Speagle malware abusing Cobra DocGuard infrastructure
Malware Activity
Summary
The Speagle malware is now being used to harvest sensitive information from infected systems and to hide exfiltration inside Cobra DocGuard traffic, increasing the risk of stealthy data theft. The activity matters because it relies on a compromised server and a legitimate security platform to mask both command-and-control and data exfiltration.
Related Happenings
Trigona ransomware uploader_client.exe exfiltration activity
Malware Activity
First: 23.04.2026 21:59
Last: 23.04.2026 21:59
Sources 1
About this happening:
Trigona ransomware is now using **uploader_client.exe** to steal data from compromised environments faster, making exfiltration more efficient and harder to spot. The tool was see...
PromptSpy Android malware with Gemini-assisted persistence and spyware capabilities
Malware Activity
First: 20.02.2026 00:36
Last: 20.02.2026 00:36
Sources 1
About this happening:
The **PromptSpy** Android malware family now stands out as the first known **Android malware** to use **Google Gemini** at runtime, letting it adapt app-pinning steps across devic...
DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
First: 06.02.2026 16:56
Last: 06.02.2026 16:56
Sources 1
About this happening:
Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
Osiris ransomware uses POORTRY BYOVD to disable defenses and exfiltrate data
Malware Activity
First: 22.01.2026 20:00
Last: 22.01.2026 20:00
Sources 1
About this happening:
Researchers disclosed **Osiris**, a **new ransomware family** that hit a **major food service franchisee operator in Southeast Asia** in **November 2025**, showing an active intru...
Timeline
19.03.2026 21:16 2 articles · 2mo ago
Speagle malware abuses Cobra DocGuard infrastructure
Initial Disclosure: Researchers described Speagle, a new parasitic malware, as targeting systems with Cobra DocGuard installed and using a compromised Cobra DocGuard server for command-and-control and data exfiltration while masking traffic as legitimate client-server communications. The malware is tracked as Runningcrab, remains unattributed, and may have been delivered through a supply-chain route; one variant can invoke a Cobra DocGuard-associated driver to delete itself and can search for files related to Chinese ballistic missiles such as the Dongfeng-27 (aka DF-27).
Sources:
- Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers — thehackernews.com — 19.03.2026 21:16