Back to Feed
MalwareJul 14, 2026

LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts

New Rust-based RAT, LabubaRAT, impersonates NVIDIA software to gain Windows host access.

Summary

A new remote access trojan (RAT) named LabubaRAT, written in Rust, has been discovered impersonating NVIDIA software to infiltrate Windows systems. It functions as a malware-as-a-service, allowing attackers to profile hosts, execute commands, exfiltrate data, and proxy traffic. LabubaRAT employs multiple communication methods, including HTTPS, WebView2, and DNS tunneling, to maintain persistence and evade detection.

Full text

LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts Ravie LakshmananJul 14, 2026Malware / Threat Intelligence Cybersecurity researchers have flagged a previously undocumented Rust-based remote access trojan (RAT) codenamed LabubaRAT that masquerades as NVIDIA software to blend into target environments. "LabubaRAT creates a reusable foothold for hands-on activity," Blackpoint Cyber researchers Sam Decker and Nevan Beal said in an analysis published today. "Once deployed, it can profile the host, identify security tools, receive operator commands, move files, capture screenshots, and proxy traffic through the affected system." The implant also supports multiple communication methods, including HTTPS, WebView2, and DNS tunneling, allowing attackers to maintain access to compromised hosts even if one pathway is detected and closed off. There are some signs that LabubuRAT is being offered under a malware-as-a-service (MaaS) model. The starting point of the attack chain is an executable named "nvidia-sysruntime.exe," which impersonates NVIDIA's container runtime toolkit. The sample, instead of hard-coding its command-and-control (C2) information, accepts a runtime configuration through command-line arguments. This allows the campaign operator to define various parameters that are key to establishing communication with the remote server, including the server details ("pipicka[.]xyz") and the polling interval used by the implant. Alternatively, the attacker can also supply these individual values in the form of one single Base64-encoded argument. "Because those values were provided at launch, the same compiled binary could be reused with different infrastructure, organizations, or campaign groupings instead of relying on a hard-coded server," the researchers noted. The configuration is then stored in a local SQLite database, following which it undertakes discovery operations to inventory the list of web browsers and security products installed on the host, specifically checking for the presence of Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Sophos, Malwarebytes, Bitdefender, ESET, Kaspersky, McAfee, Symantec, and Trend Micro. In addition, it gathers the hostname, RAM size, CPU model, and the Windows User Account Control (UAC) state as a way to prepare the environment for the next stage, as some RAT functionality may be dictated by the security tools present on the system. Once launched, LabubaRAT supports a wide range of functions, such as command execution, PowerShell execution, JavaScript execution, screenshot capture, file upload and download, archive handling, and SOCKS5 proxy support. "Those capabilities gave the operator enough control to interact with the host, move files in and out of the environment, route traffic through the system, and maintain access without relying on a separate loader or narrowly scoped follow-on tool," Blackpoint Cyber said. The malware is a reference to the "LabubaPanel" title associated with its C2 infrastructure and a Labubu-themed favicon. "The sample combined runtime configuration, local state, host profiling, multiple communication paths, and operator tasking into a complete remote access tool," Blackpoint Cyber said. "The malware gave an operator a practical way to enroll hosts, understand the environment around each agent, execute commands, move files, capture screenshots, proxy traffic, and maintain user level autostart." "The LabubaPanel branding provided the clearest external naming clue, but the more important finding is the framework-like structure behind it: a Rust based RAT built to be configured, enrolled, and operated across multiple deployments." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Command and Control, Cybercrime, endpoint security, Malware, Malware-as-a-Service, network security, Remote Access Trojan, Threat Intelligence, Windows Security ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls

Indicators of Compromise

  • domain — pipicka[.]xyz
  • malware — LabubaRAT

Entities

nvidia-sysruntime.exe (product)NVIDIA (vendor)Rust (technology)Blackpoint Cyber (vendor)Google Chrome (product)Mozilla Firefox (product)