe or javaw.exe executing a JAR file from a user-writable directory (AppData, Downloads, /tmp), a common TTP for cross-platform RATs like QuimaRAT.
references:
  - https://attack.mitre.org/techniques/T1059/005
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.execution
  - attack.t1059.005
  - attack.initial_access
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\java.exe'
      - '\javaw.exe'
    CommandLine|contains:
      - '-jar'
  filter_paths:
    CommandLine|contains:
      - 'Program Files'
      - 'Program Files (x86)'
      - '\AppData\Local\Temp\' # Exclude temp installers if necessary, but monitor closely
  suspicious_paths:
    CommandLine|contains:
      - '\AppData\Roaming\'
      - '\AppData\Local\'
      - '\Downloads\'
  condition: selection and suspicious_paths and not filter_paths
falsepositives:
  - Legitimate user-run Java applications stored in user profiles
  - Local development testing
level: medium
---
title: Linux/macOS Java Spawning Shell from Suspicious Path
id: 92a1c8d3-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the Java binary on Linux/macOS executing shell commands or spawning processes when the JAR originated from user-writable locations like /tmp or /Downloads.
references:
  - https://attack.mitre.org/techniques/T1059/004
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_java:
    Image|endswith: '/java'
    CommandLine|contains: '-jar'
  selection_path:
    CommandLine|contains:
      - '/tmp/'
      - '/home/'
      - '/Users/'
  selection_action:
    ParentCommandLine|contains: '-jar' # Java jar spawned a child process (sh/bash)
  condition: selection_java and selection_path and selection_action
falsepositives:
  - Developer testing from home directories
level: high

KQL (Microsoft Sentinel)

This query hunts for Windows endpoints where the Java Runtime is executing JAR files from high-risk directories. It correlates process creation with network connections to identify potential C2 activity.

KQL — Microsoft Sentinel / Defender
// Hunt for QuimaRAT execution patterns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("java.exe", "javaw.exe")
| where ProcessCommandLine has "-jar"
// Exclude standard program files directories to reduce noise from legitimate installs
| where not(ProcessCommandLine has @"Program Files" or ProcessCommandLine has @"Program Files (x86)")
// Focus on user-writable directories
| where ProcessCommandLine has @"Downloads" or ProcessCommandLine has @"AppData"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")
) on DeviceName, Timestamp
| distinct Timestamp, DeviceName, AccountName, ProcessCommandLine, RemoteUrl, RemoteIP, RemotePort

Velociraptor VQL

This VQL artifact hunts for running Java processes that exhibit characteristics of QuimaRAT, specifically looking for JAR execution arguments.

VQL — Velociraptor
-- Hunt for suspicious Java process execution
SELECT Pid, Ppid, Name, Exe, Cmdline, Username, Ctime
FROM pslist()
WHERE Name =~ "java"
  AND Cmdline =~ "-jar"
  AND (Cmdline =~ "AppData" OR Cmdline =~ "Downloads" OR Cmdline =~ "/tmp" OR Cmdline =~ "/Users/")
  AND Username != "root"

Remediation Script (PowerShell)

This script scans common user directories for JAR files created or modified within the last 7 days—a typical footprint for QuimaRAT droppers—and lists them for forensic review. It does not automatically delete files to avoid disrupting legitimate business Java apps, but it isolates the artifacts.

PowerShell
<#
.SYNOPSIS
    QuimaRAT Artifact Hunter
.DESCRIPTION
    Scans user profiles for suspicious JAR files in writable directories.
#>

$DaysToScan = 7
$SuspiciousPaths = @("Downloads", "AppData\Roaming", "AppData\Local", "Desktop")

Write-Host "[+] Scanning for recent JAR files in user profiles..."

Get-ChildItem -Path "C:\Users\" -Recurse -ErrorAction SilentlyContinue -Include "*.jar" | 
Where-Object { 
    $_.LastWriteTime -gt (Get-Date).AddDays(-$DaysToScan) -and 
    ($_.Directory.Name -in $SuspiciousPaths -or $_.FullName -match "AppData") 
} | 
Select-Object FullName, LastWriteTime, Length, @{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}} | 
Format-Table -AutoSize

Write-Host "[!] Review the listed files. Validate signatures and investigate origin."


# Remediation

Since QuimaRAT is malware delivered via user action or social engineering rather than a software vulnerability, "patching" involves behavioral restrictions and user awareness.

  1. Application Allowlisting:

    • Implement strict AppLocker (Windows) or equivalent policies on Linux/macOS to prevent the execution of JAR files from %AppData%, %UserProfile%\Downloads, and /tmp.
    • Only allow signed Java applications to execute, and ensure the signature chain is trusted.
  2. Java Configuration Hardening:

    • Deploy the deployment.security.level setting to HIGH or VERY_HIGH in the Java deployment properties across the enterprise to prompt users before running unsigned or self-signed applications.
  3. Network Segmentation:

    • Restrict internet access for systems that do not require it. For systems requiring Java, limit outbound connectivity from java.exe/javaw.exe to specific, necessary internal repositories or trusted update servers only.
  4. User Awareness Training:

    • Educate users about the risks of downloading "cracked" software or unexpected attachments that result in JAR files. QuimaRAT relies on the user bypassing security warnings to run the code.
  5. Endpoint Detection and Response (EDR):

    • Tune EDR policies to alert on unsigned Java processes attempting to establish network connections or spawning child processes (like cmd.exe, powershell.exe, or /bin/sh).

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionquimaratjava-malwaremaascross-platform-threatrat-detection

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.