Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

LabubaRAT: A Rust Based Remote Access Tool Masquerading as NVIDIA Software

0
Medium
Published: 07/14/2026 (07/14/2026, 21:17:45 UTC)
Source: AlienVault OTX General

Description

LabubaRAT is a Rust-based remote access tool that masquerades as NVIDIA software using fake metadata and runtime artifacts. It establishes persistent access on infected hosts, enabling operators to perform host profiling, identify security tools, execute commands, transfer files, capture screenshots, and proxy traffic. The malware supports multiple communication channels including HTTPS polling, WebView2-based communication, and DNS tunneling. It uses a configurable framework with parameters suggesting a Malware-as-a-Service model and maintains local state in SQLite databases. LabubaRAT also supports PowerShell and JavaScript execution, SOCKS5 proxy functionality, and user-level persistence via registry autoruns. Its command and control infrastructure, branded as LabubaPanel, is hosted on German providers.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 14:34:27 UTC

Technical Analysis

LabubaRAT is a previously undocumented remote access tool written in Rust that disguises itself as NVIDIA software through falsified metadata and runtime artifacts. It creates persistent footholds on compromised systems, allowing hands-on operator activity such as host profiling, security tool detection, command execution, file transfers, screenshot capture, and traffic proxying. The implant communicates via multiple methods including HTTPS polling, WebView2-based communication, and DNS tunneling. Its modular framework uses organization, group, server, and API key parameters indicative of a Malware-as-a-Service platform. The malware stores local state in SQLite databases and provides extensive remote access capabilities including PowerShell and JavaScript execution, SOCKS5 proxy support, and persistence through registry autoruns. Infrastructure analysis shows LabubaPanel branding with command and control servers hosted by German providers. Indicators include specific file hashes, IP addresses, and domains associated with the malware.

Potential Impact

LabubaRAT enables attackers to maintain persistent remote access to infected hosts, facilitating comprehensive control including command execution, data exfiltration, and network traffic proxying. Its ability to evade detection by masquerading as legitimate NVIDIA software and use multiple communication channels increases its stealth and operational flexibility. The malware's persistence mechanisms and modular design allow sustained unauthorized access and potential lateral movement within targeted environments.

Mitigation Recommendations

No official patch or remediation is available as this is malware rather than a software vulnerability. Mitigation should focus on detection and removal using updated endpoint protection solutions capable of identifying LabubaRAT indicators such as the provided hashes, IP addresses, and domains. Network monitoring for suspicious HTTPS polling, WebView2 communications, and DNS tunneling may aid detection. Since the malware uses user-level persistence via registry autoruns, reviewing and cleaning autorun entries is recommended. Organizations should also verify the authenticity of NVIDIA software installations to prevent masquerading attacks. There is no indication that this malware is currently exploited in the wild, but vigilance is advised.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://blackpointcyber.com/blog/labubarat-a-rust-based-remote-access-tool-masquerading-as-nvidia-software/"]
Adversary
null
Pulse Id
6a56a77949905f89b073e5fd
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hashd8bf355a198fb5db3ea65cfdfcdfbd19
hash8c4e4804f21649e5ddc6a5670f3b3828a43bff304f02f184f9842c2569570f3d
hashb7443b0ab48d2f5786d1b6f3a580f02621e9ae5a3877ee3a44e01df13d984328

Ip

ValueDescriptionCopy
ip168.222.254.204
ip191.44.109.130
ip87.120.108.18

Url

ValueDescriptionCopy
urlhttps://pipicka.xyz

Domain

ValueDescriptionCopy
domainpipicka.xyz

Threat ID: 6a5796db68715ace43de0d07

Added to database: 07/15/2026, 14:19:07 UTC

Last enriched: 07/15/2026, 14:34:27 UTC

Last updated: 07/15/2026, 16:00:48 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses