New Malware Targets Users of Cobra DocGuard Software dlvr.it/TS9jp8 #cyber #threathunting #infosec

Hello everyone I am back again with DocGuard , this time it’s a pwa with a lot more functionality and robustness, Do check it out : doc-guard-taupe.vercel.app/

文書暗号化ソフト「Cobra DocGuard」のインフラに寄生し、正規のクライアント・サーバー間通信に紛れてデータを持ち出す情報窃取マルウェア「Speagle」が報告されています。 Cobra DocGuardは過去にもCarderbeeなどのAPTグループにサプライチェーン攻撃の踏み台として悪用された経緯がありますが、Speagleの手口はさらに踏み込んでいます。 攻撃者はCobra DocGuardの正規サーバー自体を侵害し、マルウェアが盗んだデータをそのサーバーに送信させることで、窃取トラフィックを正規の業務通信と見分けがつかない状態にしています。 ネットワーク監視で異常な外部通信を探す従来の検知アプローチでは見落とされる可能性が高く、厄介な手口です。 亜種の一つには「東風27号」「極超音速」「弾頭」といった中国の弾道ミサイル関連のキーワードで文書を検索する機能が確認されており、国家レベルの諜報活動が疑われています。 【要点】 ・SpeagleはSymantecとCarbon Blackの研究チームが発見した新しいインフォスティーラー。背後の脅威アクターはRunningcrabとして追跡されているが、既知のグループとの関連は未確認 ・Cobra DocGuardがインストールされた環境でのみ動作する設計。感染端末のWindowsユーザー名やホスト名に加え、Cobra DocGuard固有のクライアントIDを収集して標的を識別する ・情報収集は3フェーズに分かれ、各フェーズの完了時点でデータを窃取サーバーへ送信する。途中で検知・停止されても、それまでに集めたデータは攻撃者の手に渡る設計 ・第1フェーズで端末の識別情報、第2フェーズでWMIクエリによるシステム構成の詳細マッピングとファイル一覧、第3フェーズでブラウザの閲覧履歴・自動入力データ・ブックマーク等を収集 ・窃取データはXMLにシリアライズ・圧縮後、AES-128で暗号化してHTTP POSTで送信。送信先は攻撃者が侵害した正規のCobra DocGuardサーバー ・感染経路は未特定だが、マルウェアの自己削除処理にCobra DocGuardの正規ドライバを利用している点などから、トロイの木馬化されたソフトウェアアップデートによる配布が仮説として挙がっている。ただし確度は低いとされる ・自己削除には、実行中の実行ファイルを削除できるNTFS代替データストリームのリネーム手法も併用 同じソフトウェアが2022年、2023年に続いて三度目の悪用対象となっている点も見逃せません。 正規インフラへの寄生によって通信の異常検知が困難になる手口は、文書保護ソフトに限らず他の業務ソフトウェアにも応用可能な構造的リスクといえます。 security.com/threat-intellig…

Researchers reveal Infostealer.Speagle, a "parasitic" malware hijacking Cobra DocGuard infrastructure to mask the theft of sensitive ballistic missile data #SpeagleMalware #CobraDocGuard #CyberEspionage #Infosec #SupplyChainAttack #Runningcrab #DataBreach securityonline.info/infostea…

『Notably, Speagle appears to be capable of collecting information on highly targeted subjects, such as specifically seeking out documents related to Chinese ballistic missiles.』🤔 New Malware Targets Users of Cobra DocGuard Software security.com/threat-intellig…

Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers thehackernews.com/2026/03/sp…

A new malware campaign targets Cobra DocGuard users, parasitically exploiting its functions to hunt for documents related to ballistic missiles. security.com/threat-intellig…

Speagle malware is abusing a legitimate tool called Cobra DocGuard to steal data without raising alarms Instead of sending stolen data to a sketchy attacker server, it: 👉 Routes exfiltration through a trusted DocGuard server 👉 Makes the traffic look completely normal 👉 Blends into legitimate enterprise communication Most security systems rely heavily on: * Suspicious domains * Unknown IPs * Weird traffic patterns But here > The malware is hiding inside trusted infrastructure So from a SOC perspective, it looks like: Oh, it’s just DocGuard doing its job Meanwhile, data is quietly leaving the environment. This malware only executes if Cobra DocGuard is installed. Basically this is not mass malware but Targeted espionage Attackers already: * Know the victim uses DocGuard * Tailor the payload specifically for that environment classic APT-style behavior Once active, they can: * Exfiltrate sensitive documents * Leak internal communications * Bypass traditional DLP/network monitoring And because it uses a legitimate channel: * It avoids signature-based detection * It evades many SIEM alerts This fits into a growing pattern: 👉 Living off trusted services Instead of building their own infrastructure, attackers abuse: * Enterprise tools * Cloud platforms * Security software itself We’ve seen similar behavior with: * Slack / Teams abuse * OneDrive / Google Drive exfiltration * Email gateways

Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers thehackernews.com/2026/03/sp…

Speagle malware is abusing Cobra DocGuard to quietly steal data. It sends exfiltration through a legitimate DocGuard server, blending into normal traffic and avoiding detection. It only runs on systems with DocGuard installed, signaling targeted espionage activity. 🔗 How it hides, steals, and wipes traces → thehackernews.com/2026/03/sp…

Symantec Enterprise Blogs | New Malware Targets Users of Cobra DocGuard Software security.com/threat-intellig…

🚨#Malicious #CHM File Evaded All AV Solutions🚨 📌VT Detections 0/64 📁Filename: CV - 585126.chm 🔐MD5: 0d0ef17e86a2bcfb97763c54731179a5 DOCGuard Report: app.docguard.io/c3ac20f94e0c…

Code intelligence handles one side, what the code does. But there's also the question of whether the docs actually match. DocGuard (github.com/raccioly/docguard) does for documentation what GitNexus does for code structure. Automated validation, drift detection, and AI-driven repair. Zero dependencies, plugs into the spec-kit ecosystem. GitNexus tells your AI what depends on what. DocGuard tells it what the code is supposed to do. Complementary layers.

Dropping a CLAUDE.md at root is step 1. Step 2 is making sure it doesn't go stale 3 days later. DocGuard does both and generates AGENTS.md from code, then validates it stays in sync. 51 checks, zero deps. github.com/raccioly/docguard @bcherny @AnthropicAI

Hot take: Your AI coding agent has no idea what your project actually does. AGENTS.md doesn't help if the docs underneath are garbage. DocGuard enforces Canonical-Driven Development: → Generate docs from code → Validate them on every commit → Score your "doc tax" Like ESLint, but for your documentation. github.com/raccioly/docguard #DevTools #AIAgents #CDD

Can you really trust the documents you receive? Invoice fraud and fake bank details are increasing every year. DocGuard uses AI to analyze documents and detect fraud in seconds. Try it free — 3 scans included. docguard.fr #ai #startup #cybersecurity #TechNews

🧠 Reverse Engineering / Debugging: - PeStudio → winitor dot com - CFF Explorer → ntcore dot com - DocGuard → docguard dot io - File Scan → virscan dot org

As the creator of DocGuard I can validate that kumkum bhagya was an appropriate response

🚨#Phishing #Pdf File Evaded All The AV Solutions 🚨 📌VT 0/61 📂Filename: Ziraat.pdf 🔐MD5: 4105ec3dc57e1dc3929ec0be0054aad5 🕵️IoCs: download1586.mediafire.com/z… DOCGuard Analysis: app.docguard.io/d87819102369…

🚨 #Phishing PDF File Evaded All The AV Solutions🚨 ⚠️ #FakeMicrosoftLoginPanel ⚠️ 📌 VT Detection: 0 / 65 📁 Filename: Dussmann Kalte- und Klimatechnik GmbH Zahlung.pdf 🔐 MD5: ecae32462944be54e54e01d2c978c82d 🕵️‍♂️ IOCs: - (DOMAIN) dussmann-kalte-und-klimatechnik-gmbh[.]moll-de[.]com DOCGuard Report: app.docguard.io/c029927c004a…