216.73.216.204

LabubaRAT: A Rust Based Remote Access Tool Masquerading as NVIDIA Software

· Published 14/07/2026 23:17

Export JSON

Essential information

Published
14/07/2026 23:17
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
dns tunneling labubapanel labubarat rust socks5 proxy webview2
Related entities
7 indicators, 5 observables, 23 techniques (mitre), 1 malware

Description

A previously undocumented remote access tool named LabubaRAT has been identified, masquerading as NVIDIA software through fake metadata and runtime artifacts. This -based malware creates persistent footholds enabling hands-on operator activity including host profiling, security tool identification, command execution, file transfers, screenshot capture, and traffic proxying. The implant supports multiple communication methods including HTTPS polling, WebView2-based communication, and . It uses a configurable framework model with organization, group, server, and API key parameters suggesting a Malware-as-a-Service platform. The malware maintains local state in SQLite databases and provides comprehensive remote access capabilities including PowerShell and JavaScript execution, support, and user-level persistence through registry autoruns. Infrastructure analysis revealed LabubaPanel branding with associated command and control servers hosted on German providers.

External references