New LabubaRAT Malware Poses as NVIDIA Software to Control Windows PCs
Security researchers have discovered LabubaRAT, a previously undocumented remote access tool that impersonates NVIDIA software while giving attackers extensive control over Windows computers.
According to a technical analysis from Blackpoint Cyber, the Rust-based malware can execute commands, capture screenshots, transfer files, inspect security software, and route network traffic through an infected PC.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The researchers analyzed an unsigned 64-bit executable named nvidia-sysruntime.exe. It claimed to be an โNVIDIA Container Runtime Monitorโ and included fake references to NVIDIA Corporation and the NVIDIA Container Toolkit. However, the file does not belong to NVIDIA.
LabubaRAT uses NVIDIA branding to avoid suspicion
LabubaRAT extends its disguise beyond the executableโs name. It creates a mutex called Local\NVIDIAContainerMonitor_SingleInstance, which prevents multiple copies from running simultaneously while maintaining the NVIDIA theme.
The malware also creates a local SQLite database named nvctr_sys.db. This database stores configuration details, enrollment information, device state, and operational events between sessions.
Several development artifacts exposed the fileโs real purpose. Blackpoint found Rust build paths containing the username โfunt,โ a debug path named nvidia_container.pdb, and a Portable Executable compile timestamp of June 17, 2026.
| Artifact | Observed value | Purpose |
|---|---|---|
| Executable | nvidia-sysruntime.exe | Impersonates NVIDIA software |
| Mutex | Local\NVIDIAContainerMonitor_SingleInstance | Stops duplicate instances |
| Local database | nvctr_sys.db | Stores configuration and device state |
| PDB path | nvidia_container.pdb | Continues the NVIDIA disguise |
| Observed C2 domain | pipicka[.]xyz | Receives compromised host connections |
Operators can configure the malware at launch
LabubaRAT does not contain a fixed command-and-control server. Instead, operators can supply the server address, organization, group, API key, device name, DNS settings, and polling intervals through command-line arguments or environment variables beginning with ZM_.
The malware also accepts a Base64-encoded parameter called -b. This allows an operator to combine several configuration values into one encoded argument, including the C2 server and authentication key.
In the deployment examined by researchers, the decoded configuration contained the organization name โluxespa,โ the group โrabbit,โ and the server pipicka[.]xyz. Since the configuration arrives at launch, operators can reuse the same executable across different campaigns and infrastructure.
| Configuration | Command-line option | Environment variable |
|---|---|---|
| Organization | –org | ZM_ORG |
| API key | –key | ZM_KEY |
| C2 server | –server | ZM_SERVER |
| Campaign group | –group | ZM_GROUP |
Three communication methods make LabubaRAT resilient
LabubaRAT supports HTTPS polling, WebView2 communication, and DNS tunneling. These alternative channels could help an attacker retain access if defenders detect or block one communication method.
The HTTPS method uses Rust libraries such as reqwest and tokio. Its WebView2 mode runs embedded JavaScript and makes traffic resemble activity from a browser component.

For DNS tunneling, LabubaRAT encodes data with Base32 and divides it into chunks that can travel through DNS queries. Defenders may spot this activity by looking for unusually long or high-entropy DNS requests from affected endpoints.
- HTTPS polling for conventional command-and-control traffic
- WebView2 requests designed to resemble browser communication
- DNS tunneling using Base32-encoded data
What attackers can do with LabubaRAT
After enrolling a computer, the malware profiles the system before waiting for instructions. It collects the hostname, CPU model, installed memory, IP address, domain membership, User Account Control status, browsers, and installed security products.
Its browser checks cover Chrome, Firefox, Microsoft Edge, and Brave. It also searches for products from Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Malwarebytes, Bitdefender, ESET, Kaspersky, McAfee, Symantec, Trend Micro, and other security vendors.
This inventory gives the operator information that could influence later actions. For example, an attacker could adjust commands or file activity after identifying the endpointโs security controls.
- Run shell and PowerShell commands
- Execute JavaScript through Windows Script Host
- Capture screenshots using Windows GDI functions
- Upload and download files
- Create and extract archives
- Start or stop a SOCKS5 proxy
- Maintain user-level persistence
LabubaRAT can persist through the Windows Registry
The malware supports -install and -uninstall options for managing persistence. Its installation function creates an entry under the current userโs Windows Run registry key, causing the implant to launch when that user signs in.
This persistence method operates at user level and does not necessarily require administrator privileges. The encoded -b argument can store the required server and enrollment settings inside the autorun command.

The SOCKS5 feature also allows an attacker to relay traffic through the compromised computer. This can turn the victimโs device into a proxy for reaching other systems or concealing malicious network activity.
Researchers traced the name to LabubaPanel
Blackpoint named the malware after discovering a โLabubaPanelโ title and a Labubu-themed favicon on its command-and-control infrastructure. The researchers also identified three associated IP addresses that appeared online in June 2026.
The framework supports organizations, API keys, campaign groups, and interchangeable server settings. These features suggest that its developers designed it for reuse across several deployments, although researchers have not confirmed that criminals currently sell or rent it as a service.
The Blackpoint Cyber report lists the following infrastructure indicators:
- 191.44.109[.]130
- 87.120.108[.]18
- 168.222.254[.]204
- pipicka[.]xyz
How to detect and respond to LabubaRAT
Security teams should investigate unsigned files that claim to come from NVIDIA, particularly nvidia-sysruntime.exe files stored outside expected software locations. Genuine container components should correspond with the packages and utilities documented in NVIDIAโs official Container Toolkit overview.
Administrators should also inspect user-level Run keys for unknown programs carrying long Base64-like arguments. The presence of nvctr_sys.db, its associated WAL or SHM files, or the known mutex provides additional evidence of a possible infection.
If defenders find these indicators, they should isolate the computer from the network, preserve relevant logs, and begin an incident-response investigation. Since LabubaRAT supports remote commands, file transfers, screenshots, and proxying, responders should treat an affected machine as fully compromised.
- Search endpoints for nvidia-sysruntime.exe and nvctr_sys.db
- Check file signatures before trusting NVIDIA-branded executables
- Review HKCU Run entries for encoded arguments
- Monitor unusual child processes launching cmd.exe, powershell.exe, wscript.exe, or cscript.exe
- Inspect outbound WebView2 traffic and high-entropy DNS queries
- Reset credentials used on confirmed infected computers
- Rebuild affected systems when investigators cannot establish their integrity
FAQ
LabubaRAT is a Rust-based remote access tool for Windows that disguises itself as NVIDIA software. It can execute commands, transfer files, capture screenshots, profile a computer, and proxy network traffic.
No. The analyzed file used fake NVIDIA metadata and naming but did not belong to NVIDIA. It was also unsigned and behaved as a remote access implant.
Researchers analyzed LabubaRAT under the file name nvidia-sysruntime.exe. Attackers could potentially rename the executable in other deployments.
LabubaRAT supports standard HTTPS polling, WebView2-based communication, and DNS tunneling. These options give operators several ways to communicate with an infected computer.
Defenders should search for nvidia-sysruntime.exe, nvctr_sys.db, the Local\NVIDIAContainerMonitor_SingleInstance mutex, suspicious HKCU Run entries, encoded command-line arguments, and unusual WebView2 or DNS traffic.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages