LabubaRAT masquerades as NVIDIA software to control Windows hosts

A new Rust-based RAT called LabubaRAT disguises itself as NVIDIA software and supports multi-channel C2 communications.

CSBadmin
1 Min Read

Cybersecurity researchers at Blackpoint Cyber have flagged a previously undocumented Rust-based remote access trojan called LabubaRAT that masquerades as NVIDIA software to blend into target environments.

“LabubaRAT creates a reusable foothold for hands-on activity,” Blackpoint Cyber researchers said. “Once deployed, it can profile the host, identify security tools, receive operator commands, move files, capture screenshots, and proxy traffic through the affected system.”

The implant supports multiple communication methods including HTTPS, WebView2, and DNS tunneling, allowing attackers to maintain access even if one communication pathway is blocked. The attack chain begins with an executable named “nvidia-sysruntime.exe,” impersonating NVIDIA’s container runtime tooling.

Researchers found evidence suggesting LabubaRAT is offered under a malware-as-a-service model, making it accessible to threat actors regardless of technical sophistication. The Rust-based codebase provides anti-analysis benefits as Rust binaries have different memory layouts than traditional C++ malware.

Organizations should monitor for unexpected NVIDIA-named executables and implement application allowlisting to block unauthorized binaries from executing on their networks.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.