VYPR
researchPublished Jul 14, 2026· 1 source

LabubaRAT Malware Poses as NVIDIA Software to Compromise Windows Systems

A new Rust-based remote access trojan, LabubaRAT, is being distributed by threat actors who disguise it as NVIDIA software to evade detection and gain persistent access to Windows hosts.

A sophisticated new remote access trojan (RAT) written in Rust, identified as LabubaRAT, has emerged, employing a deceptive tactic by masquerading as legitimate NVIDIA software. This allows the malware to blend seamlessly into target environments, making it harder for security solutions to detect its presence.

Researchers from Blackpoint Cyber have detailed LabubaRAT's capabilities, noting that it establishes a persistent foothold on compromised Windows systems. Once deployed, the RAT is capable of profiling the host, identifying installed security tools, receiving commands from its operators, exfiltrating files, capturing screenshots, and even proxying network traffic through the infected machine. This comprehensive functionality makes it a versatile tool for hands-on post-exploitation activities.

The malware's command-and-control (C2) infrastructure is branded with "LabubaPanel" and features a Labubu-themed favicon, providing the clearest external naming clue. However, the underlying technical architecture is more significant: a framework-like RAT built in Rust, designed for flexible configuration, enrollment, and operation across multiple campaigns.

Attackers initiate the infection chain with an executable named "nvidia-sysruntime.exe," which mimics NVIDIA's container runtime toolkit. Crucially, LabubaRAT does not hard-code its C2 server details. Instead, it accepts configuration parameters, such as the server address (e.g., "pipicka[.]xyz") and the polling interval, via command-line arguments. This design choice allows a single compiled binary to be reused across different infrastructure setups, organizations, or campaign groupings without recompilation.

These configuration parameters are stored locally in an SQLite database. Following this, LabubaRAT performs extensive discovery operations. It inventories installed web browsers and security products, specifically checking for popular solutions like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Microsoft Defender, CrowdStrike, SentinelOne, and many others. It also gathers system information such as the hostname, RAM size, CPU model, and the status of User Account Control (UAC) to tailor its subsequent actions based on the system's security posture.

LabubaRAT's functional repertoire is extensive, supporting a wide array of malicious operations. These include arbitrary command execution, PowerShell and JavaScript execution, screenshot capture, file upload and download capabilities, archive handling, and SOCKS5 proxy support. This broad set of features empowers attackers to interact deeply with the compromised host, manage files, route traffic, and maintain access without needing separate tools for each task.

Furthermore, LabubaRAT supports multiple communication channels, including HTTPS, WebView2, and DNS tunneling. This redundancy in communication methods enhances its resilience, allowing attackers to maintain access even if one communication pathway is detected and blocked. Evidence suggests that LabubaRAT may be offered as a Malware-as-a-Service (MaaS), indicating its availability to a wider range of threat actors.

The combination of runtime configuration, local state management, host profiling, diverse communication paths, and operator tasking makes LabubaRAT a potent and adaptable remote access tool. Its framework-like structure and Rust-based development point to a modern, modular approach to malware design, enabling operators to efficiently enroll hosts, understand their environments, and execute a wide range of commands and actions.

Synthesized by Vypr AI