LabubaRAT malware infiltrates Windows systems while posing as NVIDIA software
LabubaRAT, a previously undocumented Rust-based remote access tool (RAT) masquerading as NVIDIA software that enables post-compromise operations on Windows systems, has been uncovered by Blackpoint Cyber.
According to researchers, LabubaRAT creates “a reusable foothold for hands-on activity.” Once deployed, it can profile the host, identify installed security tools, receive operator commands, transfer files, capture screenshots, and proxy network traffic through the affected system.
Blackpoint Cyber named the malware LabubaRAT after discovering a “LabubaPanel” title and a Labubu-themed favicon on its associated command-and-control (C2) infrastructure.
Configuration built for reuse
Rather than hardcoding its infrastructure into the binary, LabubaRAT receives its configuration at launch through command-line arguments or matching environment variables.
Operators can specify the command-and-control server, organization, group tag, and API key at runtime. Those values determine how the malware connects to its infrastructure and how frequently it checks in for new commands. Instead of supplying each parameter individually, operators can also package them into a single Base64-encoded configuration block that the malware decodes during execution.
“Because those values were provided at launch, the same compiled binary could be reused with different infrastructure, organizations, or campaign groupings instead of relying on a hardcoded server,” the researchers noted.
After enrolling with its command-and-control server, the malware stores local state in a SQLite database named nvctr_sys.db and supports communication over HTTPS polling, Microsoft Edge WebView2, and DNS tunneling. Multiple communication paths help maintain connectivity if one channel becomes unavailable.

The RAT supported HTTPS, WebView2, and DNS based communication paths (Source: Blackpoint Cyber)
A full remote access toolkit
Analysis of the sample revealed a comprehensive remote access capability set, including command execution, PowerShell and JavaScript execution, screenshot capture, file uploads and downloads, archive handling, and SOCKS5 proxy support.
The malware can also establish persistence by creating a Windows Run registry key, allowing it to launch automatically after a reboot.
“Those capabilities gave the operator enough control to interact with the host, move files in and out of the environment, route traffic through the system, and maintain access without relying on a separate loader or narrowly scoped follow-on tool,” they added.
Disguised as NVIDIA software
The entry point for the attack chain is an executable named nvidia-sysruntime.exe, an unsigned 64-bit binary that impersonates NVIDIA’s container runtime toolkit.
“Its version information reinforced the NVIDIA theme with references to NVIDIA Corporation, NVIDIA Container Runtime Monitor, and NVIDIA Container Toolkit, making the file look like NVIDIA software at a glance.”
Before receiving operator commands, LabubaRAT profiles the compromised host by checking for installed browsers such as Chrome, Firefox, Edge, and Brave, while also scanning for endpoint security products including Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Sophos, Bitdefender, and several others through Windows registry uninstall keys.
The malware also collects the hostname, CPU and memory details, domain membership, and User Account Control (UAC) status to provide operators with an overview of the environment before additional actions are taken.
“LabubaRAT is more than a renamed binary with fake NVIDIA metadata. The sample combined runtime configuration, local state, host profiling, multiple communication paths, and operator tasking into a complete remote access tool. Its design allowed the same compiled agent to be pointed at different infrastructure, assigned to different groups, and managed through a panel-backed workflow without requiring a new build for each deployment,” researchers concluded.
The framework-like architecture suggests LabubaRAT was designed for reuse across multiple operations, although Blackpoint stopped short of attributing it to a malware-as-a-service offering.
The company has shared indicators of compromise to help defenders identify and detect LabubaRAT activity.