Cybersecurity researchers have identified a previously undocumented Rust based remote access trojan known as LabubaRAT that disguises itself as legitimate NVIDIA software to evade detection and establish persistent access to Windows systems. According to security researchers at Blackpoint Cyber, the malware is designed to provide attackers with extensive remote control over compromised devices by allowing them to profile systems, execute commands, transfer files, capture screenshots, and route network traffic through infected machines. The researchers believe there are indications that the malware may be offered as part of a Malware as a Service operation, enabling multiple threat actors to deploy it across different campaigns using the same underlying framework.
The attack begins with an executable file named “nvidia-sysruntime.exe,” which impersonates NVIDIA’s container runtime toolkit to appear legitimate. Unlike many malware families that rely on hard coded command and control infrastructure, LabubaRAT receives its configuration at launch through command line arguments. These parameters include details such as the remote server address, identified in the analyzed sample as “pipicka[.]xyz,” along with the communication polling interval used by the malware. Attackers can also provide all required settings as a single Base64 encoded argument, allowing the same compiled malware sample to be reused across different infrastructures, organizations, or attack campaigns without recompilation. Once launched, the configuration is stored locally in an SQLite database before the malware begins collecting detailed information about the compromised system. It inventories installed web browsers including Google Chrome, Mozilla Firefox, Microsoft Edge, and Brave, while also checking for the presence of widely used security products such as Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Sophos, Malwarebytes, Bitdefender, ESET, Kaspersky, McAfee, Symantec, and Trend Micro. The malware further gathers system details including the hostname, available memory, processor model, and the status of Windows User Account Control, allowing attackers to better understand the environment and determine how to proceed based on the security solutions installed.
Blackpoint Cyber researchers explained that LabubaRAT combines several capabilities typically associated with advanced remote access tools into a single framework. Once active, the malware can execute operating system commands, PowerShell commands, and JavaScript, while also supporting screenshot capture, file uploads and downloads, archive management, and SOCKS5 proxy functionality. These features allow attackers to move files into and out of compromised systems, maintain remote access, and route network traffic through infected devices without relying on additional malware components or separate loaders. The researchers noted that the malware creates a reusable foothold that enables hands on activity by operators and supports multiple communication channels including HTTPS, WebView2, and DNS tunneling. By offering several communication methods, the malware can continue operating even if one communication channel is detected or blocked by security defenses, making it more resilient against disruption during an intrusion.
The malware derives its name from the “LabubaPanel” branding found within its command and control infrastructure, along with a Labubu themed favicon observed during the investigation. According to Blackpoint Cyber, the malware’s framework like design is one of its most significant characteristics because it allows operators to configure, enroll, and manage compromised systems across multiple deployments with minimal effort. Researchers said the malware combines runtime configuration, local state management, host profiling, multiple communication paths, and operator task execution into a complete remote access platform capable of maintaining long term access to Windows systems. Its flexible configuration model and broad range of capabilities demonstrate how modern malware continues to evolve toward reusable and scalable frameworks that can be adapted for different attack campaigns while remaining difficult to detect through traditional methods.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.