New Malware Targets Users of Cobra DocGuard Software
A novel and stealthy threat called Infostealer.Speagle has been discovered hijacking the functionality of Cobra DocGuard, a legitimate security product. The malware collects sensitive information from infected computers and transmits it to a compromised Cobra DocGuard server, so the exfiltration looks like the product's own client-to-server communication. Speagle specifically targets computers with Cobra DocGuard installed and has been observed searching for documents related to Chinese ballistic missiles. The infection vector remains unknown, but there are indications of a possible supply chain attack. The malware collects system information, file listings, and browser data in multiple phases, uses evasion techniques to avoid detection, and deletes itself after completing its tasks.
AI Analysis
Technical Summary
Infostealer.Speagle is documented in the referenced security.com write-up and aggregated in an AlienVault OTX pulse. It abuses Cobra DocGuard, a legitimate security product, to conduct covert data exfiltration: by riding the product's own client-to-server channel, Speagle makes its traffic look like routine DocGuard communication, which defeats network controls that already trust that channel. The malware operates in phases: it first collects system information and enumerates files, then harvests browser data and searches for documents related to Chinese ballistic missile programs, which points to a targeted espionage motive rather than opportunistic theft. The infection vector is unknown; the available evidence points to a possible supply chain compromise of Cobra DocGuard itself, which would place the malware inside environments that trust the product. Speagle deletes itself after completing its tasks, shrinking both the detection window and the forensic artefacts left for responders. Its exfiltration endpoints are compromised Cobra DocGuard servers at 60.30.147.18 (port 8091) and 222.222.254.165 (port 8090), reached over plain HTTP via a URL path that mirrors the product's own client diagnostics endpoint (/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy). Those ports are non-standard for web traffic, so the blending only works where DocGuard client traffic is already expected; anywhere else the port and path combination is a usable detection signature. The OTX pulse attributes the campaign to an adversary tracked as Runningcrab. No CVE or public exploit is associated with this activity, and none is needed for the observed behaviour: the risk comes from a trusted software channel being used to move sensitive, military-related documents out of organisations that run Cobra DocGuard, particularly in defence and adjacent sectors. The behaviour maps to several MITRE ATT&CK techniques: System Information Discovery (T1082) and File and Directory Discovery (T1083) in the enumeration phase, Data from Local System (T1005) and credential access against browser data in the collection phase, Data Staged (T1074), Exfiltration Over C2 Channel (T1041) using web protocols (T1071.001), and Indicator Removal through file deletion (T1070.004).
Potential Impact
The primary impact of Infostealer.Speagle is the covert theft of sensitive information from targeted systems running Cobra DocGuard. Organisations in defence, government, and critical infrastructure sectors that use this software risk exposure of confidential data, including documents related to Chinese ballistic missile programs, which could amount to a significant intelligence compromise. Because the exfiltration is disguised as legitimate DocGuard traffic, detection and response are harder, dwell time grows, and more data can leave before anyone notices. The suspected supply chain vector undermines trust in a security product and potentially affects every Cobra DocGuard deployment, since a tampered build or update would reach all customers alike. The infection scope is limited to Cobra DocGuard users, but the targeted nature and espionage focus raise the risk for those entities considerably. The self-deleting behaviour removes on-disk evidence, which hinders investigation and attribution. No threat score is assigned on this page; a medium severity assessment is reasonable, balancing the absence of widespread exploitation against the strategic value of the stolen data, which could have geopolitical consequences. Affected organisations may face operational disruption, reputational damage, and regulatory consequences if sensitive data is leaked or misused.
Mitigation Recommendations
Organisations should immediately inventory their Cobra DocGuard installations and verify the integrity of the installed client and server components against vendor-published hashes and code-signing certificates; a binary that fails signature verification, or whose hash matches one of the indicators below, should be treated as compromised. Apply strict supply chain controls to the product's update path, including code signing verification and direct vendor contact to confirm whether any release or update has been tampered with. Enhance network monitoring for HTTP traffic to the listed IPs and URLs, with two caveats: the C2 servers are compromised legitimate DocGuard servers, so if one of the listed IPs is your own DocGuard server the server itself needs incident response, not just a firewall rule; and the /CDGServer3/CDGClientDiagnostics path is the product's own endpoint, so blocking on the path alone will break legitimate policy synchronisation. Alert instead on DocGuard client traffic directed at any host other than your sanctioned DocGuard server, and on HTTP on ports 8090 and 8091 from hosts that do not run the client. Tune endpoint detection and response (EDR) rules for the multi-phase behaviour: system and file enumeration, browser data access, staging of collected data, and a process deleting its own image. Hunt for the file hashes below, but note that self-deletion means a clean disk scan does not rule out a past infection; pair hash hunting with process-creation and file-deletion telemetry. Restrict unnecessary outbound HTTP and apply application allow-listing to block execution of unauthorised components. Keep backups of critical data and maintain incident response plans that cover supply chain and stealthy malware scenarios. Engage the Cobra DocGuard vendor for patches or advisories, and consider alternative products if a supply chain compromise is confirmed. User awareness training should cover supply chain risk and encourage reporting of unusual system behaviour. Finally, work with threat intelligence providers to track Runningcrab activity and emerging indicators.
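The detection logic described above, as an added example that is not part of the original report or the OTX pulse: a small Python hunt that matches proxy-style HTTP log lines against the page's C2 indicators, separates traffic to the two known C2 hosts from ordinary DocGuard client traffic to some other server (which uses the same path and therefore must not be blocked outright), and hashes files against the listed SHA-256 samples. The log format, the client addresses and the internal server 10.0.0.5 are constructed for illustration; the hashes, hosts, ports and URL path are the ones listed on this page.

```python
"""Hunt for Infostealer.Speagle indicators in HTTP logs and on disk.

Added example; not code from the referenced report. Indicator values are the
ones listed on this page, everything else (log format, sample lines, the
internal DocGuard server 10.0.0.5) is constructed for illustration.
"""
import hashlib
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# SHA-256 hashes of the Speagle samples listed on the page.
SPEAGLE_SHA256 = {
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877",
    "dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d",
    "fad8d0307db5328c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890",
}
# Compromised DocGuard servers used as C2 (host, port), from the page's URL IoCs.
SPEAGLE_C2 = {("60.30.147.18", 8091), ("222.222.254.165", 8090)}
SPEAGLE_C2_HOSTS = {host for host, _ in SPEAGLE_C2}
# The product's own client-diagnostics endpoint, as it appears in the IoC URLs.
DOCGUARD_PATH = "/CDGServer3/CDGClientDiagnostics"
DOCGUARD_FLAG = "syn_user_policy"

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url: str) -> str:
    """Classify one request URL.

    'c2'       -> destination is a known Speagle C2 host (any path): escalate.
    'docguard' -> DocGuard client-diagnostics call to some other server: the
                  path alone is not malicious, but confirm the server is yours.
    'other'    -> not of interest here.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in SPEAGLE_C2_HOSTS:
        return "c2"
    flags = parse_qs(parts.query).get("flag", [])
    if parts.scheme == "http" and parts.path == DOCGUARD_PATH and DOCGUARD_FLAG in flags:
        return "docguard"
    return "other"


def scan_proxy_log(lines):
    """Return (client_ip, verdict, url) for every line that is not 'other'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, client, _method, url, _status = m.groups()
        verdict = classify_url(url)
        if verdict != "other":
            hits.append((client, verdict, url))
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path):
    """Return files under root whose SHA-256 matches a Speagle sample hash.

    A clean result does not prove absence: Speagle deletes itself after
    running, so pair this with process-creation and file-deletion telemetry.
    """
    return [p for p in root.rglob("*") if p.is_file() and sha256_file(p) in SPEAGLE_SHA256]


# Constructed sample log lines (not real telemetry). 10.0.0.5 stands in for
# the organisation's own, sanctioned DocGuard server.
SAMPLE_LOG = [
    "2026-03-19T10:01:02Z 10.0.0.15 GET http://60.30.147.18:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy 200",
    "2026-03-19T10:01:05Z 10.0.0.15 GET http://222.222.254.165:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy 200",
    "2026-03-19T10:02:11Z 10.0.0.22 GET http://10.0.0.5:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy 200",
    "2026-03-19T10:03:00Z 10.0.0.22 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:8} {client} -> {url}")
```

The split between `c2` and `docguard` verdicts is the point of the example: the host 10.0.0.15 talking to either listed IP is an incident, while 10.0.0.22 talking to the internal server on the same path is what normal DocGuard policy synchronisation looks like, and a rule keyed on the path alone would flag (or block) both. Run `scan_directory(Path("C:/path/to/docguard"))` against a real installation directory to hash the installed binaries; the path is yours to supply.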
Affected Countries
China, United States, Taiwan, South Korea, Japan, India, Russia, United Kingdom, Germany, France
Indicators of Compromise
- hash: 03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b
- hash: d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877
- hash: dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d
- hash: fad8d0307db5328c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890
- ip: 60.30.147.18
- url: http://222.222.254.165:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy
- url: http://60.30.147.18:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy
Technical Details
- Author: AlienVault
- TLP: WHITE
- References: https://www.security.com/blog-post/speagle-cobradocguard-infostealer
- Adversary: Runningcrab
- Pulse ID: 69bbd7618524d177761d1941
- Threat Score: null (not assigned)
Threat ID: 69bbfc73e32a4fbe5fc45100
Added to database: 3/19/2026, 1:38:59 PM
Last enriched: 3/19/2026, 1:53:58 PM
Last updated: 3/20/2026, 5:12:26 AM