Speagle Malware Targets Cobra DocGuard
Cybersecurity researchers have identified a new malware called Speagle, which exploits the legitimate document security and encryption platform Cobra DocGuard. This malicious software is designed to steal sensitive information from infected computers by leveraging compromised Cobra DocGuard servers.
Background on Cobra DocGuard
Cobra DocGuard is developed by EsafeNet and serves as a tool for protecting documents through security and encryption measures. However, the platform has been abused in real-world attacks twice to date:
- In January 2023, ESET documented an intrusion where a Hong Kong gambling company was compromised via a malicious update pushed by Cobra DocGuard.
- Later that year, Symantec highlighted Carderbee, a new threat cluster using a trojanized version of Cobra DocGuard to deploy PlugX, targeting multiple organizations in Hong Kong and other Asian countries.
The Mechanics of Speagle Malware
Speagle malware specifically targets systems with Cobra DocGuard installed. It uses the legitimate Cobra DocGuard server for command-and-control (C2) operations and data exfiltration, making its activities appear as normal communications between client and server.
Data Exfiltration Process
Once launched, Speagle first checks the installation folder of Cobra DocGuard before harvesting and transmitting sensitive information from infected machines. This includes:
- System details
- Files from specific folders, including web browser history and autofill data
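Because the C2 and exfiltration traffic described above goes to the organisation's own Cobra DocGuard server, destination-based allowlisting sees nothing unusual; a detection has to pivot on which process originates the traffic and which files it touches. The heuristic below is an added example, not code from the article or from EsafeNet: it flags any process outside the DocGuard client directory that talks to the DocGuard server, any non-browser process reading browser history/autofill databases, and escalates when one process does both. The install directory, server name and telemetry format are assumptions, not values from the article.

```python
"""Process-origin heuristic for C2 that hides behind a legitimate internal server.

Assumed inputs: JSON-lines endpoint telemetry with 'proc' (image path) and
optionally 'dst' (remote host) or 'file' (file opened). The DocGuard install
directory and server name are placeholders, not values from the article.
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

DOCGUARD_DIR = PureWindowsPath(r"C:\Program Files\EsafeNet\CobraDocGuard")  # placeholder
DOCGUARD_SERVERS = {"docguard.corp.example"}                                # placeholder
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Chromium/Firefox databases holding browsing history and autofill data.
BROWSER_DBS = {"history", "web data", "login data", "places.sqlite", "formhistory.sqlite"}
TAG_CHANNEL = "foreign-process-to-docguard-server"
TAG_BROWSER = "non-browser-reads-browser-db"
TAG_HIGH = "HIGH: browser-data-collection-plus-docguard-channel"

def under(path, directory):
    """True if path lies inside directory (pure path logic, no filesystem access)."""
    try:
        PureWindowsPath(path).relative_to(directory)
        return True
    except ValueError:
        return False

def analyse(lines):
    """Return {process image: set of finding tags} for the given telemetry lines."""
    findings = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        proc = ev["proc"]
        # Destination is the trusted DocGuard server, but the client is not DocGuard.
        if ev.get("dst") in DOCGUARD_SERVERS and not under(proc, DOCGUARD_DIR):
            findings[proc].add(TAG_CHANNEL)
        f = ev.get("file")
        if f and PureWindowsPath(f).name.lower() in BROWSER_DBS \
                and PureWindowsPath(proc).name.lower() not in BROWSERS:
            findings[proc].add(TAG_BROWSER)
    for tags in findings.values():
        if TAG_CHANNEL in tags and TAG_BROWSER in tags:
            tags.add(TAG_HIGH)      # collection and covert channel in one process
    return dict(findings)

# Constructed sample: legitimate client sync, a browser reading its own history,
# and a hypothetical implant that reads autofill data then talks to the server.
SAMPLE = [
    r'{"proc": "C:\\Program Files\\EsafeNet\\CobraDocGuard\\client.exe", "dst": "docguard.corp.example"}',
    r'{"proc": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "file": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"}',
    r'{"proc": "C:\\Users\\a\\AppData\\Roaming\\update.exe", "file": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}',
    r'{"proc": "C:\\Users\\a\\AppData\\Roaming\\update.exe", "dst": "docguard.corp.example"}',
]

if __name__ == "__main__":
    for proc, tags in analyse(SAMPLE).items():
        print(proc, sorted(tags))
```

In production the placeholders would come from the software inventory (actual DocGuard client path and server), and the browser allowlist would be keyed on signed image identity rather than file name.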
Additional Functionality
A variant of Speagle has been discovered to include additional features, allowing it to turn on/off certain types of data collection and search for files related to Chinese ballistic missiles like Dongfeng-27.
Implications and Analysis
The developers of Speagle likely chose Cobra DocGuard due to its perceived vulnerability and high rate of use among targeted organizations. This indicates a deliberate targeting possibly aimed at facilitating intelligence collection or industrial espionage.
Conclusion
Speagle is a sophisticated malware that cleverly uses legitimate software infrastructure to mask malicious activities, highlighting the importance of robust security measures against supply chain attacks and compromised servers.
Original article: https://thehackernews.com/2026/03/speagle-malware-hijacks-cobra-docguard.html
