Fake NVIDIA Software Distributes New LabubaRAT Malware to Hijack Windows PCs
- Malware Identified: Blackpoint Cyber discovered LabubaRAT, a Rust-based remote access tool masquerading as NVIDIA software.
- Multiple Channels: The implant communicates through HTTPS polling, WebView2, and DNS tunneling.
- MaaS Signals: The RAT is being offered as malware-as-a-service, with a full remote access toolkit and persistence.
A remote access tool tracked as LabubaRAT disguises itself as NVIDIA software to blend into Windows environments. Cybersecurity researchers say it shows signs of being offered as a malware-as-a-service (MaaS) product to other attackers.
Blackpoint Cyber uncovered the previously undocumented Rust-based implant in a July 14, 2026, report. Its command-and-control (C2) server, pipicka[.]xyz, exposed a LabubaPanel title and a Labubu-themed favicon, which is where APG derived the LabubaRAT tracking name.
NVIDIA Masquerade Conceals a Rust Implant
The sample, nvidia-sysruntime.exe, is an unsigned 64-bit Windows GUI executable compiled in Rust. It carried references to NVIDIA Corporation, NVIDIA Container Runtime Monitor, and NVIDIA Container Toolkit to reinforce the disguise, Blackpoint Cyber's Adversary Pursuit Group (APG) has reported.
The implant profiled the host to identify installed web browsers and security products, including Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Sophos, Malwarebytes, Bitdefender, ESET, Kaspersky, McAfee, Symantec, Trend Micro, and others.
Configurable Access With Multiple Communication Paths
The RAT let operators define organization, group, server, and key values at launch rather than hardcoding C2 details into the binary, allowing reuse across different campaigns and targets.
The implant supported three communication methods, giving operators more than one path to maintain remote access if one channel was detected and blocked:
- standard HTTPS polling with bearer authentication,
- WebView2-based communication,
- DNS tunneling.
Full Remote Access Capabilities and Persistence
"LabubaRAT creates a reusable foothold for hands-on activity," Blackpoint Cyber researchers said, adding that it can "profile the host, identify security tools, receive operator commands, move files, capture screenshots, and proxy traffic through the affected system."
Recovered functionality showed a complete remote access capability set, including:
- command execution,
- PowerShell execution,
- JavaScript execution,
- screenshot capture,
- file upload and download,
- archive handling,
- SOCKS5 proxy support,
- optional user level persistence through HKCU Run.
Last month, Kaspersky reported the Argamal RAT targeted Hentai gamers via trojanized games, and WeedHack malware infected 116,000+ Minecraft systems via fake mods. In April, researchers discovered a novel, advanced MaaS platform for Android used in phishing campaigns that impersonate banks.







