Fake NVIDIA Software Distributes New LabubaRAT Malware to Hijack Windows PCs

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Malware Identified: Blackpoint Cyber discovered LabubaRAT, a Rust-based remote access tool masquerading as NVIDIA software.
  • Multiple Channels: The implant communicates through HTTPS polling, WebView2, and DNS tunneling.
  • MaaS Signals: The RAT is being offered as malware-as-a-service, with a full remote access toolkit and persistence.

A remote access tool tracked as LabubaRAT disguises itself as NVIDIA software to blend into Windows environments. Cybersecurity researchers say it shows signs of being offered as a malware-as-a-service (MaaS) product to other attackers.

Blackpoint Cyber uncovered the previously undocumented Rust-based implant in a July 14, 2026, report. Its command-and-control (C2) server, pipicka[.]xyz, exposed a LabubaPanel title and a Labubu-themed favicon, which is where APG derived the LabubaRAT tracking name.

NVIDIA Masquerade Conceals a Rust Implant

The sample, nvidia-sysruntime.exe, is an unsigned 64-bit Windows GUI executable compiled in Rust. It carried references to NVIDIA Corporation, NVIDIA Container Runtime Monitor, and NVIDIA Container Toolkit to reinforce the disguise, Blackpoint Cyber's Adversary Pursuit Group (APG) has reported

NVIDIA themed metadata and Rust artifacts exposed the sample’s masquerade | Source: Blackpoint Cyber
NVIDIA themed metadata and Rust artifacts exposed the sample’s masquerade | Source: Blackpoint Cyber

The implant profiled the host to identify installed web browsers and security products, including Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Sophos, Malwarebytes, Bitdefender, ESET, Kaspersky, McAfee, Symantec, Trend Micro, and others.

Configurable Access With Multiple Communication Paths

The RAT let operators define organization, group, server, and key values at launch rather than hardcoding C2 details into the binary, allowing reuse across different campaigns and targets. 

The RAT supported HTTPS, WebView2, and DNS based communication paths | Source: Blackpoint Cyber
The RAT supported HTTPS, WebView2, and DNS based communication paths | Source: Blackpoint Cyber

The implant supported three communication methods, giving operators more than one path to maintain remote access if one channel was detected and blocked: 

Full Remote Access Capabilities and Persistence

"LabubaRAT creates a reusable foothold for hands-on activity," Blackpoint Cyber researchers said, adding that it can "profile the host, identify security tools, receive operator commands, move files, capture screenshots, and proxy traffic through the affected system." 

Recovered functionality showed a complete remote access capability set, including:

Last month, Kaspersky reported the Argamal RAT targeted Hentai gamers via trojanized games, and WeedHack malware infected 116,000+ Minecraft systems via fake mods. In April, researchers discovered a novel, advanced MaaS platform for Android used in phishing campaigns that impersonate banks.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: