On March 19, 2026, researchers from Symantec and Carbon Black — both part of Broadcom — published a threat intelligence report disclosing a novel malware family tracked as Infostealer.Speagle. The threat is notable not only for what it steals, but for how it steals it: by turning a legitimate document security platform into both a cover story and a getaway vehicle. The actor responsible has been assigned the tracking name Runningcrab and remains, as of publication, unlinked to any previously known threat group.
The targeted software is Cobra DocGuard, a document protection and encryption client developed by EsafeNet, a Chinese company owned by cybersecurity firm NSFOCUS. Cobra DocGuard is used in enterprise environments — particularly across Asia — to manage the encryption, decryption, and access control of sensitive documents. It is precisely because organizations trust this software and its network communications that Speagle is able to operate so quietly.
A Platform Abused Three Times Over
To understand the significance of the Speagle disclosure, it helps to understand that Cobra DocGuard has now been weaponized in three documented campaigns — a pattern that raises serious questions about the software's security posture and its attractiveness as a persistent attack vector.
The first documented incident occurred in September 2022, when ESET researchers — as published in their T3 2022 APT Activity Report — detailed how a gambling company in Hong Kong was compromised through a malicious update pushed by the Cobra DocGuard client. That attack was attributed to APT27 (also tracked as LuckyMouse, Budworm, or Emissary Panda), a prolific China-aligned threat actor known for cyber espionage. The same company had previously been compromised by the same technique in September 2021, suggesting a sustained targeting relationship.
"The malicious software was delivered to the following location on infected computers, which is what indicates that a supply chain attack or malicious configuration involving Cobra DocGuard is how the attackers compromised affected computers." — Symantec Threat Hunter Team, August 2023
The second campaign was disclosed by Symantec in August 2023, when the Threat Hunter Team identified a previously unknown APT group — which they named Carderbee — using Cobra DocGuard to deliver the Korplug backdoor (also known as PlugX) to organizations in Hong Kong and elsewhere in Asia. That campaign, which began in April 2023, observed malicious activity on roughly 100 of the approximately 2,000 machines where Cobra DocGuard was installed — indicating careful, selective targeting rather than indiscriminate deployment. In a detail that underscored the sophistication of the operation, the downloader used in the Carderbee campaign was digitally signed with a Microsoft certificate issued through the Windows Hardware Compatibility Publisher program, making it significantly harder for endpoint detection tools to flag as malicious.
PlugX (Korplug) is a modular remote access trojan widely shared among China-linked threat actors, including APT41, BlackFly, MustangPanda, and Budworm. Its presence in an attack does not by itself establish attribution — it functions more like a shared toolkit than a signature. Symantec acknowledged this explicitly when naming Carderbee as a new cluster rather than attributing it to a known group.
The third campaign — the subject of the March 2026 report — introduces Speagle, a malware family that takes a fundamentally different architectural approach. Where Carderbee used Cobra DocGuard as a delivery mechanism, Speagle uses it as a disguise. It wraps its communications inside the legitimate client-server protocol, exfiltrates data to a compromised Cobra DocGuard server, and uses the platform's own kernel driver to delete itself when done.
How Speagle Works: A Technical Review
Speagle is a 32-bit .NET executable. Upon execution, its first task is to confirm that Cobra DocGuard is actually installed on the target machine. It does this by querying the Windows registry for the installation path, checking two possible registry keys and falling back to a hardcoded default path if both are absent. If Cobra DocGuard is not present, the malware proceeds directly to self-deletion rather than continuing execution. This single design decision tells analysts something important: Speagle was built for a specific pool of targets, not for broad deployment.
Registry checks performed on launch:
HKLM\SOFTWARE\WOW6432Node\Esafenet\CDG System\"InstallDir"
HKLM\SOFTWARE\Esafenet\CDG System\"InstallDir"
Fallback: C:\Program Files\EsafeNet\Cobra DocGuard Client\
Once the installation path is confirmed, Speagle proceeds to collect and exfiltrate data in a series of discrete phases. Crucially, it attempts to transmit the data gathered in each phase before moving to the next — a design choice that ensures at least partial exfiltration even if the malware is interrupted mid-execution.
Phase One: Identity and Fingerprinting
In its first phase, Speagle builds what it internally calls an "ErrorReport" structure — a naming choice that itself functions as camouflage, making the data appear to be diagnostic telemetry. This structure captures the Windows username, the hostname of the infected machine, and two identifiers pulled directly from Cobra DocGuard's own configuration files: a client ID from UniqueClientCode.ini and an installation identifier from PackageInfo.ini. If the client ID field is empty — indicating the software may not be fully configured — Speagle abandons its mission and self-deletes immediately.
Phase Two: Deep System Reconnaissance
The second phase is significantly more invasive. Speagle executes a comprehensive set of WMI queries to enumerate the machine's environment, covering running processes, installed services, network configuration, scheduled tasks, firewall rules, active TCP connections, printer configurations, and more. It also walks the directory tree of all attached disks — local, removable, and network — up to two levels deep, recording file names and sizes. It separately indexes the user's Documents, Downloads, Desktop, and AppData directories to a depth of five levels, building a detailed map of what is stored where.
Phase Three: Browser Data Extraction
In its third phase, Speagle targets browser data. It searches the AppData directories of all user accounts on the machine for folders containing files named "History" alongside either "Web Data" or "Login Data" — a pattern consistent with Chromium-based browsers including Chrome, Edge, and Brave. For each matching browser profile, it creates temporary copies of the SQLite databases and queries them directly, extracting browsing history URLs and titles, autofill values (including names, addresses, and form-field data), download history, omnibox shortcuts, and bookmarks.
Browser autofill data can include names, physical addresses, phone numbers, email addresses, and in some cases partial payment card data stored in the browser's form-fill cache. Combined with browsing history and download records, this gives an operator a detailed picture of a target's professional activity, communication patterns, and the documents they have recently accessed or transferred.
Exfiltration: Hiding in Plain Sight
The exfiltration mechanism is where Speagle's design is most deliberately deceptive. After serializing the collected data as XML, it compresses it using the Deflate algorithm and then encrypts it with AES-128 in CBC mode, deriving the encryption key from the SHA256 hash of a hardcoded string. The resulting ciphertext is hexlified and transmitted over HTTP to what appears to be a legitimate Cobra DocGuard server — specifically, one belonging to the targeted organization that has itself been compromised by Runningcrab. The POST request is sent to a URL matching the format of a real Cobra DocGuard diagnostics endpoint, and the custom HTTP headers it uses — including X-Request-Name, X-Request-ID, and X-Request-No — mirror the kind of client telemetry a legitimate installation might generate.
"Speagle is a novel, parasitic threat that cleverly makes use of Cobra DocGuard's client to mask its malicious activity and its infrastructure to hide exfiltration traffic." — Symantec and Carbon Black researchers, Security.com, March 19, 2026
This design means that a network defender monitoring outbound traffic from an endpoint running Cobra DocGuard would see what looks like routine client-server communication to a known server. Without inspecting the payload itself — which is encrypted — the traffic would not raise an alert.
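One way for a defender to act on this, as an added example that is not code from the Symantec/Carbon Black report or from EsafeNet: a Python heuristic run over a constructed proxy log that keys on the two things Speagle cannot disguise, the size of its hexlified payload and the back-to-back timing of its phased posts, rather than on the X-Request-* headers it copies. The log schema, the 4 KiB baseline for a genuine diagnostics post and the burst window are assumptions.

```python
# Heuristics for spotting Speagle-style exfiltration hidden in Cobra DocGuard
# diagnostics traffic. Added example, not code from the Symantec/Carbon Black
# report; the log schema, body sizes and thresholds are constructed assumptions.
import json
import re
from collections import defaultdict

CDG_DIAG_PATH = "/CDGServer3/CDGClientDiagnostics"  # endpoint path from the report
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")            # Speagle hexlifies its ciphertext
MAX_DIAG_BODY = 4096   # assumed upper bound for a genuine diagnostics post (bytes)
BURST_WINDOW = 600     # seconds; the three collection phases post back-to-back
BURST_COUNT = 3

# Constructed proxy log, one JSON record per line (ts = epoch seconds).
# 10.0.0.5 behaves like a normal client; 10.0.0.9 shows the phased exfil pattern.
SAMPLE_LOG = """\
{"ts":1000,"src":"10.0.0.5","method":"POST","path":"/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy","body_len":640,"body_prefix":"3c3f786d6c20"}
{"ts":5000,"src":"10.0.0.9","method":"POST","path":"/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy","body_len":9120,"body_prefix":"7a0b3e91c4d2"}
{"ts":5040,"src":"10.0.0.9","method":"POST","path":"/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy","body_len":412380,"body_prefix":"0e55a1f39b7c"}
{"ts":5110,"src":"10.0.0.9","method":"POST","path":"/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy","body_len":2870044,"body_prefix":"b4c0ffee1234"}
{"ts":5200,"src":"10.0.0.5","method":"GET","path":"/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy","body_len":0,"body_prefix":""}
"""

def diag_posts(records):
    # Headers mirror real telemetry, so key on method and path; the signal is size and timing.
    return [r for r in records
            if r["method"] == "POST" and r["path"].split("?")[0] == CDG_DIAG_PATH]

def flag_oversized(records):
    """Diagnostics POSTs whose body is both far larger than baseline and pure hex."""
    return [r for r in diag_posts(records)
            if r["body_len"] > MAX_DIAG_BODY and HEX_ONLY.match(r["body_prefix"])]

def flag_bursts(records):
    """Source hosts that send BURST_COUNT or more diagnostics POSTs within BURST_WINDOW."""
    by_src = defaultdict(list)
    for r in diag_posts(records):
        by_src[r["src"]].append(r["ts"])
    hits = []
    for src, stamps in sorted(by_src.items()):
        stamps.sort()
        if any(stamps[i + BURST_COUNT - 1] - stamps[i] <= BURST_WINDOW
               for i in range(len(stamps) - BURST_COUNT + 1)):
            hits.append(src)
    return hits

def findings(text):
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    return {"oversized": [(r["src"], r["body_len"]) for r in flag_oversized(recs)],
            "burst_hosts": flag_bursts(recs)}
```

Tune MAX_DIAG_BODY from a week of real diagnostics traffic before relying on it; the point is that a compromised CDG server makes destination and headers worthless as signals, leaving volume and cadence.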
Self-Deletion via a Legitimate Driver
After completing its exfiltration phases, Speagle invokes a legitimate kernel driver associated with Cobra DocGuard to delete its own executable from disk. Security software like Cobra DocGuard often includes anti-tamper drivers that operate at the kernel level, giving them elevated privileges to prevent unauthorized process termination. Speagle repurposes this capability to clean up its own traces, leaving no artifact that would directly implicate the malware. Symantec researchers note that this behavior is one of the low-confidence indicators pointing toward a possible supply chain delivery mechanism — a trojanized software update would naturally have access to the same driver, with no suspicious privilege escalation required.
The Missile-Hunting Variant
One identified variant of Speagle (SHA256: dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d) includes additional collection capabilities not present in the baseline version, including the ability to selectively enable or disable specific data collection modules. But its most striking feature is a dedicated search routine that looks specifically for files related to the Dongfeng-27 (DF-27) ballistic missile — a Chinese hypersonic glide vehicle that has drawn significant attention from defense analysts and foreign intelligence services.
The Dongfeng-27, also tracked as the CSS-X-24, is a long-range missile believed to carry both conventional and nuclear payloads at hypersonic speeds, giving it the capacity to strike targets across the Indo-Pacific and potentially beyond. Documents referencing the DF-27 would be of high value to any foreign intelligence service attempting to understand the capabilities, deployment status, or technical specifications of China's strategic arsenal — or, from another angle, to a Chinese actor attempting to identify who inside an organization is in possession of such materials.
The presence of ballistic missile-related keyword searches in Speagle's code is a significant intelligence indicator. It is atypical for financially motivated threat actors. It strongly suggests either a state-sponsored operator seeking classified or sensitive defense information, or a private contractor working on behalf of a government client. Symantec researchers explicitly named both hypotheses in their published report.
The specific keywords embedded in this variant, when translated from Chinese, reference the DF-27 by name along with related terminology. This narrows the plausible purpose of the campaign considerably. Whether the goal is to identify who within a targeted organization has access to missile-related materials, to locate and exfiltrate those materials directly, or simply to map the professional network of individuals working in proximity to sensitive defense subjects — each scenario reflects an intelligence-collection objective rather than a financial one.
Attribution: The Runningcrab Problem
Despite the sophistication of Speagle's design and the sensitivity of the intelligence it appears to seek, Symantec and Carbon Black have been unable to connect Runningcrab to any previously catalogued threat actor. This is not an uncommon outcome in the China-aligned threat ecosystem, where infrastructure, tools, and even malware code are frequently shared across groups — sometimes deliberately, sometimes through third-party access brokers or shared development resources.
The researchers have articulated two primary hypotheses. The first is that Runningcrab is a state-sponsored actor operating as part of a government intelligence program, most plausibly in the context of Chinese strategic interests given the software's origin, the geographic targeting, and the missile-related keyword searches. The second hypothesis is a private contractor working for hire — a model that has become increasingly prevalent in the threat landscape, where former government operators or commercially incorporated intelligence shops offer capabilities to state clients on a deniable basis.
Complicating attribution further is the fact that Cobra DocGuard's user base is concentrated in China and across Chinese-speaking markets in Asia. An attacker specifically choosing to target only machines with this software installed is either highly familiar with that market segment, or has been tasked with targeting a defined population of organizations that commonly use it. Either way, the geographic and organizational scope of the campaign appears deliberate and bounded rather than opportunistic.
The Broader Pattern: A Persistently Abused Platform
What makes the Speagle disclosure particularly significant is not just the malware itself, but the pattern it completes. Cobra DocGuard has now served as the attack surface for three distinct campaigns attributed to three separate actors or actor clusters — LuckyMouse/APT27 in 2021–2022, Carderbee in 2023, and now Runningcrab in the disclosure window leading to March 2026.
Each campaign has used the platform differently. The APT27 campaign exploited a malicious update to deliver PlugX to a single gambling company. Carderbee scaled this approach across multiple Hong Kong organizations, adding Microsoft-signed malware to its evasion toolkit. Runningcrab's approach via Speagle is architecturally more complex — using the platform's infrastructure rather than just its update mechanism, and designing the malware to self-destruct using the platform's own kernel driver.
This pattern suggests that Cobra DocGuard has become, in intelligence and criminal operator circles, a recognized and reliable attack surface. Whether that is due to inherent vulnerabilities in the software, weaknesses in EsafeNet's update signing infrastructure, or the predictability of its user base — or all three — is not yet publicly known. EsafeNet has not issued a public statement in response to the March 2026 disclosure as of this writing.
Speagle SHA256 hashes (from Symantec/Carbon Black report):
03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b
d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877
dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d (missile-hunting variant)
C2 endpoint observed:
hxxp://60.30.147[.]18:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy
Key Takeaways
- Parasitic by design: Speagle does not attempt to operate independently. It is built to function only in the presence of Cobra DocGuard, using the platform's identifiers, server infrastructure, and kernel driver as operational components. This makes it uniquely difficult to detect without understanding the host software's normal behavior.
- Phased exfiltration as resilience: By transmitting collected data at the end of each collection phase rather than waiting until everything has been gathered, the malware ensures that even a partial execution yields actionable intelligence for the operator. This design pattern reflects professional operational planning.
- Missile keyword searches signal intelligence objectives: The presence of DF-27-related search strings in at least one variant places Speagle firmly in the category of targeted intelligence collection. Organizations in the defense, aerospace, or government contracting sectors that use Cobra DocGuard should treat this disclosure as directly relevant to their threat model.
- Cobra DocGuard is a repeated target: Three documented campaigns across four years make this platform a verified attack surface. Any organization running Cobra DocGuard in its environment should audit its deployment, monitor outbound traffic to CDG servers for anomalous payload sizes or patterns, and verify the integrity of installed binaries and drivers.
- Attribution gaps remain exploitable: Runningcrab's ability to operate unattributed — despite conducting targeted, sophisticated campaigns — reflects a broader intelligence challenge. The shared toolkit ecosystem across China-aligned actors deliberately complicates attribution, creating deniability that state sponsors have strong incentives to maintain.
The Speagle campaign is a reminder that sophisticated threat actors do not always need to compromise a target directly. When a trusted platform sits inside the perimeter — handling sensitive documents, running privileged processes, communicating regularly with external servers — it becomes an asset for an attacker who can compromise any piece of that ecosystem. Security monitoring that treats known software as inherently safe is precisely the assumption Speagle was designed to exploit.