A new infostealer malware named Speagle is posing a significant threat to organizations utilizing Cobra DocGuard, a document security platform developed by China-based EsafeNet. This sophisticated malware expertly blends into its host environment, using Cobra DocGuard’s own infrastructure to conduct its data theft operations. Speagle’s primary objective is to actively locate and exfiltrate highly sensitive documents, including those related to Chinese ballistic missile technology.
Cobra DocGuard has a documented history of security vulnerabilities being exploited by threat actors. In September 2022, it was implicated in a supply chain attack targeting a Hong Kong-based gambling company. More recently, in August 2023, the Korplug backdoor (also known as PlugX) was delivered through the same platform against organizations across Hong Kong and other parts of Asia. This recurring pattern highlights Cobra DocGuard as a consistent target for attackers seeking to leverage trusted software as an entry point.
Speagle Malware Leverages Cobra DocGuard for Data Exfiltration
According to Symantec analysts, Speagle is a 32-bit .NET executable designed to run only on systems where Cobra DocGuard is installed. The threat actor behind this malware, dubbed Runningcrab, has no confirmed links to previously identified threat groups. However, researchers suggest that the malware’s deliberate targeting of Cobra DocGuard users and its specific focus on defense-related documents point towards a likely state-sponsored actor or a highly skilled private contractor.
While the exact infection vector remains unconfirmed, initial findings suggest that a supply chain attack is a strong possibility. Speagle employs a legitimate Cobra DocGuard driver, known as the FileLock driver, to facilitate its self-deletion after its malicious operations are completed. This behavior is consistent with Trojanized software updates. The self-delete technique utilizes the SetFileInformationByHandle() API to rename and remove the running executable, a method previously documented by security researcher Jonas Lykkegaard. The use of the platform’s own driver for self-erasure strongly indicates an attacker with intimate knowledge of Cobra DocGuard’s internal workings.
Further complicating the threat landscape, Runningcrab has been observed hijacking legitimate Cobra DocGuard servers belonging to target organizations. These compromised servers are then repurposed as command-and-control (C2) infrastructure. By routing stolen data through servers that the victim organization already communicates with regularly, the attacker can make the exfiltration traffic appear entirely normal. This level of planning and execution suggests a well-resourced threat actor with pre-existing knowledge of the victim’s environment.
Speagle’s Data Collection and Exfiltration Tactics
Upon confirming the presence of Cobra DocGuard by examining specific Windows registry keys under the Esafenet CDG System path, Speagle initiates a structured, multi-phase data collection process. The first phase involves gathering essential system information, including the machine’s username, hostname, and unique Cobra DocGuard client identifiers stored in local configuration files. If a valid client ID is not identified, the malware immediately triggers its self-deletion routine and terminates without attempting to steal any data.
In the second phase, Speagle executes Windows Management Instrumentation (WMI) queries to obtain details about running processes, network connections, installed services, scheduled tasks, and firewall rules. Concurrently, it maps files and folders across all connected drives to construct a comprehensive overview of the compromised machine’s contents. The third phase is dedicated to extracting browser data, encompassing browsing history, autofill entries, downloaded files, bookmarks, and search shortcuts from directories associated with Chromium-based browsers.
A notable capability found in one variant of Speagle is its specific search for documents containing Chinese-language keywords directly related to defense technology. These keywords translate to terms such as “ballistic missile,” “hypersonic,” “warhead,” “Dongfeng,” and “Changjian,” referencing specific Chinese missile systems like the Dongfeng-27. This targeted approach underscores the potential strategic importance of the data being sought.
Following each data collection phase, Speagle compresses the gathered information using the Deflate algorithm. It then encrypts the data using AES-128 in CBC mode before transmitting it via HTTP POST requests to a hardcoded, compromised Cobra DocGuard server. Organizations utilizing Cobra DocGuard are strongly advised to meticulously audit their outbound network traffic for any unusual connections to IP addresses 60.30.147[.]18 and 222.222.254[.]165. Endpoint detection tools should be updated to flag Speagle’s four known SHA-256 file hashes.
Administrators are urged to verify the integrity of their Cobra DocGuard server installations and to review their software update channels for any unauthorized modifications. Promptly applying the latest endpoint protection signatures is also a critical step in mitigating this threat. The ongoing monitoring of Cobra DocGuard’s security posture and the potential emergence of new variants of Speagle will be crucial in understanding the full scope of this evolving threat.
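As an added example (not code from the article or from Symantec’s report), the following Python snippet shows the kind of outbound-traffic check the advice above calls for: it scans constructed proxy log lines for HTTP POST traffic to the two Cobra DocGuard server addresses listed above. The log layout is an assumption made for this example, and the sample lines are constructed.

```python
import ipaddress
import re

# C2 addresses from the report, written defanged on the page ("60.30.147[.]18").
SPEAGLE_C2_DEFANGED = ["60.30.147[.]18", "222.222.254[.]165"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 60.30.147[.]18 back into a plain IP string."""
    return indicator.replace("[.]", ".")


SPEAGLE_C2 = {ipaddress.ip_address(refang(i)) for i in SPEAGLE_C2_DEFANGED}

# Assumed proxy log layout (constructed for this example, not a real product format):
# <timestamp> <client_ip> <method> <url> <status> <bytes_sent>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>https?://(?P<host>[^/:\s]+)\S*)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def find_speagle_traffic(log_lines):
    """Return (client_ip, dest_ip, bytes_sent) for each POST to a listed C2 address.

    Only IP-literal hosts are checked; a hostname would need resolver data that
    the page does not provide. Because the compromised server is one the victim
    already talks to, the POST volume is returned so analysts can judge it.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        try:
            dest = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # host is a name, not an IP literal
        if dest in SPEAGLE_C2 and m.group("method") == "POST":
            hits.append((m.group("client"), str(dest), int(m.group("bytes"))))
    return hits


# Constructed sample lines: the two POSTs to listed addresses should be flagged;
# the GET to an unrelated host and the POST to an unrelated IP should not.
SAMPLE_LOG = [
    "2024-01-10T09:15:02Z 10.0.4.21 POST http://60.30.147.18/upload 200 48211",
    "2024-01-10T09:15:05Z 10.0.4.21 GET http://update.example.test/check 200 512",
    "2024-01-10T09:16:40Z 10.0.7.9 POST http://222.222.254.165/api/put 200 91377",
    "2024-01-10T09:17:01Z 10.0.7.9 POST http://203.0.113.5/other 200 300",
]

if __name__ == "__main__":
    for client, dest, size in find_speagle_traffic(SAMPLE_LOG):
        print(f"ALERT {client} -> {dest} ({size} bytes POSTed)")
```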