Researchers uncovered LabubaRAT, a Rust-based RAT posing as NVIDIA software to compromise Windows systems and evade detection.
Cybersecurity researchers have uncovered a previously undocumented remote access trojan (RAT) dubbed LabubaRAT that disguises itself as legitimate NVIDIA software to blend into Windows environments while giving attackers extensive control over compromised systems.
The malware was disclosed by researchers at Blackpoint Cyber on July 14, 2026, who described LabubaRAT as a Rust-based implant designed to establish a persistent foothold after an initial compromise. Rather than relying on hardcoded infrastructure, the malware accepts its command-and-control (C2) configuration at launch, allowing threat actors to reuse the same binary across multiple campaigns.
According to the researchers, the malware is distributed as an unsigned executable named nvidia-sysruntime.exe, which impersonates NVIDIA’s Container Runtime Toolkit. It also contains version information referencing NVIDIA Corporation, NVIDIA Container Runtime Monitor, and NVIDIA Container Toolkit, making the file appear legitimate during a cursory inspection.
Once executed, LabubaRAT stores its runtime configuration in a local SQLite database before profiling the infected system. Researchers found that it checks for the presence of at least 12 endpoint security products, enabling operators to better understand the victim’s defensive environment before carrying out additional activity.
The malware supports a broad range of post-compromise capabilities. Operators can execute shell commands, upload and download files, capture screenshots, launch a SOCKS5 proxy, and route communications over HTTPS, WebView2, or DNS tunneling. Blackpoint Cyber said these features make the malware well suited for long-term interactive intrusions rather than opportunistic attacks.
Researchers noted that separating the malware’s configuration from the compiled binary gives attackers additional flexibility. Infrastructure such as C2 servers and polling intervals can be changed without rebuilding the malware, allowing the same executable to be deployed in different environments with minimal modification.
Blackpoint Cyber has not attributed LabubaRAT to a specific threat actor, and there is currently no evidence linking the malware to a known ransomware group or nation-state operation. However, its capabilities suggest it could be used in a wide range of financially motivated or espionage-related attacks.
Security teams are advised to monitor for suspicious executions of nvidia-sysruntime.exe, investigate unexpected outbound connections, and verify the authenticity of software claiming to originate from NVIDIA. Behavioral monitoring and endpoint detection tools may help identify malicious activity even when malware attempts to masquerade as trusted software.
Related articles :
__Reports are sourced from official documents, law-enforcement updates, and credible investigations.
Discover additional reports, market trends, crime analysis and Harm Reduction articles on DarkDotWeb to stay informed about the latest dark web operations.__