LabubaRAT Rust RAT masquerading as NVIDIA software on Windows
Malware Activity
Summary
Hide ▲
Show ▼
A newly documented Rust-based RAT, LabubaRAT, now gives operators Windows host control with file movement, screenshot capture, and traffic proxying. The malware masquerades as NVIDIA software and uses nvidia-sysruntime.exe to blend into target environments. It can communicate over HTTPS, WebView2, or DNS tunneling, which makes shutdown harder once it lands. Researchers also saw signs of a malware-as-a-service model, which could widen reuse across deployments.
Related Happenings
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score23
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
SprySOCKS Windows backdoor activity against government organizations
Malware ActivityAbout this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
OnyxC2 stealer remote-access and credential-theft activity
Malware Activity
H score23
First: 11.06.2026 16:00
Last: 11.06.2026 16:00
Sources 1
About this happening:
The **OnyxC2 stealer** has expanded into **remote-access and persistence-enabled credential theft**, giving buyers a way to harvest browser, extension, wallet, and business-app da...
OnyxC2 stealer remote-access and credential-theft activity
Malware ActivityAbout this happening: The **OnyxC2 stealer** has expanded into **remote-access and persistence-enabled credential theft**, giving buyers a way to harvest browser, extension, wallet, and business-app da...
GPU cryptomining malware using ScreenConnect and SEO poisoning
Malware Activity
H score16
First: 28.05.2026 00:31
Last: 28.05.2026 00:31
Sources 1
About this happening:
A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...
GPU cryptomining malware using ScreenConnect and SEO poisoning
Malware ActivityAbout this happening: A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
H score23
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
ABCDoor backdoor activity in Silver Fox attacks
Malware ActivityAbout this happening: The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
DRILLAPP JavaScript backdoor through Microsoft Edge
Malware Activity
H score24
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...
DRILLAPP JavaScript backdoor through Microsoft Edge
Malware ActivityAbout this happening: Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...
Timeline
-
14.07.2026 19:52 2 articles · 1h ago
Blackpoint Cyber identifies LabubaRAT masquerading as NVIDIA software on Windows hosts
Technical Analysis UpdateBlackpoint Cyber identifies LabubaRAT as a previously undocumented Rust-based remote access trojan that blends into Windows environments by masquerading as NVIDIA software. The malware starts from nvidia-sysruntime.exe, accepts runtime command-line configuration instead of hard-coded C2 data, stores settings in a local SQLite database, profiles the host and installed security tools, and supports command execution, PowerShell execution, JavaScript execution, screenshot capture, file upload and download, archive handling, SOCKS5 proxy support, HTTPS, WebView2, and DNS tunneling.
Show sources
- LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts — thehackernews.com — 14.07.2026 19:52
- LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts — thehackernews.com — 14.07.2026 19:52