LabubaRAT Poses as NVIDIA Software: What to Check

Brendan Smith
Brendan Smith - Cybersecurity Analyst
6 Min Read
A fake NVIDIA runtime file split open to reveal remote-control cables and a camera
LabubaRAT used an unsigned NVIDIA-themed executable to hide full remote-control capabilities.

Blackpoint Cyber has identified LabubaRAT, a previously undocumented Rust-based remote access trojan that disguises itself as NVIDIA software on Windows. The analyzed file, nvidia-sysruntime.exe, was unsigned but claimed to be an “NVIDIA Container Runtime Monitor.” If that exact file ran on a PC, treat the machine as remotely controlled—not as a graphics-driver problem.

The report does not describe a vulnerability in NVIDIA products or prove that every NVIDIA-looking process is malicious. The useful distinction is the combination of an unexpected executable, no valid signature, mismatched vendor metadata, LabubaRAT artifacts, and remote-control behavior.

Analysis of nvidia-sysruntime.exe showing an unsigned file with NVIDIA-themed version metadata
The analyzed nvidia-sysruntime.exe was unsigned despite claiming NVIDIA Corporation and NVIDIA Container Runtime Monitor metadata. Source: Blackpoint Cyber APG.

What LabubaRAT can do on a Windows PC

LabubaRAT is a complete remote-access implant rather than a small downloader. It can inventory the host and installed security tools, run cmd.exe, PowerShell, or JavaScript tasks, capture screenshots, upload and download files, create archives, and turn the infected computer into a SOCKS5 proxy. It supports HTTPS polling, WebView2 communication, and DNS tunneling.

Artifact Why it matters
nvidia-sysruntime.exe Unsigned 64-bit Rust executable with false NVIDIA version information.
nvctr_sys.db SQLite database used to store enrollment, server, device, DNS, and polling state.
Local\NVIDIAContainerMonitor_SingleInstance Mutex that keeps one copy running while preserving the NVIDIA disguise.
HKCU Run persistence An install mode can add user-level autostart with encoded configuration arguments.
pipicka[.]xyz Observed command server whose page exposed the LabubaPanel name and Labubu-themed favicon.

How to check whether nvidia-sysruntime.exe is the RAT

  1. Find the full path and command line. In Task Manager, open the process file location. Also check Task Manager Startup apps and Microsoft Autoruns for an entry that launches the file with a long Base64-like argument.
  2. Check the digital signature. Open the file’s Properties and look for a valid Digital Signatures tab. The analyzed LabubaRAT sample was unsigned despite claiming NVIDIA Corporation in version metadata.
  3. Calculate the hash without running the file. In PowerShell, use Get-FileHash -Algorithm SHA256 "C:\path\to\nvidia-sysruntime.exe". Blackpoint reported SHA-256 b7443b0ab48d2f5786d1b6f3a580f02621e9ae5a3877ee3a44e01df13d984328.
  4. Look for supporting artifacts. Search the same folder and user profile for nvctr_sys.db, its -wal/-shm files, unexpected wupd_ JavaScript files, and an HKCU Run value that relaunches the executable.
  5. Do not judge by the NVIDIA name alone. Legitimate NVIDIA software should come from NVIDIA, Windows Update, or the PC manufacturer and carry a consistent path, signature, package history, and behavior.

For a safer way to inspect unknown autoruns before deleting them, use the suspicious startup apps checklist. The broader remote access trojan guide explains why screenshot, shell, file-transfer, and proxy capabilities change the response from simple file removal to full incident cleanup.

What to do if LabubaRAT ran

  1. Disconnect the PC from the network. This interrupts command polling, file transfer, proxying, and new operator tasks. In a managed environment, preserve the file path, command line, hash, and relevant logs before cleanup.
  2. End the process and disable its autorun. Do not delete unrelated NVIDIA drivers or services. Disable only the verified malicious entry and keep a note of its original path and registry value.
  3. Run a full malware scan. Removing the visible executable may leave the autorun, database, scripts, downloaded tools, or another payload. Use Gridinsoft Anti-Malware to scan for the implant and persistence, remove detections, reboot, and scan again if activity returns.
  4. Recheck persistence and traffic. Review Startup, Autoruns, Task Scheduler, services, recent downloads, and outbound DNS/HTTPS activity. Confirm that nvidia-sysruntime.exe, nvctr_sys.db, and unknown encoded launch commands do not return.
  5. Reset exposed accounts from a clean device. The report does not claim a dedicated password-stealing module, but remote command, screenshot, and file access mean an operator could reach data available to the user. Change important passwords, revoke active sessions, and review MFA after the endpoint is clean.
  6. Reinstall only from an official source. If a real NVIDIA component is needed, download it through NVIDIA’s official software/driver pages, Windows Update, or the PC maker instead of restoring the suspicious file.
Check this NVIDIA-looking process before trusting it

If the process path is wrong, the name imitates a Windows component, or high CPU started after an unknown installer, scan for hidden miners, services, startup entries, and bundled components.

Scan for LabubaRAT leftovers

Who needs to act?

Act now if the exact filename or hash appears, an unsigned NVIDIA-themed executable launches from an unexpected location, the LabubaRAT database/mutex is present, or the process shows remote-control and tunneling behavior. Owning an NVIDIA GPU or having signed NVIDIA drivers installed does not by itself indicate infection. The original report does not identify a mass-delivery method, so exposure should be verified from artifacts rather than assumed from the brand name.

References

  1. Sam Decker and Nevan Beal. “LabubaRAT: A Rust Based Remote Access Tool Masquerading as NVIDIA Software.” Blackpoint Cyber Adversary Pursuit Group, July 14, 2026, accessed July 14, 2026. https://blackpointcyber.com/blog/labubarat-a-rust-based-remote-access-tool-masquerading-as-nvidia-software/
  2. NVIDIA. “NVIDIA Software.” NVIDIA, accessed July 14, 2026. https://www.nvidia.com/en-us/software/
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?