LabubaRAT: New Rust-Based RAT Masquerades as NVIDIA Software
A previously undocumented Rust-based Remote Access Trojan (RAT), dubbed **LabubaRAT**, has been identified by cybersecurity researchers. This sophisticated malware masquerades as **NVIDIA** software, aiming to blend seamlessly into target environments while offering attackers extensive control and persistent access.

Cybersecurity researchers at **Blackpoint Cyber** have uncovered a new threat: **LabubaRAT**. This Rust-based remote access trojan is designed to establish a persistent foothold for attackers, enabling hands-on activity within compromised systems.
According to **Blackpoint Cyber** researchers **Sam Decker** and **Nevan Beal**, **LabubaRAT** can profile hosts, identify security tools, execute operator commands, manage files, capture screenshots, and proxy traffic through the affected system. Its multi-channel communication capabilities, including HTTPS, **WebView2**, and DNS tunneling, ensure sustained access even if one channel is detected and blocked. There are also indications that **LabubaRAT** is being offered under a Malware-as-a-Service (MaaS) model.
## Initial Compromise and Configuration
The attack typically begins with an executable named "nvidia-sysruntime.exe," which mimics **NVIDIA**'s container runtime toolkit. Unlike many malware strains, **LabubaRAT** does not hard-code its command-and-control (C2) information. Instead, it accepts runtime configurations via command-line arguments.
This flexible approach allows operators to define critical parameters, such as server details (e.g., "pipicka[.]xyz") and polling intervals, at launch. These values can also be supplied as a single Base64-encoded argument. This dynamic configuration enables the same compiled binary to be reused across different infrastructure, organizations, or campaign groupings, enhancing its versatility and evading static detections.
## Host Profiling and Evasion
Upon launch, **LabubaRAT** stores its configuration in a local **SQLite** database. It then initiates discovery operations to inventory web browsers and security products installed on the host. Specifically, it checks for the presence of **Google Chrome**, **Mozilla Firefox**, **Microsoft Edge**, **Brave**, **Microsoft Defender**, **CrowdStrike**, **SentinelOne**, **Carbon Black**, **Sophos**, **Malwarebytes**, **Bitdefender**, **ESET**, **Kaspersky**, **McAfee**, **Symantec**, and **Trend Micro**.
Additionally, it gathers crucial system information, including hostname, RAM size, CPU model, and the **Windows User Account Control (UAC)** state. This profiling helps prepare the environment for subsequent stages, as some RAT functionalities may be adapted based on the security tools identified.
## Extensive Capabilities
Once active, **LabubaRAT** offers a broad spectrum of functionalities, providing attackers with significant control over the compromised system. These capabilities include:
* Command execution
* **PowerShell** execution
* **JavaScript** execution
* Screenshot capture
* File upload and download
* Archive handling
* **SOCKS5** proxy support
**Blackpoint Cyber** highlights that these features provide operators with sufficient control to interact with the host, move files, route traffic, and maintain access without relying on separate loaders or narrowly scoped follow-on tools.
## Branding and Framework Structure
The malware's name, **LabubaRAT**, is derived from the "LabubaPanel" title associated with its C2 infrastructure and a distinctive Labubu-themed favicon.
Researchers emphasize that while the branding provides an external clue, the more significant finding is the underlying framework-like structure. **LabubaRAT** is a Rust-based RAT built for configurability, enrollment, and operation across multiple deployments, making it a robust and adaptable tool for malicious actors.