Published on July 15, 2026
LabubaRAT Rust Malware Masquerades as NVIDIA Software to Backdoor Windows Systems
Severity
Medium
A newly identified Rust-based Remote Access Trojan (RAT) named LabubaRAT has been discovered targeting Windows systems. The malware disguises itself as a legitimate NVIDIA component by using NVIDIA-related metadata, debug artifacts, file names, mutexes, and local database names to avoid raising suspicion in environments where NVIDIA software is commonly installed. Unlike traditional malware that contains hardcoded infrastructure, LabubaRAT is designed as a reusable malware framework. Threat actors can configure deployment parameters such as the command-and-control (C2) server, organization identifier, API key, polling interval, DNS settings, and device information at runtime, allowing the same binary to be reused across multiple campaigns.
The malware profiles compromised hosts by collecting system information, including the hostname, CPU model, installed memory, IP address, domain membership, User Account Control (UAC) status, installed browsers, and security software. It also supports a wide range of malicious capabilities, including remote command execution, PowerShell and JavaScript execution, screenshot capture, file upload/download, SOCKS5 proxy functionality, DNS tunneling, and persistence through the HKCU\Run registry key.
How?
LabubaRAT masquerades as an NVIDIA application by using artifacts such as:
- File name: nvidia-sysruntime.exe
- Mutex: Local\NVIDIAContainerMonitor_SingleInstance
- Local SQLite database: nvctr_sys.db
- NVIDIA-themed version information and debug paths.
To conceal its configuration, the malware accepts runtime parameters via command-line arguments or environment variables prefixed with ZM_. It also supports Base64-encoded parameters (-b option), making C2 configuration more difficult to identify from startup commands.
For command-and-control communication, LabubaRAT supports multiple channels, allowing operators to maintain connectivity even if one method is blocked:
- HTTPS polling
- Microsoft WebView2-based communication
- DNS tunneling
During execution, the malware first gathers detailed information about the infected endpoint and identifies installed security products such as Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Trend Micro, Bitdefender, ESET, Kaspersky, McAfee, Carbon Black, Malwarebytes, and Symantec. This reconnaissance enables attackers to tailor subsequent activities based on the victim’s security posture.
The malware stores operational information locally within nvctr_sys.db and establishes persistence by creating a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, allowing it to automatically execute after user logon.
Recommendations
Organizations should investigate suspicious NVIDIA-related binaries, especially unsigned executables such as nvidia-sysruntime.exe, and verify their legitimacy before allowing execution. Monitoring should also be performed for abnormal persistence mechanisms, including unauthorized entries created under the HKCU\Run registry key.
Security teams should monitor endpoint and network activity for suspicious behaviors associated with LabubaRAT, such as unusual PowerShell or JavaScript execution, unauthorized file transfers, abnormal DNS queries, and unexpected outbound connections to unknown infrastructure. Threat hunting activities should include searching for known indicators of compromise (IOCs), including file hashes, mutex names, database artifacts, and identified C2 domains/IP addresses.
Organizations are also advised to maintain updated EDR solutions, security monitoring rules, and threat intelligence feeds to improve detection capabilities against emerging Rust-based malware and remote access threats.
IOCs
| Type | Indicator | Context |
| File name | nvidia-sysruntime.exe | Analyzed Windows executable |
| SHA-256 | b7443b0ab48d2f5786d1b6f3a580f02621e9ae5a3877ee3a44e01df13d984328 | Analyzed LabubaRAT sample |
| MD5 | d8bf355a198fb5db3ea65cfdfcdfbd19 | Analyzed LabubaRAT sample |
| PDB path | nvidia_container.pdb | Debug path artifact |
| Build path username | C:\Users\funt\.cargo\registry\… | Rust build path artifact |
| Mutex | Local\NVIDIAContainerMonitor_SingleInstance | Single instance mutex |
| Local database | nvctr_sys.db | SQLite local state database |
| C2 URL | hxxps://pipicka[.]xyz | Observed configured server |
| IP Address | 191.44.109[.]130 | Identified related infrastructure |
| IP Address | 87.120.108[.]18 | Identified related infrastructure |
| IP Address | 168.222.254[.]204 | Identified related infrastructure |
Source
