A previously undocumented remote access tool dubbed LabubaRAT, a Rust-based implant that masquerades as NVIDIA software to compromise Windows systems.
The malware uncovered by Blackpoint Cyber’s Adversary Pursuit Group (APG) is distributed as nvidia-sysruntime.exe uses fake vendor metadata and runtime artifacts to blend into legitimate environments while granting operators full hands-on control over infected hosts.
The unsigned 64-bit executable presents itself as NVIDIA’s Container Runtime Monitor, complete with spoofed version information referencing NVIDIA Corporation and the NVIDIA Container Toolkit.
It reinforces this identity through a single-instance mutex named Local\NVIDIAContainerMonitor_SingleInstance and a local SQLite database, nvctr_sys.db, that stores enrollment data and runtime state.
Despite the NVIDIA branding, compile artifacts including a PE timestamp of June 17, 2026, and Rust build paths referencing a “funt” user—expose its true nature as a remote access framework rather than legitimate software.
NVIDIA themed metadata and Rust artifacts exposed the sample’s masquerade. (Image Source: Blackpointcyber)
Detailed forensic data, tactical indicators of compromise, and full infrastructure maps are available in the technical write-up for LabubaRAT: A Rust-Based Remote Access Tool Masquerading as NVIDIA Software, Blackpoint Cyber said.
Rust-Based LabubaRAT
Unlike malware with hardcoded command-and-control (C2) infrastructure, LabubaRAT accepts runtime configuration via command-line arguments or matching ZM_-prefixed environment variables, letting operators define the organization, group, server, and API key at launch.
A Base64-encoded –b parameter packs these values together, which APG decoded to reveal an observed deployment using the organization “luxespa,” group “rabbit,” and C2 server pipicka[.]xyz.
This design lets a single compiled binary serve multiple campaigns or customers, a Malware-as-a-Service-style structure further suggested by example group names like “sauna” and “vip-chair” found in the embedded help text.
The weaponization of multiple evasion profiles and flexible parameters mirrors how modern actors use compromised software packages to establish rapid footprints within corporate pipelines.
The –b value decoded into the runtime configuration used by the agent. (Image Source: Blackpointcyber)
Configuration FieldCLI Argument FlagEnvironment Variable VectorOperational IntentOrganization Target–orgZM_ORGAssigns the targeted enterprise workspaceAuthentication Token–keyZM_KEYPasses the unique API key for C2 authorizationC2 Destination–serverZM_SERVEREstablishes the target remote server domainCampaign Group–groupZM_GROUPTracks specific campaign tiers (e.g., “rabbit”)
LabubaRAT supports three distinct methods to reach its C2 infrastructure: standard HTTPS polling using Rust libraries like reqwest and tokio, WebView2-based communication that mimics browser traffic through embedded JavaScript, and DNS tunneling with Base32-encoded payload chunking. This redundancy gives operators resilient access even if one channel is blocked or detected.
Once enrolled, the implant profiles the host—collecting hardware specs, installed browsers, antivirus products, and domain information—before awaiting operator tasking.
Supported commands include shell and PowerShell execution, JavaScript execution via Windows Script Host, screenshot capture through GDI APIs, file upload/download, archive handling, and SOCKS5 proxy relaying.
User-level persistence is achieved through an HKCU Run key, configurable via –install and –uninstall flags. Operators routinely turn to these robust execution flows, pairing them with malicious automation scripts to enumerate high-value networks in minutes.
The SQLite schema defined local storage for configuration, device state, and event tracking. (Image Source: Blackpointcyber)
The malware’s name derives from its C2 panel, which displayed a “LabubaPanel” title and a Labubu-themed favicon. Pivoting from this panel structure, APG identified three additional C2 IP addresses hosted on German infrastructure, all appearing since early June 2026, a timing that aligns with the sample’s compile date and suggests a coordinated rollout.
Blackpoint recommends security teams hunt for unsigned binaries claiming NVIDIA identity, scrutinize Base64-encoded command-line arguments tied to autorun entries, and search for nvctr_sys.db artifacts.
Monitoring outbound traffic for browser-spoofed User-Agents paired with bearer authentication, WebView2 requests, or high-entropy DNS queries can also help flag LabubaRAT activity before operators establish full control.
Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.
The post New Rust-Based LabubaRAT Impersonates NVIDIA Software to Hijack Windows Systems appeared first on Cyber Security News.



