LabubaRAT Poses as NVIDIA Software to Control Windows Hosts

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Blackpoint Cyber researchers Sam Decker and Nevan Beal disclosed LabubaRAT, a previously undocumented Rust-based RAT that masquerades as NVIDIA software to blend into target environments.
- LabubaRAT enters via an executable named "nvidia-sysruntime.exe," which impersonates NVIDIA's container runtime toolkit and accepts its C2 configuration — including the server "pipicka[.]xyz" and polling interval — through command-line arguments or a single Base64-encoded argument.
- LabubaRAT communicates via HTTPS, WebView2, and DNS tunneling, letting attackers maintain access to a compromised host even if one channel is detected and blocked.
- LabubaRAT inventories installed browsers and security products — checking for Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Sophos, Malwarebytes, Bitdefender, ESET, Kaspersky, McAfee, Symantec, and Trend Micro — and collects hostname, RAM, CPU model, and UAC state.
- LabubaRAT supports command execution, PowerShell and JavaScript execution, screenshot capture, file upload and download, archive handling, and SOCKS5 proxying, giving operators hands-on control without a separate loader.
- There are signs LabubaRAT is being offered under a malware-as-a-service model, with its C2 infrastructure branded "LabubaPanel" and identified by a Labubu-themed favicon.
Why it matters: By masquerading as a legitimate NVIDIA container runtime binary, LabubaRAT raises the bar for casual detection by IT staff, while its runtime-configurable C2 design lets one compiled binary be redeployed across campaigns. The discovery signals that Rust-based RATs are maturing into full remote-access frameworks — not just loaders — and a MaaS distribution model would lower the skill floor for deploying them against Windows environments.




