LevelBlue researchers uncovered QuimaRAT, a Java-based remote access trojan distributed as malware-as-a-service. The threat runs across Windows, Linux, and macOS, expanding attack surface for operators targeting mixed IT environments.

QuimaRAT operates under a tiered subscription model. One-month access costs $150, three-month plans run $300, and lifetime licenses reach $1,200. This pricing structure lowers barriers for threat actors without development resources, democratizing RAT deployment across skill levels.

The malware's Java foundation provides inherent cross-platform capability. Java bytecode executes on any system with a compatible runtime, allowing operators to deploy identical payloads across heterogeneous networks. This approach simplifies campaign management and reduces development overhead compared to maintaining separate native binaries.

The MaaS distribution channel indicates organized criminal infrastructure. Rather than selling the tool outright, operators maintain control through subscription licensing. This model generates recurring revenue, ensures customer retention, and allows operators to push updates and new capabilities to active subscribers. It mirrors legitimate software distribution but weaponizes the approach for malicious purposes.

Organizations face layered risk from QuimaRAT deployment. Linux servers prove particularly attractive targets given their prevalence in cloud and on-premises infrastructure. macOS systems running in creative and development sectors represent secondary targets. Windows remains the largest installed base. RAT functionality typically includes file exfiltration, command execution, screen capture, and lateral movement facilitation.

Detection presents challenges. Java-based malware often evades signature-based detection due to runtime compilation and obfuscation techniques. Network indicators may blend into legitimate Java application traffic. Behavioral monitoring becomes essential for identification.

Mitigation requires multi-layered defense. Organizations should restrict Java application execution on endpoints, implement network segmentation isolating critical systems, monitor outbound connections from Java processes, and