Published on July 15, 2026

LabubaRAT Rust Malware Masquerades as NVIDIA Software to Backdoor Windows Systems


Severity

Medium

Detail

A newly identified Rust-based Remote Access Trojan (RAT) named LabubaRAT has been discovered targeting Windows systems. The malware disguises itself as a legitimate NVIDIA component by using NVIDIA-related metadata, debug artifacts, file names, mutexes, and local database names to avoid raising suspicion in environments where NVIDIA software is commonly installed. Unlike traditional malware that contains hardcoded infrastructure, LabubaRAT is designed as a reusable malware framework. Threat actors can configure deployment parameters such as the command-and-control (C2) server, organization identifier, API key, polling interval, DNS settings, and device information at runtime, allowing the same binary to be reused across multiple campaigns.

The malware profiles compromised hosts by collecting system information, including the hostname, CPU model, installed memory, IP address, domain membership, User Account Control (UAC) status, installed browsers, and security software. It also supports a wide range of malicious capabilities, including remote command execution, PowerShell and JavaScript execution, screenshot capture, file upload/download, SOCKS5 proxy functionality, DNS tunneling, and persistence through the HKCU\Run registry key.

How?

LabubaRAT masquerades as an NVIDIA application by using artifacts such as:

  • File name: nvidia-sysruntime.exe
  • Mutex: Local\NVIDIAContainerMonitor_SingleInstance
  • Local SQLite database: nvctr_sys.db
  • NVIDIA-themed version information and debug paths.

To conceal its configuration, the malware accepts runtime parameters via command-line arguments or environment variables prefixed with ZM_. It also supports Base64-encoded parameters (-b option), making C2 configuration more difficult to identify from startup commands.

For command-and-control communication, LabubaRAT supports multiple channels, allowing operators to maintain connectivity even if one method is blocked:

  • HTTPS polling
  • Microsoft WebView2-based communication
  • DNS tunneling

During execution, the malware first gathers detailed information about the infected endpoint and identifies installed security products such as Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Trend Micro, Bitdefender, ESET, Kaspersky, McAfee, Carbon Black, Malwarebytes, and Symantec. This reconnaissance enables attackers to tailor subsequent activities based on the victim’s security posture.

The malware stores operational information locally within nvctr_sys.db and establishes persistence by creating a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, allowing it to automatically execute after user logon.

Recommendations

Organizations should investigate suspicious NVIDIA-related binaries, especially unsigned executables such as nvidia-sysruntime.exe, and verify their legitimacy before allowing execution. Monitoring should also be performed for abnormal persistence mechanisms, including unauthorized entries created under the HKCU\Run registry key.

Security teams should monitor endpoint and network activity for suspicious behaviors associated with LabubaRAT, such as unusual PowerShell or JavaScript execution, unauthorized file transfers, abnormal DNS queries, and unexpected outbound connections to unknown infrastructure. Threat hunting activities should include searching for known indicators of compromise (IOCs), including file hashes, mutex names, database artifacts, and identified C2 domains/IP addresses.

Organizations are also advised to maintain updated EDR solutions, security monitoring rules, and threat intelligence feeds to improve detection capabilities against emerging Rust-based malware and remote access threats.

IOCs

TypeIndicatorContext
File name nvidia-sysruntime.exe Analyzed Windows executable 
SHA-256 b7443b0ab48d2f5786d1b6f3a580f02621e9ae5a3877ee3a44e01df13d984328 Analyzed LabubaRAT sample 
MD5 d8bf355a198fb5db3ea65cfdfcdfbd19 Analyzed LabubaRAT sample 
PDB path nvidia_container.pdb Debug path artifact 
Build path username C:\Users\funt\.cargo\registry\… Rust build path artifact 
Mutex Local\NVIDIAContainerMonitor_SingleInstance Single instance mutex 
Local database nvctr_sys.db SQLite local state database 
C2 URL hxxps://pipicka[.]xyz Observed configured server 
IP Address 191.44.109[.]130 Identified related infrastructure 
IP Address 87.120.108[.]18 Identified related infrastructure 
IP Address 168.222.254[.]204 Identified related infrastructure 

Source

https://gbhackers.com/labubarat-rust-malware/