Speagle hijacks the functionality and infrastructure of the legitimate Cobra DocGuard document protection software to stealthily harvest and exfiltrate sensitive information from infected systems. The campaign, tracked as Runningcrab and linked to prior supply-chain abuses of Cobra DocGuard, uses compromised servers and legitimate client drivers for C2 and cleanup, suggesting deliberate targeting possibly tied to espionage. #Speagle #CobraDocGuard
Keypoints
- Speagle abuses Cobra DocGuard's client and servers to mask malicious activity and data exfiltration.
- The malware harvests system details, browser history, autofill data, and files from specific folders in phases.
- One Speagle variant can enable or disable types of data collection and search for files related to Dongfeng-27 (DF-27) missiles.
- Researchers suspect a supply-chain delivery vector based on previous trojanized Cobra DocGuard updates.
- Attribution is unknown, but defenders believe a state-sponsored actor or a hired private contractor may be responsible (tracked as Runningcrab).
Read More: https://thehackernews.com/2026/03/speagle-malware-hijacks-cobra-docguard.html