New Malware Targets Users of Cobra DocGuard Software
ID: 63299f4f-49eb-5d7d-a61c-0a9c8bf8cb95
STIX ID: report--63299f4f-49eb-5d7d-a61c-0a9c8bf8cb95
Feed Name: security.com
Symantec/Carbon Black discovered Infostealer.Speagle, a 32-bit .NET infostealer that parasitically leverages the legitimate Cobra DocGuard client and a compromised Cobra server to collect and exfiltrate sensitive files, including searches for Chinese ballistic missile–related documents. The report describes multi-phase collection (WMI, filesystem, browser artifacts), AES-128/CBC encrypted exfiltration over HTTP to hardcoded Cobra-server URLs, self-deletion using a Cobra driver, and multiple sample hashes and C2 IPs. It assesses a likely high-target espionage motive with possible supply-chain delivery, and attributes the activity to a named actor, Runningcrab.
