Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers
Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers
https://thehackernews.com/2026/03/speagle-malware-hijacks-cobra-docguard.html
Publish Date: 2026-03-19 15:16:00
Source Domain: thehackernews.com
Cybersecurity researchers have flagged a new malware dubbed Speagle that hijacks the functionality and infrastructure of a legitimate program called Cobra DocGuard.
“Speagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard server that has been compromised by the attackers, masking the data exfiltration process as legitimate communications between client and server,” Symantec and Carbon Black researchers said in a report published today.
Cobra DocGuard is a document security and encryption platform developed by EsafeNet. The abuse of this software in real-world attacks has been publicly recorded twice to date. In January 2023, ESET documented an intrusion where a gambling company in Hong Kong was compromised in September 2022 via a malicious update pushed by the software.
Later that August, Symantec highlighted the activity of a new threat cluster codenamed Carderbee, which was found using a trojanized version of the program to deploy PlugX, a backdoor widely used by Chinese hacking groups like Mustang Panda. The attacks targeted multiple organizations in Hong Kong and other Asian countries.
Speagle remains unattributed to date. But what makes the malware noteworthy is that it’s designed to gather and exfiltrate data from only those systems that have the Cobra DocGuard data protection software installed. The activity is being tracked under the moniker Runningcrab.
“This indicates deliberate targeting, possibly to facilitate intelligence collection or industrial espionage,” the Broadcom-owned threat hunting teams said. “At present, we believe the most likely hypotheses are that it is either the work of a state-sponsored actor or the work of a private contractor available for hire.”
Exactly how the malware is delivered to victims is unknown, although it’s suspected that it may have been done via a supply chain attack, as…
