{"id":326,"date":"2026-03-19T21:23:30","date_gmt":"2026-03-19T21:23:30","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=326"},"modified":"2026-03-19T21:23:30","modified_gmt":"2026-03-19T21:23:30","slug":"speagle-malware-hijacks-cobra-docguard-to-steal-data-via-compromised-servers","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=326","title":{"rendered":"Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 19, 2026<\/span><\/span><span class=\"p-tags\">Cyber Espionage \/ Threat Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZSgCN7uAT0GxA_9D78X0Q9nRTRmUKPnhIvtgPrg32f62joth8HoaFjuZ68g1l10CVcTjQXiaw3ueNoItw0YN8edclDT-c6IHodK_nSRjPFqUH2hTfceviQi1UZ_6Mo2NvGlkVNIdx3CvxpobdFm3jVUuvvdIDcn5LIKQFNNFe7MScF824trW9pajXcM3l\/s1700-e365\/locks.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Cybersecurity researchers have flagged a new malware dubbed <strong>Speagle<\/strong> that hijacks the functionality and infrastructure of a legitimate program called Cobra DocGuard.<\/p>\n<p>\u00abSpeagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard server that has been compromised by the attackers, masking the data exfiltration process as legitimate communications between client and server,\u00bb Symantec and Carbon Black researchers <a href=\"https:\/\/www.security.com\/threat-intelligence\/speagle-cobradocguard-infostealer\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report published today.<\/p>\n<p>Cobra DocGuard is a document security and 
encryption platform developed by EsafeNet. The abuse of this software in real-world attacks has been publicly recorded twice to date. In January 2023, ESET documented an intrusion in which a gambling company in Hong Kong was compromised in September 2022 via a malicious update delivered through the software&#8217;s own update mechanism.<\/p>\n<p>Later that August, Symantec highlighted the activity of a new threat cluster codenamed Carderbee, which was found using a trojanized version of the program to deploy PlugX, a backdoor widely used by Chinese hacking groups like Mustang Panda. The attacks targeted multiple organizations in Hong Kong and other Asian countries.<\/p>\n<p>Speagle remains unattributed to date. What makes the malware noteworthy is that it&#8217;s designed to gather and exfiltrate data only from systems that have the Cobra DocGuard data protection software installed. The activity is being tracked under the moniker Runningcrab.<\/p>\n<p>\u00abThis indicates deliberate targeting, possibly to facilitate intelligence collection or industrial espionage,\u00bb the Broadcom-owned threat hunting teams said. 
\u00abAt present, we believe the most likely hypotheses are that it is either the work of a state-sponsored actor or the work of a private contractor available for hire.\u00bb<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgV9OJAGiesaexMSrxC61ZuTyY7JrRNFPjO8PCl9F0az-S4TcDosgcwxRswIM6i0FNzuzsSIAnRIcWqF8iAY3ZWrbWbT2LfJ3MwBWp7V498n427jW1zFOTqmD6ow_OXL90QvNuzvchiVk569zZsnL0Q75hqeet-YwAHw7Xp06HvvJE2lg9BkdRtKjn7jbt5\/s1700-e365\/code.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgV9OJAGiesaexMSrxC61ZuTyY7JrRNFPjO8PCl9F0az-S4TcDosgcwxRswIM6i0FNzuzsSIAnRIcWqF8iAY3ZWrbWbT2LfJ3MwBWp7V498n427jW1zFOTqmD6ow_OXL90QvNuzvchiVk569zZsnL0Q75hqeet-YwAHw7Xp06HvvJE2lg9BkdRtKjn7jbt5\/s1700-e365\/code.png\" alt=\"\" border=\"0\" data-original-height=\"460\" data-original-width=\"900\"\/><\/a><\/div>\n<p>Exactly how the malware is delivered to victims is unknown, although it&#8217;s suspected to arrive via a supply chain attack, a hypothesis made plausible by the two earlier cases in which the software&#8217;s update channel was abused.<\/p>\n<p>In addition, the central role played by the security software and its infrastructure deserves a mention. Not only does Speagle use a legitimate but attacker-compromised Cobra DocGuard server for command-and-control (C2) and as a data exfiltration point, it also invokes a driver associated with the program to delete itself from the compromised host. The practical consequence for defenders is that allow-listing the vendor server by destination alone will not surface the exfiltration; the originating process has to be examined as well.<\/p>\n<p>The 32-bit .NET executable, once launched, first checks the installation folder of Cobra DocGuard and then proceeds to harvest and transmit data from the infected machine in phases. 
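<\/p>\n<p>The pattern just described, a .NET process that is not the Cobra DocGuard client yet speaks to the DocGuard server and reads local artifacts, is what a hunting query should key on. What follows is an added example written for this page; it is not code from the Symantec and Carbon Black report, nor from Cobra DocGuard. It correlates constructed process, network and file-access telemetry and scores each process on two signals the article gives: contacting the DocGuard server without being the DocGuard client, and reading browser history or autofill databases without being a browser. The server hostname, the client image name, the browser artifact file names and every sample record are assumptions chosen for illustration, not values from the report.<\/p>

```python
# Added hunting example (not code from the Symantec and Carbon Black report
# or from Cobra DocGuard). It scores processes on two signals the article
# describes: exfiltration to the DocGuard server by something other than the
# DocGuard client, and collection of browser artifacts by a non-browser.
from collections import namedtuple

# Hypothetical deployment values: the real server name and client binary
# name are not given in the article and would come from the local install.
DOCGUARD_SERVER = 'docguard.corp.example'
DOCGUARD_CLIENT_IMAGES = {'cdgclient.exe'}

# Browser profile databases holding history and autofill data. Chrome and
# Edge keep them as History, Web Data and Login Data; Firefox as
# places.sqlite and formhistory.sqlite.
BROWSER_ARTIFACTS = ('/History', '/Web Data', '/Login Data',
                     '/places.sqlite', '/formhistory.sqlite')
BROWSER_IMAGES = {'chrome.exe', 'msedge.exe', 'firefox.exe'}

Proc = namedtuple('Proc', 'host pid image')

# Constructed sample telemetry (not real captures). Paths use forward
# slashes so the sample stays free of escape sequences.
NET_EVENTS = [
    {'host': 'ws01', 'pid': 4120, 'image': 'cdgclient.exe', 'dst': 'docguard.corp.example', 'dport': 443},
    {'host': 'ws01', 'pid': 7788, 'image': 'update.exe', 'dst': 'docguard.corp.example', 'dport': 443},
    {'host': 'ws02', 'pid': 300, 'image': 'chrome.exe', 'dst': 'www.example.org', 'dport': 443},
    {'host': 'ws03', 'pid': 9001, 'image': 'notepad.exe', 'dst': 'DocGuard.corp.example', 'dport': 443},
]
FILE_EVENTS = [
    {'host': 'ws01', 'pid': 7788, 'image': 'update.exe', 'path': 'C:/Users/alice/AppData/Local/Google/Chrome/User Data/Default/History'},
    {'host': 'ws01', 'pid': 7788, 'image': 'update.exe', 'path': 'C:/Users/alice/AppData/Local/Google/Chrome/User Data/Default/Web Data'},
    {'host': 'ws02', 'pid': 300, 'image': 'chrome.exe', 'path': 'C:/Users/bob/AppData/Local/Google/Chrome/User Data/Default/History'},
    {'host': 'ws02', 'pid': 555, 'image': 'svchost.exe', 'path': 'C:/Users/bob/AppData/Roaming/Mozilla/Firefox/Profiles/x1.default/places.sqlite'},
]


def docguard_talkers(net_events):
    # Processes that reach the DocGuard server but are not the client binary.
    hits = set()
    for ev in net_events:
        if ev['dst'].lower() == DOCGUARD_SERVER and ev['image'].lower() not in DOCGUARD_CLIENT_IMAGES:
            hits.add(Proc(ev['host'], ev['pid'], ev['image'].lower()))
    return hits


def browser_artifact_readers(file_events):
    # Non-browser processes that open browser history or autofill databases.
    hits = set()
    for ev in file_events:
        if ev['path'].endswith(BROWSER_ARTIFACTS) and ev['image'].lower() not in BROWSER_IMAGES:
            hits.add(Proc(ev['host'], ev['pid'], ev['image'].lower()))
    return hits


def speagle_like_candidates(net_events, file_events):
    # Join both signals on (host, pid, image); a process showing both is the
    # strongest match for the parasitic pattern the report describes.
    exfil = docguard_talkers(net_events)
    collect = browser_artifact_readers(file_events)
    findings = []
    for proc in exfil | collect:
        reasons = []
        if proc in exfil:
            reasons.append('non-client process contacted DocGuard server')
        if proc in collect:
            reasons.append('non-browser process read browser artifact')
        findings.append({'host': proc.host, 'pid': proc.pid, 'image': proc.image,
                         'score': len(reasons), 'reasons': reasons})
    # Highest score first, then stable ordering by host and pid for triage.
    findings.sort(key=lambda f: (-f['score'], f['host'], f['pid']))
    return findings


if __name__ == '__main__':
    for finding in speagle_like_candidates(NET_EVENTS, FILE_EVENTS):
        print(finding)
```

<p>The join on (host, pid, image) is the point: destination-based allow-listing passes this traffic because the server really is the organization&#8217;s DocGuard server, so only the originating image distinguishes the client from something riding on its infrastructure. In a real deployment the hostname and image names come from the local DocGuard configuration, and the file events come from the EDR&#8217;s file-access telemetry. The harvest that follows the folder check, as the report describes it, proceeds in phases. 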
This includes details about the system and files located in specific folders, such as those that contain web browser history and autofill data.<\/p>\n<p>What&#8217;s more, one variant of Speagle has been found to incorporate additional functionality to enable or disable particular categories of data collection, as well as to search for files related to Chinese ballistic missiles like the Dongfeng-27 (aka DF-27).<\/p>\n<p>\u00abSpeagle is a novel, parasitic threat that cleverly makes use of Cobra DocGuard&#8217;s client to mask its malicious activity and its infrastructure to hide exfiltration traffic,\u00bb researchers said. 
\u00abIts developer no doubt took notice of previous supply chain attacks using the software and may have selected it both for its perceived vulnerability and its high rate of use among targeted organizations.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Mar 19, 2026. Cyber Espionage \/ Threat Intelligence. Cybersecurity researchers have flagged a new malware dubbed Speagle that hijacks the functionality and infrastructure of a legitimate program called Cobra DocGuard.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":327,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[775,227,38,776,774,42,777,773,571],"class_list":["post-326","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-cobra","tag-compromised","tag-data","tag-docguard","tag-hijacks","tag-malware","tag-servers","tag-speagle","tag-steal"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=326"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/326\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/327"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=326"}],"wp:term":[{"taxonomy":"category","embed
dable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}