New Speagle Malware Hijacks Cobra DocGuard for State-Sponsored Espionage

Speagle: A Supply Chain Weapon Disguised as Legitimate Traffic

Cybersecurity researchers have uncovered a sophisticated new malware called Speagle that hijacks the infrastructure of Cobra DocGuard, a legitimate document security and encryption platform developed by EsafeNet. The malware uses compromised Cobra DocGuard servers as command-and-control (C2) nodes and data exfiltration points, disguising malicious traffic as normal client-server communications.

Attribute	Value
Malware Name	Speagle
Type	.NET Infostealer / Espionage Tool
Campaign Tracked As	Runningcrab
Target Software	Cobra DocGuard (EsafeNet)
C2 Method	Compromised Cobra DocGuard servers
Attribution	Suspected state-sponsored or private contractor
Evasion	Uses legitimate Cobra DocGuard driver for self-deletion

How Speagle Works

Speagle is a 32-bit .NET executable that operates in a carefully orchestrated sequence:

Environment Verification — Checks for the Cobra DocGuard installation folder, ensuring it only runs on intended targets
Phased Data Collection — Harvests system information, web browser history, autofill data, and files from specific folders
Covert Exfiltration — Transmits stolen data to a compromised Cobra DocGuard server, blending with legitimate traffic
Self-Destruction — Invokes a legitimate Cobra DocGuard driver to delete itself from the compromised host, leaving minimal forensic traces

Deliberate Targeting and Espionage Links

The malware's design reveals deliberate targeting — it only activates on systems with Cobra DocGuard installed, indicating the threat actor has specific intelligence objectives rather than broad criminal motivation. One variant incorporates functionality to search for files related to Chinese ballistic missiles, specifically the Dongfeng-27 (DF-27), strongly suggesting a state-sponsored espionage motive.

Impact Area	Description
Supply Chain Compromise	Legitimate Cobra DocGuard infrastructure repurposed for C2
Intelligence Collection	Targeted data theft from organizations using document security software
Military Espionage	Variants search for classified ballistic missile documentation
Detection Evasion	Malicious traffic indistinguishable from legitimate Cobra DocGuard communications
Anti-Forensics	Self-deletion via legitimate drivers complicates incident response

Recommendations

For Organizations Using Cobra DocGuard

Audit Cobra DocGuard server integrity — check for unauthorized modifications or unusual outbound traffic
Monitor for anomalous data volumes in client-server communications
Review system logs for unexpected .NET processes interacting with Cobra DocGuard directories
Contact EsafeNet for indicators of compromise and server integrity verification tools

For Security Teams

Implement network traffic analysis that can detect data exfiltration masquerading as legitimate application traffic
Deploy endpoint detection and response (EDR) capable of monitoring .NET assemblies
Watch for unusual driver invocations, particularly those associated with Cobra DocGuard
Consider the supply chain risk of any document security software with server-side components

Key Takeaways

Speagle is a sophisticated .NET infostealer that hijacks Cobra DocGuard infrastructure for C2 and exfiltration
The malware only activates on systems with Cobra DocGuard installed, indicating deliberate targeting
One variant searches for Chinese ballistic missile data (DF-27), pointing to state-sponsored espionage
Traffic blends with legitimate Cobra DocGuard communications, making detection extremely difficult
The malware uses legitimate drivers for self-deletion, complicating forensic analysis
Tracked as Runningcrab, attributed to either a state-sponsored actor or private contractor

Sources

Speagle: A Supply Chain Weapon Disguised as Legitimate Traffic

Attribute

Value

Malware Name

Speagle

Type

.NET Infostealer / Espionage Tool

Campaign Tracked As

Runningcrab

Target Software

Cobra DocGuard (EsafeNet)

C2 Method

Compromised Cobra DocGuard servers

Attribution

Suspected state-sponsored or private contractor

Evasion

Uses legitimate Cobra DocGuard driver for self-deletion

How Speagle Works

Speagle is a 32-bit .NET executable that operates in a carefully orchestrated sequence:

Environment Verification — Checks for the Cobra DocGuard installation folder, ensuring it only runs on intended targets

Phased Data Collection — Harvests system information, web browser history, autofill data, and files from specific folders

Covert Exfiltration — Transmits stolen data to a compromised Cobra DocGuard server, blending with legitimate traffic

Self-Destruction — Invokes a legitimate Cobra DocGuard driver to delete itself from the compromised host, leaving minimal forensic traces

Deliberate Targeting and Espionage Links

Impact Area

Description

Supply Chain Compromise

Legitimate Cobra DocGuard infrastructure repurposed for C2

Intelligence Collection

Targeted data theft from organizations using document security software

Military Espionage

Variants search for classified ballistic missile documentation

Detection Evasion

Malicious traffic indistinguishable from legitimate Cobra DocGuard communications

Anti-Forensics

Self-deletion via legitimate drivers complicates incident response

Recommendations

For Organizations Using Cobra DocGuard

Audit Cobra DocGuard server integrity — check for unauthorized modifications or unusual outbound traffic

Monitor for anomalous data volumes in client-server communications

Review system logs for unexpected .NET processes interacting with Cobra DocGuard directories

Contact EsafeNet for indicators of compromise and server integrity verification tools

For Security Teams

Implement network traffic analysis that can detect data exfiltration masquerading as legitimate application traffic

Deploy endpoint detection and response (EDR) capable of monitoring .NET assemblies

Watch for unusual driver invocations, particularly those associated with Cobra DocGuard

Consider the supply chain risk of any document security software with server-side components

Key Takeaways

Speagle is a sophisticated .NET infostealer that hijacks Cobra DocGuard infrastructure for C2 and exfiltration

The malware only activates on systems with Cobra DocGuard installed, indicating deliberate targeting

One variant searches for Chinese ballistic missile data (DF-27), pointing to state-sponsored espionage

Traffic blends with legitimate Cobra DocGuard communications, making detection extremely difficult

The malware uses legitimate drivers for self-deletion, complicating forensic analysis

Tracked as Runningcrab, attributed to either a state-sponsored actor or private contractor

Sources

New Speagle Malware Hijacks Cobra DocGuard for State-Sponsored Espionage

Speagle: A Supply Chain Weapon Disguised as Legitimate Traffic

How Speagle Works

Deliberate Targeting and Espionage Links

Recommendations

For Organizations Using Cobra DocGuard

For Security Teams

Key Takeaways

Sources

GlassWorm Escalates: 72 Malicious Open VSX Extensions Use

Backdoored Telnyx PyPI Package Pushes Malware Hidden in WAV Audio

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

New Speagle Malware Hijacks Cobra DocGuard for State-Sponsored Espionage

Speagle: A Supply Chain Weapon Disguised as Legitimate Traffic

How Speagle Works

Deliberate Targeting and Espionage Links

Recommendations

For Organizations Using Cobra DocGuard

For Security Teams

Key Takeaways

Sources

GlassWorm Escalates: 72 Malicious Open VSX Extensions Use

Backdoored Telnyx PyPI Package Pushes Malware Hidden in WAV Audio

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files