LabubaRAT: A Rust Based Remote Access Tool Masquerading as NVIDIA Software
LabubaRAT is a Rust-based remote access tool that masquerades as NVIDIA software using fake metadata and runtime artifacts. It establishes persistent access on infected hosts, enabling operators to perform host profiling, identify security tools, execute commands, transfer files, capture screenshots, and proxy traffic. The malware supports multiple communication channels including HTTPS polling, WebView2-based communication, and DNS tunneling. It uses a configurable framework with parameters suggesting a Malware-as-a-Service model and maintains local state in SQLite databases. LabubaRAT also supports PowerShell and JavaScript execution, SOCKS5 proxy functionality, and user-level persistence via registry autoruns. Its command and control infrastructure, branded as LabubaPanel, is hosted on German providers.
AI Analysis
Technical Summary
LabubaRAT is a previously undocumented remote access tool written in Rust that disguises itself as NVIDIA software through falsified metadata and runtime artifacts. It creates persistent footholds on compromised systems, allowing hands-on operator activity such as host profiling, security tool detection, command execution, file transfers, screenshot capture, and traffic proxying. The implant communicates via multiple methods including HTTPS polling, WebView2-based communication, and DNS tunneling. Its modular framework uses organization, group, server, and API key parameters indicative of a Malware-as-a-Service platform. The malware stores local state in SQLite databases and provides extensive remote access capabilities including PowerShell and JavaScript execution, SOCKS5 proxy support, and persistence through registry autoruns. Infrastructure analysis shows LabubaPanel branding with command and control servers hosted by German providers. Indicators include specific file hashes, IP addresses, and domains associated with the malware.
Potential Impact
LabubaRAT enables attackers to maintain persistent remote access to infected hosts, facilitating comprehensive control including command execution, data exfiltration, and network traffic proxying. Its ability to evade detection by masquerading as legitimate NVIDIA software and use multiple communication channels increases its stealth and operational flexibility. The malware's persistence mechanisms and modular design allow sustained unauthorized access and potential lateral movement within targeted environments.
Mitigation Recommendations
No official patch or remediation is available as this is malware rather than a software vulnerability. Mitigation should focus on detection and removal using updated endpoint protection solutions capable of identifying LabubaRAT indicators such as the provided hashes, IP addresses, and domains. Network monitoring for suspicious HTTPS polling, WebView2 communications, and DNS tunneling may aid detection. Since the malware uses user-level persistence via registry autoruns, reviewing and cleaning autorun entries is recommended. Organizations should also verify the authenticity of NVIDIA software installations to prevent masquerading attacks. There is no indication that this malware is currently exploited in the wild, but vigilance is advised.
Indicators of Compromise
- hash: d8bf355a198fb5db3ea65cfdfcdfbd19
- hash: 8c4e4804f21649e5ddc6a5670f3b3828a43bff304f02f184f9842c2569570f3d
- hash: b7443b0ab48d2f5786d1b6f3a580f02621e9ae5a3877ee3a44e01df13d984328
- ip: 168.222.254.204
- ip: 191.44.109.130
- ip: 87.120.108.18
- url: https://pipicka.xyz
- domain: pipicka.xyz
LabubaRAT: A Rust Based Remote Access Tool Masquerading as NVIDIA Software
Description
LabubaRAT is a Rust-based remote access tool that masquerades as NVIDIA software using fake metadata and runtime artifacts. It establishes persistent access on infected hosts, enabling operators to perform host profiling, identify security tools, execute commands, transfer files, capture screenshots, and proxy traffic. The malware supports multiple communication channels including HTTPS polling, WebView2-based communication, and DNS tunneling. It uses a configurable framework with parameters suggesting a Malware-as-a-Service model and maintains local state in SQLite databases. LabubaRAT also supports PowerShell and JavaScript execution, SOCKS5 proxy functionality, and user-level persistence via registry autoruns. Its command and control infrastructure, branded as LabubaPanel, is hosted on German providers.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
LabubaRAT is a previously undocumented remote access tool written in Rust that disguises itself as NVIDIA software through falsified metadata and runtime artifacts. It creates persistent footholds on compromised systems, allowing hands-on operator activity such as host profiling, security tool detection, command execution, file transfers, screenshot capture, and traffic proxying. The implant communicates via multiple methods including HTTPS polling, WebView2-based communication, and DNS tunneling. Its modular framework uses organization, group, server, and API key parameters indicative of a Malware-as-a-Service platform. The malware stores local state in SQLite databases and provides extensive remote access capabilities including PowerShell and JavaScript execution, SOCKS5 proxy support, and persistence through registry autoruns. Infrastructure analysis shows LabubaPanel branding with command and control servers hosted by German providers. Indicators include specific file hashes, IP addresses, and domains associated with the malware.
Potential Impact
LabubaRAT enables attackers to maintain persistent remote access to infected hosts, facilitating comprehensive control including command execution, data exfiltration, and network traffic proxying. Its ability to evade detection by masquerading as legitimate NVIDIA software and use multiple communication channels increases its stealth and operational flexibility. The malware's persistence mechanisms and modular design allow sustained unauthorized access and potential lateral movement within targeted environments.
Mitigation Recommendations
No official patch or remediation is available as this is malware rather than a software vulnerability. Mitigation should focus on detection and removal using updated endpoint protection solutions capable of identifying LabubaRAT indicators such as the provided hashes, IP addresses, and domains. Network monitoring for suspicious HTTPS polling, WebView2 communications, and DNS tunneling may aid detection. Since the malware uses user-level persistence via registry autoruns, reviewing and cleaning autorun entries is recommended. Organizations should also verify the authenticity of NVIDIA software installations to prevent masquerading attacks. There is no indication that this malware is currently exploited in the wild, but vigilance is advised.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://blackpointcyber.com/blog/labubarat-a-rust-based-remote-access-tool-masquerading-as-nvidia-software/"]
- Adversary
- null
- Pulse Id
- 6a56a77949905f89b073e5fd
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hashd8bf355a198fb5db3ea65cfdfcdfbd19 | — | |
hash8c4e4804f21649e5ddc6a5670f3b3828a43bff304f02f184f9842c2569570f3d | — | |
hashb7443b0ab48d2f5786d1b6f3a580f02621e9ae5a3877ee3a44e01df13d984328 | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip168.222.254.204 | — | |
ip191.44.109.130 | — | |
ip87.120.108.18 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://pipicka.xyz | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainpipicka.xyz | — |
Threat ID: 6a5796db68715ace43de0d07
Added to database: 07/15/2026, 14:19:07 UTC
Last enriched: 07/15/2026, 14:34:27 UTC
Last updated: 07/15/2026, 16:00:48 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.