LabubaRAT Poses as NVIDIA Software to Hijack Windows Hosts

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Blackpoint Cyber researchers Sam Decker and Nevan Beal flagged LabubaRAT, a previously undocumented Rust-based RAT that masquerades as NVIDIA's container runtime toolkit via an executable named "nvidia-sysruntime.exe"
- LabubaRAT accepts runtime configuration through command-line arguments or a single Base64-encoded value, allowing the same compiled binary to be redeployed against different infrastructure, organizations, or campaigns without recompilation
- The implant communicates via HTTPS, WebView2, and DNS tunneling, giving operators redundant pathways to maintain access even if one channel is detected and closed off
- LabubaRAT profiles hosts by inventorying installed browsers (Chrome, Firefox, Edge, Brave) and 15 security products including Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Sophos, Malwarebytes, Bitdefender, ESET, Kaspersky, McAfee, Symantec, and Trend Micro
- The malware stores its configuration in a local SQLite database and supports command execution, PowerShell and JavaScript execution, screenshot capture, file upload/download, archive handling, and SOCKS5 proxy support
- Blackpoint Cyber found signs LabubaRAT is being offered under a malware-as-a-service model, with C2 infrastructure branded "LabubaPanel" hosted at "pipicka[.]xyz" and identified by a Labubu-themed favicon
Why it matters: The trojan's runtime-configurable design — where C2 details are supplied at launch instead of hard-coded — lets a single operator rapidly enroll hosts across multiple organizations without rebuilding the implant, amplifying the MaaS threat. Its deliberate impersonation of a trusted NVIDIA process and explicit fingerprinting of 15 major security products signal a builder who has mapped enterprise defenses before deploying.




