"LabubaRAT creates a reusable foothold for hands-on activity," Blackpoint Cyber researchers Sam Decker and Nevan Beal wrote in an analysis published today. Once deployed, their write-up says, the tool can profile a host, identify security tools, receive operator commands, move files, capture screenshots, and proxy traffic through the affected system.
nvidia-sysruntime.exe and runtime configuration that enables reuse
The campaign begins with an executable named nvidia-sysruntime.exe that impersonates NVIDIA's container runtime toolkit. Rather than embedding its command-and-control (C2) information into the binary, the sample accepts a runtime configuration through command-line arguments. Operators can supply individual parameters such as server details (the researchers observed pipicka[.]xyz) and a polling interval, or pass a single Base64-encoded argument containing the same values.
Blackpoint Cyber notes that because configuration is provided at launch, "the same compiled binary could be reused with different infrastructure, organizations, or campaign groupings instead of relying on a hard-coded server." The runtime settings are then persisted in a local SQLite database on the affected host.
Host profiling, persistence, and operator functions
After enrollment the implant performs discovery to build a profile of the host. It inventories installed web browsers and security products — explicitly checking for Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Sophos, Malwarebytes, Bitdefender, ESET, Kaspersky, McAfee, Symantec, and Trend Micro — and gathers the hostname, RAM size, CPU model, and the Windows User Account Control (UAC) state. Those details, the researchers say, help the operator decide which RAT functionality is advisable given the defensive tooling present.
Functionally, LabubaRAT supports a broad set of operator capabilities: command execution, PowerShell execution, JavaScript execution, screenshot capture, file upload and download, archive handling, and SOCKS5 proxy support. Blackpoint Cyber summarized that "those capabilities gave the operator enough control to interact with the host, move files in and out of the environment, route traffic through the system, and maintain access without relying on a separate loader or narrowly scoped follow-on tool." The sample also implements user-level autostart.
Multiple communication channels and LabubaPanel branding
Resilience is built into the implant's communications. The researchers observed multiple supported channels, including HTTPS, WebView2, and DNS tunneling, allowing attackers to continue operating if one pathway is discovered and shut down. The malware's infrastructure carries the LabubaPanel title and a Labubu-themed favicon, giving the researchers the external naming clue that led to the RAT's informal name, LabubaRAT.
Blackpoint Cyber highlights that the sample is Rust-based and "combined runtime configuration, local state, host profiling, multiple communication paths, and operator tasking into a complete remote access tool." The combination of runtime configuration and multiple comms paths is a structural design that makes scaling and re-deployment easier for operators.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Watch for unexpected executables named nvidia-sysruntime.exe and for persistence or state stored in SQLite after a suspicious launch. The implant's explicit checks for a long list of defenses — from Microsoft Defender to CrowdStrike and SentinelOne — indicate operators may tune follow-on tasks based on which tools are present. Multiple comms channels, including DNS tunneling and WebView2, are specific telemetry vectors to monitor.
- Procurement and enterprise IT leaders: The analysis underscores a risk from tooling that mimics trusted vendor names. Because the binary accepts runtime configuration at launch rather than hard-coded C2s, defenders should consider deployment and validation controls that flag or block unexpected command-line arguments or unknown signed/unsigned binaries claiming to be vendor runtime utilities.
- End users and administrators: The implant gathers basic host attributes — hostname, RAM, CPU model, and UAC state — as part of its fingerprinting. Unexpected processes purporting to be NVIDIA components, particularly those that establish outbound HTTPS, DNS-tunneling activity, or register autostart entries, merit immediate review.
Blackpoint Cyber also notes "some signs that LabubuRAT is being offered under a malware-as-a-service (MaaS) model." That observation follows from the sample's framework-like design: a Rust-based RAT built to be configured, enrolled, and operated across multiple deployments. The combination of runtime configuration, reusable binary, and multiple C2 channels presents both a tactical challenge for defenders and a potential scaling path for operators.
For defenders and investigators the concrete tracing points are clear in the analysis: the executable name nvidia-sysruntime.exe, the observed C2 host pipicka[.]xyz, the SQLite-stored configuration, the inventory of checked browsers and security products, and the LabubaPanel branding. Tracking those artifacts will be central to attributing and containing future detections tied to this framework.
Read the original Blackpoint Cyber analysis at The Hacker News: https://thehackernews.com/2026/07/labubarat-masquerades-as-nvidia.html




