Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
US Charges Two Bulletproof Hosting Firms for Aiding Cybercrime
July 15, 2026
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
Home/CyberSecurity News/LabubaRAT Malware Impersonates NVIDIA to Hijack Windows Systems
CyberSecurity News

LabubaRAT Malware Impersonates NVIDIA to Hijack Windows Systems

Key Takeaways A novel Rust-based remote access trojan (RAT) named LabubaRAT is actively targeting Windows systems. The malware disguises itself as legitimate NVIDIA Container Runtime Monitor...

David kimber
David kimber
July 15, 2026 3 Min Read
4 0

Key Takeaways

  • A novel Rust-based remote access trojan (RAT) named LabubaRAT is actively targeting Windows systems.
  • The malware disguises itself as legitimate NVIDIA Container Runtime Monitor software, using fake metadata and file names.
  • LabubaRAT provides attackers with extensive control over compromised machines, including command execution, file manipulation, and screenshot capabilities.
  • Its modular design and configurable parameters suggest a potential Malware-as-a-Service (MaaS) offering.

New Rust-Based RAT, LabubaRAT, Leverages NVIDIA Masquerade for Windows Infiltration

A previously unobserved remote access tool (RAT), dubbed LabubaRAT, is actively exploiting Windows environments by impersonating NVIDIA software. This Rust-based implant grants attackers comprehensive control over compromised hosts, effectively blending into system operations through deceptive vendor metadata and runtime artifacts.

Table Of Content

  • Key Takeaways
  • New Rust-Based RAT, LabubaRAT, Leverages NVIDIA Masquerade for Windows Infiltration
  • Deceptive Tactics and Technical Deep Dive
  • Modular Design and C2 Infrastructure
  • What You Should Do

Security researchers at Blackpoint Cyber’s Adversary Pursuit Group (APG) uncovered the sophisticated malware, which is distributed as nvidia-sysruntime.exe. Its design enables operators to maintain persistent, hands-on control over infected machines.

Deceptive Tactics and Technical Deep Dive

The 64-bit executable, despite being unsigned, presents itself as NVIDIA’s Container Runtime Monitor. It incorporates spoofed version details that reference NVIDIA Corporation and the NVIDIA Container Toolkit. This masquerade is further reinforced by the creation of a single-instance mutex, LocalNVIDIAContainerMonitor_SingleInstance, and a local SQLite database, nvctr_sys.db, used for storing enrollment data and managing runtime states.

However, forensic analysis reveals the malware’s true nature. Compile artifacts, including a PE timestamp dated June 17, 2026, and Rust build paths containing a “funt” user reference, contradict its supposed origin as legitimate NVIDIA software, exposing it as a malicious remote access framework.

For more in-depth forensic data, tactical indicators of compromise, and detailed infrastructure maps, LabubaRAT: A Rust-Based Remote Access Tool Masquerading as NVIDIA Software, Blackpoint Cyber said in its technical write-up.

Modular Design and C2 Infrastructure

Unlike many malware variants that rely on hardcoded command-and-control (C2) infrastructure, LabubaRAT exhibits a flexible configuration mechanism. It accepts runtime parameters via command-line arguments or environment variables prefixed with ZM_, allowing operators to define organizational targets, groups, C2 servers, and API keys at launch. A Base64-encoded –b parameter bundles these values, with APG observing a deployment using the organization “luxespa,” group “rabbit,” and C2 server pipicka[.]xyz.

This adaptable design suggests that a single compiled binary can support multiple campaigns or clients, indicative of a Malware-as-a-Service (MaaS) model. Embedded help text further supports this theory, featuring example group names such as “sauna” and “vip-chair.” This approach, characterized by multiple evasion profiles and flexible parameters, mirrors how contemporary threat actors leverage compromised software to rapidly establish footholds within corporate networks.

LabubaRAT employs three distinct communication methods to ensure resilient access to its C2 infrastructure: standard HTTPS polling using Rust libraries like reqwest and tokio, WebView2-based communication that emulates browser traffic via embedded JavaScript, and DNS tunneling with Base32-encoded payload chunking. This redundancy provides operators with persistent access even if one channel is detected or blocked.

Upon successful enrollment, the implant conducts host profiling, gathering details on hardware specifications, installed browsers, antivirus products, and domain information, then awaits operator commands. Supported functionalities include arbitrary shell and PowerShell execution, JavaScript execution via Windows Script Host, screenshot capture using GDI APIs, file upload/download, archive manipulation, and SOCKS5 proxy relaying. Persistence at the user level is achieved through an HKCU Run key, configurable via –install and –uninstall flags. These robust execution capabilities enable operators to quickly enumerate high-value networks through malicious automation scripts.

The malware’s name originates from its C2 panel, which prominently displays a “LabubaPanel” title and a Labubu-themed favicon. By analyzing this panel structure, APG identified three additional C2 IP addresses hosted on German infrastructure, all becoming active since early June 2026, aligning with the sample’s compile date and suggesting a coordinated rollout.

What You Should Do

  • Actively hunt for unsigned binaries that claim to be NVIDIA software on your Windows systems.
  • Scrutinize Base64-encoded command-line arguments associated with autorun entries, as these are often used by LabubaRAT.
  • Search for the presence of nvctr_sys.db artifacts, which indicate LabubaRAT’s local storage.
  • Monitor outbound network traffic for browser-spoofed User-Agents combined with bearer authentication, WebView2 requests, or high-entropy DNS queries, which can signal LabubaRAT activity.
  • Implement robust endpoint detection and response (EDR) solutions to identify and block suspicious processes and network connections.
  • Regularly update operating systems, applications, and security software to patch known vulnerabilities.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

MalwareSecurity

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Chrome 150 Update Patches 15 Flaws, Two Critical Code Execution Vulnerabilities

Next Post

Critical Windows RDP Bugs Expose Sensitive Data, Patch Now

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
LabubaRAT Malware Impersonates NVIDIA to Hijack Windows Systems
July 15, 2026
Chrome 150 Update Patches 15 Flaws, Two Critical Code Execution Vulnerabilities
July 15, 2026
Critical Flaw in EU Age Verification App Lets Attackers Bypass Checks
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us