
Speagle Malware Targets Cobra DocGuard: Threat Intel Overview

21 March 2026 by TechStora

Speagle Malware Targets Cobra DocGuard

Security researchers have identified a new malware family named Speagle. The code hijacks the functionality of the legitimate document security product Cobra DocGuard, developed by EsafeNet.

Speagle is designed to collect sensitive data from computers that have Cobra DocGuard installed and send it to a compromised Cobra DocGuard server. The exfiltration traffic is disguised as normal client-server communication, making detection difficult.

Known incidents

  • January 2023 - ESET reported a breach of a Hong Kong gambling company where a malicious update of Cobra DocGuard delivered Speagle.
  • August 2023 - Symantec described a threat cluster called Carderbee that used a trojanized version of Cobra DocGuard to install the PlugX backdoor.

Possible attribution

At this time the authors of Speagle have not been identified. The activity is being tracked under the name Runningcrab. Analysts consider two main possibilities:

  1. A state‑backed group seeking intelligence or economic advantage.
  2. A private contractor offering cyber‑espionage services for hire.

Delivery method

The exact infection vector is unknown, but the pattern of previous attacks suggests a supply‑chain compromise, where a legitimate update of Cobra DocGuard was replaced with a malicious version.

Mitigation steps

  • Verify the integrity of Cobra DocGuard updates using digital signatures.
  • Monitor network traffic for unusual connections to Cobra DocGuard servers.
  • Deploy endpoint detection tools that can flag unknown processes interacting with the DocGuard client.
  • Apply the latest security patches from EsafeNet.

Organizations using Cobra DocGuard should review their security controls and consider additional monitoring for signs of Speagle activity.
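
One way to approach the traffic-monitoring and unknown-process mitigations above, shown as an added example that is not from the original article or from EsafeNet. It flags flows to DocGuard servers from unexpected processes and hosts whose upload volume far exceeds the fleet median; the server address, process names, threshold and flow records are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not real telemetry). The server address,
# process names and byte counts are assumptions for illustration.
SAMPLE_FLOWS = """host,process,dst_ip,dst_port,bytes_out
ws-01,docguard_client.exe,192.0.2.10,443,18200
ws-02,docguard_client.exe,192.0.2.10,443,20100
ws-03,docguard_client.exe,192.0.2.10,443,17500
ws-04,docguard_client.exe,192.0.2.10,443,964000
ws-02,unknown_helper.exe,192.0.2.10,443,5200
ws-01,browser.exe,198.51.100.7,443,88000
"""

DOCGUARD_SERVERS = {"192.0.2.10"}             # assumed server inventory
EXPECTED_PROCESSES = {"docguard_client.exe"}  # hypothetical client binary name
VOLUME_FACTOR = 5                             # alert above 5x the fleet median


def find_anomalies(flow_csv, servers=DOCGUARD_SERVERS,
                   expected=EXPECTED_PROCESSES, factor=VOLUME_FACTOR):
    """Return (unexpected_process_alerts, volume_alerts) for DocGuard-bound flows."""
    per_host = defaultdict(int)
    unexpected = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dst_ip"] not in servers:
            continue  # only traffic to DocGuard servers is in scope
        per_host[row["host"]] += int(row["bytes_out"])
        if row["process"].lower() not in expected:
            unexpected.append((row["host"], row["process"]))
    # Compare each host's upload volume with the fleet median: traffic that
    # looks like client-server communication can still stand out by size.
    baseline = median(per_host.values()) if per_host else 0
    volume = sorted(h for h, b in per_host.items()
                    if baseline and b > factor * baseline)
    return unexpected, volume


if __name__ == "__main__":
    procs, hosts = find_anomalies(SAMPLE_FLOWS)
    print("unexpected processes:", procs)
    print("high upload volume:", hosts)
```

The volume check matters because a process allowlist alone will not catch uploads sent through the legitimate client; tune the factor against your own baseline.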