Cybersecurity experts have identified a newly discovered malware strain named Speagle, which abuses the features and infrastructure of a legitimate document security tool, Cobra DocGuard, to carry out covert data theft operations.
According to a recent report by Symantec and Carbon Black researchers, the malware quietly collects sensitive data from infected systems and transfers it to a compromised Cobra DocGuard server. This process is cleverly disguised as normal communication between the software client and its server, making detection significantly harder.
Cobra DocGuard, developed by EsafeNet, is widely used for document encryption and security. However, this is not the first time the software has been misused in real-world cyberattacks. In early 2023, security researchers uncovered an incident involving a Hong Kong-based gambling company that was compromised through a malicious software update linked to Cobra DocGuard.
Later that same year, another campaign was exposed involving a threat group known as Carderbee. In that case, attackers deployed a modified version of the software to install PlugX, a well-known backdoor tool frequently used by advanced threat actors. These attacks mainly targeted organizations across Hong Kong and other parts of Asia.
Targeted Data Collection Raises Concerns
What makes Speagle particularly concerning is its selective targeting capability. The malware is specifically designed to operate only on systems where Cobra DocGuard is installed, indicating a highly focused attack strategy. Security teams are currently tracking this activity under the name “Runningcrab.”
Experts believe this level of precision suggests a deliberate effort, possibly linked to intelligence gathering or industrial espionage. Analysts from Broadcom’s threat research division suggest that the operation could be associated with either state-sponsored actors or professional cyber mercenaries.

Suspected Supply Chain Attack Vector
Although the exact method used to distribute Speagle remains unclear, researchers suspect a supply chain attack may be involved. This assumption is based on similarities with previous incidents where Cobra DocGuard updates were exploited to infiltrate systems.
Another critical aspect of this campaign is the malware’s use of legitimate infrastructure. Speagle relies on Cobra DocGuard servers for command-and-control communication and data exfiltration. Additionally, it uses a legitimate driver from the software to remove traces of itself from infected machines, enhancing its stealth capabilities.
Advanced Data Harvesting Techniques
Once executed, the 32-bit .NET-based malware checks whether Cobra DocGuard is installed on the system. If it is, the malware begins collecting data in multiple stages. The stolen information includes system details and files taken from specific directories, including browser history and autofill data.
In some variants, Speagle includes advanced features that allow attackers to control what type of data is collected. It can also search for files related to sensitive topics, including Chinese missile systems like Dongfeng-27 (DF-27), highlighting its potential use in espionage operations.