Novel Java-based trojan QuimaRAT is targeting Macs: Header image
Emerging Threats 7 min read

Novel Java-based trojan QuimaRAT is targeting Macs

Published:Jul 17, 2026

A new malware capable of breaching and remotely controlling Mac computers has surfaced on the dark web. The malware, which sells at a price starting at just $150 a month, can be used as spyware and surveillance or as a stealer. It can manipulate and steal your files, access your camera and microphone, steal your passwords and data, and steal your crypto.

Let’s dive in to understand why you should care and what you can do to keep safe. 

Meet Quima: All-in-one Mac malware that sells for cheap on the dark web

Quima is a modern remote access trojan (RAT) with sophisticated capabilities. Analyzed by Level Blue in a recent report, this malware can breach devices and operate on Mac, Windows, and Linux computers. 

article snippet with Moonlock logo

Protect your Mac from QuimaRAT and other malware

Moonlock monitors your Mac 24/7 to spot and block any malware, including trojans like QuimaRAT. And if you notice odd symptoms, you can run a deep malware scan to see what’s causing them.
try 7 days free

The malware is being advertised online on dark web forums as a malware-as-a-service product. The developer behind this malware is also advertising it on GitHub.

On GitHub, the developer added a disclosure note claiming Quima is for “authorized security professionals, penetration testers, and system administrators” and that the project is provided for educational and authorized use only. However, dark web advertising targets a different type of customer. 

Screenshot of a QuimaRAT ad on the dark web, shared by Level Blue.
This QuimaRAT ad was spread on the dark web, as shared in the Level Blue report. Image: Screenshot, Moonlock.

Why should you care about Quima?

The starting price of QuimaRAT, just $150 for 1 month with all modules operational, is extremely low.

Mac stealers like MacSync, for example, sell for $1,500 per month, while other stealers, like AMOS, have higher price tags of $3,000. Quima’s low price is, therefore, a matter of concern because this malware can do a lot more than what a typical Mac stealer can do, for a lower price. 

On the plus side for Mac users, operating Quima does appear to require more technical knowledge, so while the malware could become widely available among cybercriminal groups, mastering its use could prove a bit tricky. 

Beyond the technical skills that this type of advanced RAT malware requires, Quima’s features are vast. It can access your web cams, search, manipulate, and extract your files, and grab data from your clipboard. The operator using Quima can even display messages on the computers it has breached, placing the message right on top of all the windows a user might have open—a scary function. 

Additionally, Quima can open your browser, steal your passwords and credentials, and harvest browser data. Plus, it has crypto theft capabilities. It can also erase itself, evade detection, and set up shop on your Mac (establish persistency). 

Quima does all this through a sophisticated C2 backdoor communication channel. The channel is encrypted and resilient, coded to check its status and remain operational. Quima can also sniff out networks. 

Dark web ads for Quima highlight the malware as having 70 modules, offering AES-256 encryption and being FUD (fully undetectable).  

Beyond the $150 price tag for a 1-month subscription, QuimaRAT prices are $300 for 3 months, $500 for 6 months, $700 for 12 months, and $1,200 for lifetime access.

A screenshot of a dark web pricing ad for Quima.
The pricing for Quima, as advertised on the dark web and shared in the Level Blue report. Image: Screenshot, Moonlock.

Quima is also under development. Level Blue notes that they observed 23 implemented commands and 212 protocol-only commands. This “indicates that the actor can likely expand functionality through runtime modules, uploaded binaries, or fileless payloads,” Level Blue said. 

Operators using Quima can also download additional payloads on a breached Mac and execute them, as well as install plugins. Basically, Quima, unlike legacy RAT malware, is a one-stop-shop malware that can “do it all.” How efficient it is in action is yet to be documented.   

In a nutshell: Here’s what Quima can do

Quima’s capabilities, as listed on the dark web, include:

  • Surveillance: It captures keystrokes and saves, takes screenshots at set intervals, accesses webcams and microphones, allows the viewing of the user’s webcam, enables reverse microphone functions (listen and record), and monitors which applications are actively used.
  • Recovery: It recovers deleted files from the system, retrieves saved passwords from browsers, and retrieves system information like OS, software version, etc. 
  • System: It allows management of active processes.
  • Network: It monitors network traffic for sensitive data and scans open ports on the machine. 
  • Offensive: It remotely executes commands, including shell commands. 
  • Evasion: It comes with anti-virtual machine and sandbox detection. Its code is obfuscated to challenge analysis and detection.
  • Platform support: It works on Windows, macOS, and Linux.
Screenshot of Quima advertised on GitHub.
Quima is advertising on GitHub. No code repository is shown. Image: Screenshot, Moonlock.

Vanishing without a trace

On macOS, in order to vanish from Mac computers it has breached, Quima unloads and removes the LaunchAgent:

• launchctl unload -w ~/Library/LaunchAgents/com.igmcyuewny.plist

It also deletes the installed RAT file from:

• ~/.local/share/LHQhVxufHZ/rLxqbosgrfBv.txt

If that fails, the malware logs “[CoreActions] persistence uninstall failed: <ERROR>.”

“After the removal routine is completed, the RAT closes the active C2 communication channel and terminates its process using System.exit(0),” Level Blue’s analysis reads. 

The malware can also execute other malware payloads using a built-in DOWNLOAD_EXECUTE command. 

Besides these capabilities, the full technical report on Level Blue describes several others. This means the ones mentioned in this report are far from being the full picture of what QuimaRAT can do. 

It is unclear why the developer named this malware “Quima.” It could simply be for dark web branding reasons, or perhaps it’s a reference to Quimera—a mythical creature, often shown as a hybrid of different animals, such as a lion with a goat’s head and a serpent’s tail. Given what this malware can do, this term appears appropriate.  

So, what can you do about modern Mac RAT malware like Quima?

Quima’s features are impressive and include functions to launch all types of cyberattacks. Despite this advanced sophistication, the same general rules of cybersecurity that keep you safe from any other type of malware apply: Level up your tech stack and build your cybersecurity awareness. 

If your Mac is acting up, scan it for malware

Modern RATs can cause your computer to act up. Red flags to watch out for include slow internet connectivity, glitches, strange or unknown files, security system warnings, and other things that break away from how your Mac “normally” behaves on a daily basis. If your Mac is acting up, scan it for malware using a respected and trusted Mac antivirus. 

Get Moonlock. It will flag and shut down threats trying to breach your Mac before they can do harm.

The Moonlock antivirus for Mac was developed to offer you layers of protection that help keep your Mac safe. Through the Malware Scanner and Real-Time Protection tools, Moonlock will keep your Mac clear of malware. The app’s malware database is constantly updated to keep up with new threats and new, emerging malware.

Screenshot of the the Moonlock app user interface.
The Moonlock app. Image: Screenshot, Moonlock.

To build even more layers of security, Moonlock ships with a built-in Scam Detector that will flag phishing in any email or text message and a VPN. The Moonlock app can also scan your Mac’s security settings and guide you on how to turn those up and, through the Security Advisor, offer tips to build safe digital habits at your own pace.

You can check out and test-drive Moonlock for free for 7 days.

Watch out for lures and social engineering

Malware like Quima still needs an access route to breach your computer. This means that threat actors need to trick you in some way to install it. Watch out for phishing emails, texts, online ads, fake sites, shady downloads, or sketchy apps. 

Keep your secrets and crypto safe, and keep your browser’s digital surface to a minimum

Storing your most sensitive data in locked folders, keeping your crypto wallet off your Mac and on a separate device protected with biometrics, and storing only the essential data you need on your browser will not prevent a hack, but it will minimize the damage if one occurs. 

Final thoughts

It’s not every day that malware like Quima emerges on the dark web. With a low price tag, this RAT is undoubtedly already in the hands of several cybercriminal groups. While operating a RAT like Quima may require more advanced skills than running a more user-friendly Mac stealer, the threat is still out there.

Fortunately, there are still many things you can do to stay safe. Follow the tips in this report and continue learning about how your tech works to live a calmer and safer digital experience.  

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac and macOS are trademarks of Apple Inc.

MoonLock Banner
Ray Fernandez

Ray Fernandez

Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.