Speagle, a newly identified malware, hijacks Cobra DocGuard's functionality and infrastructure to covertly harvest sensitive data from infected hosts and send it to a Cobra DocGuard server that the attackers have compromised. According to Symantec and Carbon Black, the exfiltration is masked as legitimate client-server communications, with Speagle focusing on systems where the Cobra DocGuard data protection software is installed.
The malware’s operations include using a driver associated with Cobra DocGuard to delete itself from the host after launching, and it has been observed harvesting system details as well as data from folders containing browser history and autofill data. Researchers note that one variant can toggle data collection on and off and can search for files related to Chinese ballistic missiles, such as the Dongfeng-27.
The malware has not been attributed to a specific actor to date, but Broadcom's threat-hunting teams describe Speagle as potentially the work of a state-sponsored actor or a private contractor for hire, with the activity tracked under the Runningcrab moniker.