LabubaRAT, a newly identified Rust-based remote access tool (RAT), has come to light through the diligent efforts of Blackpoint Cyber. This sophisticated malware cleverly disguises itself as NVIDIA software, facilitating post-compromise operations on Windows systems. Researchers have noted that LabubaRAT establishes a “reusable foothold for hands-on activity,” enabling it to perform a range of functions once deployed.
Upon installation, LabubaRAT can effectively profile the host system, identify installed security tools, execute operator commands, transfer files, capture screenshots, and proxy network traffic through the compromised machine. The malware derives its name from the discovery of a “LabubaPanel” title and a Labubu-themed favicon within its command-and-control (C2) infrastructure.
Configuration built for reuse
Distinctively, LabubaRAT does not hardcode its infrastructure into the binary. Instead, it retrieves its configuration at launch via command-line arguments or corresponding environment variables. This flexibility allows operators to specify essential parameters such as the command-and-control server, organization, group tag, and API key at runtime. These values dictate how the malware connects to its infrastructure and the frequency of its command check-ins. Alternatively, operators can consolidate these parameters into a single Base64-encoded configuration block, which the malware decodes during execution.
Researchers highlighted that “because those values were provided at launch, the same compiled binary could be reused with different infrastructure, organizations, or campaign groupings instead of relying on a hardcoded server.” Following enrollment with its command-and-control server, LabubaRAT maintains local state in a SQLite database named nvctr_sys.db and supports communication through HTTPS polling, Microsoft Edge WebView2, and DNS tunneling. This multi-channel communication approach ensures connectivity remains intact even if one path becomes unavailable.
A full remote access toolkit
The analysis of LabubaRAT revealed a robust suite of remote access capabilities. These include command execution, PowerShell and JavaScript execution, screenshot capture, file uploads and downloads, archive handling, and SOCKS5 proxy support. Furthermore, the malware can establish persistence by creating a Windows Run registry key, enabling it to launch automatically after a system reboot.
According to researchers, “those capabilities gave the operator enough control to interact with the host, move files in and out of the environment, route traffic through the system, and maintain access without relying on a separate loader or narrowly scoped follow-on tool.”
Disguised as NVIDIA software
The entry point for this attack chain is an executable named nvidia-sysruntime.exe, an unsigned 64-bit binary that masquerades as NVIDIA’s container runtime toolkit. The version information further reinforces this deception, featuring references to NVIDIA Corporation, NVIDIA Container Runtime Monitor, and NVIDIA Container Toolkit, making the file appear legitimate at first glance.
Before executing operator commands, LabubaRAT conducts a thorough profiling of the compromised host. It checks for installed browsers such as Chrome, Firefox, Edge, and Brave, while also scanning for endpoint security products including Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Sophos, and Bitdefender, among others, through Windows registry uninstall keys. Additionally, the malware gathers information on the hostname, CPU and memory specifications, domain membership, and User Account Control (UAC) status, providing operators with a comprehensive overview of the environment prior to taking further action.
Researchers concluded that “LabubaRAT is more than a renamed binary with fake NVIDIA metadata. The sample combined runtime configuration, local state, host profiling, multiple communication paths, and operator tasking into a complete remote access tool.” Its architecture suggests that LabubaRAT was designed for reuse across various operations, although Blackpoint refrained from categorizing it as a malware-as-a-service offering. To aid in the defense against this threat, the company has shared indicators of compromise to help identify and detect LabubaRAT activity.