LabubaRAT Malware Impersonates NVIDIA to Hijack Windows Systems
Key Takeaways A novel Rust-based remote access trojan (RAT) named LabubaRAT is actively targeting Windows systems. The malware disguises itself as legitimate NVIDIA Container Runtime Monitor...
Key Takeaways
- A novel Rust-based remote access trojan (RAT) named LabubaRAT is actively targeting Windows systems.
- The malware disguises itself as legitimate NVIDIA Container Runtime Monitor software, using fake metadata and file names.
- LabubaRAT provides attackers with extensive control over compromised machines, including command execution, file manipulation, and screenshot capabilities.
- Its modular design and configurable parameters suggest a potential Malware-as-a-Service (MaaS) offering.
New Rust-Based RAT, LabubaRAT, Leverages NVIDIA Masquerade for Windows Infiltration
A previously unobserved remote access tool (RAT), dubbed LabubaRAT, is actively exploiting Windows environments by impersonating NVIDIA software. This Rust-based implant grants attackers comprehensive control over compromised hosts, effectively blending into system operations through deceptive vendor metadata and runtime artifacts.
Table Of Content
Security researchers at Blackpoint Cyber’s Adversary Pursuit Group (APG) uncovered the sophisticated malware, which is distributed as nvidia-sysruntime.exe. Its design enables operators to maintain persistent, hands-on control over infected machines.
Deceptive Tactics and Technical Deep Dive
The 64-bit executable, despite being unsigned, presents itself as NVIDIA’s Container Runtime Monitor. It incorporates spoofed version details that reference NVIDIA Corporation and the NVIDIA Container Toolkit. This masquerade is further reinforced by the creation of a single-instance mutex, LocalNVIDIAContainerMonitor_SingleInstance, and a local SQLite database, nvctr_sys.db, used for storing enrollment data and managing runtime states.
However, forensic analysis reveals the malware’s true nature. Compile artifacts, including a PE timestamp dated June 17, 2026, and Rust build paths containing a “funt” user reference, contradict its supposed origin as legitimate NVIDIA software, exposing it as a malicious remote access framework.
For more in-depth forensic data, tactical indicators of compromise, and detailed infrastructure maps, LabubaRAT: A Rust-Based Remote Access Tool Masquerading as NVIDIA Software, Blackpoint Cyber said in its technical write-up.
Modular Design and C2 Infrastructure
Unlike many malware variants that rely on hardcoded command-and-control (C2) infrastructure, LabubaRAT exhibits a flexible configuration mechanism. It accepts runtime parameters via command-line arguments or environment variables prefixed with ZM_, allowing operators to define organizational targets, groups, C2 servers, and API keys at launch. A Base64-encoded –b parameter bundles these values, with APG observing a deployment using the organization “luxespa,” group “rabbit,” and C2 server pipicka[.]xyz.
This adaptable design suggests that a single compiled binary can support multiple campaigns or clients, indicative of a Malware-as-a-Service (MaaS) model. Embedded help text further supports this theory, featuring example group names such as “sauna” and “vip-chair.” This approach, characterized by multiple evasion profiles and flexible parameters, mirrors how contemporary threat actors leverage compromised software to rapidly establish footholds within corporate networks.
LabubaRAT employs three distinct communication methods to ensure resilient access to its C2 infrastructure: standard HTTPS polling using Rust libraries like reqwest and tokio, WebView2-based communication that emulates browser traffic via embedded JavaScript, and DNS tunneling with Base32-encoded payload chunking. This redundancy provides operators with persistent access even if one channel is detected or blocked.
Upon successful enrollment, the implant conducts host profiling, gathering details on hardware specifications, installed browsers, antivirus products, and domain information, then awaits operator commands. Supported functionalities include arbitrary shell and PowerShell execution, JavaScript execution via Windows Script Host, screenshot capture using GDI APIs, file upload/download, archive manipulation, and SOCKS5 proxy relaying. Persistence at the user level is achieved through an HKCU Run key, configurable via –install and –uninstall flags. These robust execution capabilities enable operators to quickly enumerate high-value networks through malicious automation scripts.
The malware’s name originates from its C2 panel, which prominently displays a “LabubaPanel” title and a Labubu-themed favicon. By analyzing this panel structure, APG identified three additional C2 IP addresses hosted on German infrastructure, all becoming active since early June 2026, aligning with the sample’s compile date and suggesting a coordinated rollout.
What You Should Do
- Actively hunt for unsigned binaries that claim to be NVIDIA software on your Windows systems.
- Scrutinize Base64-encoded command-line arguments associated with autorun entries, as these are often used by LabubaRAT.
- Search for the presence of
nvctr_sys.dbartifacts, which indicate LabubaRAT’s local storage. - Monitor outbound network traffic for browser-spoofed User-Agents combined with bearer authentication, WebView2 requests, or high-entropy DNS queries, which can signal LabubaRAT activity.
- Implement robust endpoint detection and response (EDR) solutions to identify and block suspicious processes and network connections.
- Regularly update operating systems, applications, and security software to patch known vulnerabilities.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.