Speagle malware leverages compromised Cobra DocGuard servers and infrastructure to exfiltrate sensitive data
Summary
A newly identified malware family, Speagle, has been observed hijacking the legitimate Cobra DocGuard document security platform to surreptitiously collect and exfiltrate sensitive data from infected systems. The malware abuses Cobra DocGuard’s client-server architecture and compromised servers to blend malicious communications with legitimate traffic, ensuring stealth during exfiltration. Speagle specifically targets systems where Cobra DocGuard is installed, indicating deliberate selection of victims, likely for intelligence collection or industrial espionage purposes. The operational infrastructure overlaps with prior documented abuses of Cobra DocGuard in 2022–2023, suggesting a pattern of exploiting trusted software in supply chain attacks.
Timeline
19.03.2026 21:16
Speagle malware campaign leverages compromised Cobra DocGuard servers for data exfiltration
A newly identified malware family, Speagle, has been observed hijacking the Cobra DocGuard document security platform to exfiltrate sensitive data from infected systems. The malware abuses Cobra DocGuard’s client-server architecture and compromised servers to blend malicious communications with legitimate traffic. Speagle specifically targets systems with Cobra DocGuard installed, indicating deliberate victim selection and potentially aligning with intelligence collection or industrial espionage. Operational activity is tracked under Runningcrab and is currently unattributed. Initial evidence suggests a supply chain attack as the likely delivery vector.
Sources
- Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers — thehackernews.com — 19.03.2026 21:16
Information Snippets
- Speagle malware targets only systems with the Cobra DocGuard document security software installed, indicating deliberate victim selection.
  First reported: 19.03.2026 21:16
- The malware exfiltrates data via compromised Cobra DocGuard servers, disguising malicious traffic as legitimate client-server communications.
  First reported: 19.03.2026 21:16
- Speagle invokes a Cobra DocGuard-associated driver to enable self-deletion from compromised hosts after data collection.
  First reported: 19.03.2026 21:16
- The malware harvests system information and files, including browser history and autofill data, in phased data collection stages.
  First reported: 19.03.2026 21:16
- A Speagle variant includes functionality to toggle data collection modes and specifically searches for files related to Chinese ballistic missile systems (e.g., Dongfeng-27).
  First reported: 19.03.2026 21:16
- Prior documented abuses of Cobra DocGuard include a 2022 Hong Kong gambling company intrusion via malicious update and a 2023 campaign (Carderbee) using a trojanized version to deploy PlugX malware.
  First reported: 19.03.2026 21:16
- Speagle’s operational activity is tracked under the moniker Runningcrab; the activity remains unattributed, with hypotheses suggesting state-sponsored or contractor-driven operations.
  First reported: 19.03.2026 21:16
- Initial suspicion points to a supply chain compromise as the likely delivery vector for Speagle, mirroring previous incidents involving Cobra DocGuard.
  First reported: 19.03.2026 21:16