LabubaRAT: A Rust Based Remote Access Tool Masquerading as NVIDIA Software
Essential information
- Published
- 14/07/2026 23:17
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- dns tunneling labubapanel labubarat rust socks5 proxy webview2
- Related entities
- 7 indicators, 5 observables, 23 techniques (mitre), 1 malware
Description
A previously undocumented remote access tool named LabubaRAT has been identified, masquerading as NVIDIA software through fake metadata and runtime artifacts. This Rust-based malware creates persistent footholds enabling hands-on operator activity including host profiling, security tool identification, command execution, file transfers, screenshot capture, and traffic proxying. The implant supports multiple communication methods including HTTPS polling, WebView2-based communication, and DNS tunneling. It uses a configurable framework model with organization, group, server, and API key parameters suggesting a Malware-as-a-Service platform. The malware maintains local state in SQLite databases and provides comprehensive remote access capabilities including PowerShell and JavaScript execution, SOCKS5 proxy support, and user-level persistence through registry autoruns. Infrastructure analysis revealed LabubaPanel branding with associated command and control servers hosted on German providers.