The Parasite in the Machine: Unmasking the Speagle Infostealer

What happens when attackers stop trying to evade your security tools — and start using them? On this Threat Tracer, we unpack Infostealer.Speagle: a newly identified parasite that piggybacks on Cobra DocGuard — a legitimate document-security platform from EsafeNet — to quietly map networks, harvest browser data, and chase documents tied to Chinese ballistic missile programs, including the Dongfeng-27.

Tracked under the activity cluster Runningcrab, Speagle is the third major compromise involving Cobra DocGuard in recent years. It exfiltrates to compromised DocGuard servers so the traffic blends in with normal client sync. It uses the platform's own FileLock driver to bypass anti-tamper protections and delete itself. And one variant hunts for Chinese-language keywords like "hypersonic," "warhead," and "thermal protection system."

What's in this episode:
- How Speagle hides inside Cobra DocGuard traffic on ports 8090/8091
- The three-phase exfiltration: system fingerprint → WMI network mapping → browser and file harvesting
- The "missile module" and what its hardcoded keyword list reveals about targeting
- Why Runningcrab attribution is still an open question
- Defender checklist: registry keys to watch, User-Agent IOCs, and supply-chain inventory steps

Trust is the new perimeter. When the tools you bought to protect data become the channel that leaks it, defense-in-depth has to be examined from the inside out.

Subscribe for more in-depth intel, real talk, and the human factor in cybersecurity.
▶ More research: https://security.com
▶ Apple Podcasts: https://podcasts.apple.com/us/podcast...
▶ Spotify: https://open.spotify.com/show/1DRJdDs...

#Cybersecurity #ThreatIntelligence #Infostealer #SupplyChainAttack #Symantec