
Infostealer Surge: Speagle, NKAbuse, and CGrabber Targeting Enterprise Credentials

Security Arsenal Team
April 18, 2026
5 min read

Threat Summary

Recent OTX pulses indicate a coordinated surge in credential theft and infostealer activity using diverse vectors, including supply chain compromise, fake software distribution, and CVE exploitation. Key campaigns include Runningcrab's use of Infostealer.Speagle to hijack Cobra DocGuard software for stealthy data exfiltration, and an NKAbuse botnet campaign exploiting CVE-2026-39987 in the marimo platform to establish C2 via the NKN blockchain. Additionally, widespread distribution of NWHStealer via fake Proton VPN sites and of Direct-Sys Loader via GitHub DLL sideloading highlights a broad focus on harvesting credentials and cryptocurrency data across Windows and macOS environments.

Threat Actor / Malware Profile

Infostealer.Speagle (Actor: Runningcrab)

  • Distribution: Targets systems running legitimate Cobra DocGuard software.
  • Behavior: Hijacks DocGuard functionality to exfiltrate sensitive data to a compromised server (CDGServer3/CDGClientDiagnostics), masking traffic as legitimate software updates.
  • C2: Uses HTTP over ports 8090/8091 to specific IP addresses.

NKAbuse & kagent

  • Distribution: Exploits CVE-2026-39987 (RCE) in marimo Python notebooks; payloads hosted on typosquatted HuggingFace Spaces.
  • Behavior: Delivers an undocumented malware variant that uses the NKN blockchain for decentralized command and control.
  • Persistence: Established via malicious Python notebook execution.

NWHStealer

  • Distribution: Fake VPN download sites (e.g., get-proton-vpn.com), hardware utilities, and gaming mods.
  • Behavior: Harvests browser data, saved passwords, and cryptocurrency wallets.

Direct-Sys Loader & CGrabber Stealer

  • Distribution: ZIP archives via GitHub attachment URLs.
  • Behavior: Five-stage chain using DLL sideloading via a legitimate Microsoft-signed binary (Launcher_x64.exe). Uses ChaCha20 encryption and direct syscalls for evasion (anti-analysis).

notnullOSX (Actor: alh1mik)

  • Distribution: ClickFix social engineering and malicious DMGs.
  • Behavior: Go-written modular stealer targeting macOS users with >$10k crypto holdings.

IOC Analysis

The provided indicators span multiple categories requiring immediate triage:

  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes for payloads like Speagle, NKAbuse, and CGrabber. These should be blocked in EDR solutions and scanned in historical logs.
  • Network Indicators: Specific IPv4 addresses (e.g., 83.217.209.88, 185.225.17.176) and typosquatted domains (e.g., get-proton-vpn.com, coockie.pro). These require immediate firewall and DNS sinkhole blocking.
  • URLs: Specific paths used for C2 communication, particularly the Speagle pattern http://[IP]:8090/CDGServer3/CDGClientDiagnostics.

Operational Guidance: SOC teams should prioritize the Speagle C2 URLs and NKAbuse IPs as they indicate active, established infrastructure. EDR correlation should look for the signed binary Launcher_x64.exe spawning unsigned processes.

Detection Engineering

```yaml
title: Speagle Infostealer C2 Communication Pattern
id: 6f8a9d1b-2c4e-4a1f-9e5b-3c7d8e9f0a1b
description: Detects network connections from Cobra DocGuard processes to the ports used by Infostealer.Speagle C2 servers.
status: experimental
date: 2026/04/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.command_and_control
    - attack.exfiltration
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Sigma network_connection uses Image for the initiating process
        Image|contains: 'DocGuard'
        # Speagle C2 uses 8090/8091; match the ports exactly rather than a string prefix
        DestinationPort:
            - 8090
            - 8091
    condition: selection
    # The C2 URI path (/CDGServer3/CDGClientDiagnostics) is not present in Sysmon
    # network events; match it in proxy logs or with the KQL query further down.
falsepositives:
    - Legitimate Cobra DocGuard update checks (verify destination IP reputation)
level: high
---
title: Fake Proton VPN Site Access
id: 7a9b0e2c-3d5f-4b2a-0f6c-4d8e9f0a1b2c
description: Detects DNS queries or connections to known typosquatted domains distributing NWHStealer.
status: experimental
date: 2026/04/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.initial_access
    - attack.social_engineering
logsource:
    category: dns
    product: windows
detection:
    selection_domains:
        QueryName|contains:
            - 'get-proton-vpn.com'
            - 'vpn-proton-setup.com'
            - 'newworld-helloworld.icu'
    condition: selection_domains
falsepositives:
    - Unknown
level: critical
---
title: Potential Direct-Sys Loader DLL Sideloading
id: 00000000-0000-4000-8000-000000000000  # placeholder: the original id was not a valid UUID; generate a fresh UUIDv4
description: Detects suspicious child processes spawned by Launcher_x64.exe, indicative of DLL sideloading used by Direct-Sys Loader.
status: experimental
date: 2026/04/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.defense_evasion
    - attack.hijack_execution_flow
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # single-quoted YAML does not escape backslashes, so one backslash is correct
        ParentImage|endswith: '\Launcher_x64.exe'
        # a list is an OR; "'System' or 'High'" is not valid Sigma syntax
        IntegrityLevel:
            - 'System'
            - 'High'
    selection_suspicious:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the Launcher tool (rare)
level: high
```
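The three rules above express their logic declaratively. As an added example (not the advisory's own code), the following Python evaluates the same three conditions over constructed Sysmon-style events, including the Launcher_x64.exe parent/child check from the operational guidance. The sample events, the IP 198.51.100.7 and the file paths are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample telemetry (not from the advisory): one true positive per rule plus benign noise.
EVENTS = [
    {"type": "network", "image": r"C:\Program Files\Cobra DocGuard\CDGClient.exe",
     "dst_port": 8090, "url": "http://198.51.100.7:8090/CDGServer3/CDGClientDiagnostics"},
    {"type": "network", "image": r"C:\Program Files\Cobra DocGuard\CDGClient.exe",
     "dst_port": 443, "url": "https://updates.example/check"},
    {"type": "dns", "query": "cdn.get-proton-vpn.com"},
    {"type": "dns", "query": "protonvpn.com"},
    {"type": "process", "parent_image": r"C:\Users\alice\Downloads\Launcher_x64.exe",
     "image": r"C:\Windows\System32\rundll32.exe", "integrity": "High"},
    {"type": "process", "parent_image": r"C:\Users\alice\Downloads\Launcher_x64.exe",
     "image": r"C:\Windows\System32\conhost.exe", "integrity": "Medium"},
]

SPEAGLE_PORTS = {8090, 8091}
SPEAGLE_PATH = "/CDGServer3/CDGClientDiagnostics"
FAKE_VPN_DOMAINS = ("get-proton-vpn.com", "vpn-proton-setup.com", "newworld-helloworld.icu")
LOLBIN_CHILDREN = ("\\cmd.exe", "\\powershell.exe", "\\rundll32.exe")

def speagle_c2(ev):
    """Speagle: a DocGuard process reaching port 8090/8091; when a URL is logged, its path must match."""
    if ev["type"] != "network" or "DocGuard" not in ev["image"] or ev["dst_port"] not in SPEAGLE_PORTS:
        return False
    url = ev.get("url")
    return url is None or urlsplit(url).path == SPEAGLE_PATH

def fake_vpn_dns(ev):
    """NWHStealer lure: query equals, or is a subdomain of, a known typosquatted domain."""
    if ev["type"] != "dns":
        return False
    q = ev["query"].lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in FAKE_VPN_DOMAINS)

def direct_sys_sideload(ev):
    """Direct-Sys: Launcher_x64.exe at High/System integrity spawning a shell or rundll32."""
    return (ev["type"] == "process"
            and ev["parent_image"].lower().endswith("\\launcher_x64.exe")
            and ev["integrity"] in ("High", "System")
            and ev["image"].lower().endswith(LOLBIN_CHILDREN))

RULES = {"speagle_c2": speagle_c2, "fake_vpn_dns": fake_vpn_dns, "direct_sys_sideload": direct_sys_sideload}

def run_rules(events=EVENTS):
    """Return (rule_name, event_index) pairs for every event that fires a rule."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]
```

Calling run_rules() on the sample set flags events 0, 2 and 4 only; the benign DocGuard update check, the real protonvpn.com lookup and the Medium-integrity conhost child stay silent.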


```kql
// KQL for Sentinel - Hunt for Speagle and NKAbuse Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "CDGClientDiagnostics" or RemoteIP in ("111.90.145.139", "160.30.128.96", "185.225.17.176", "38.147.173.172", "83.217.209.88", "222.222.254.165", "60.30.147.18")
| extend ThreatContext = case(
    RemoteUrl has "CDGClientDiagnostics", "Speagle C2",
    RemoteIP == "83.217.209.88", "notnullOSX C2",
    "NKAbuse Botnet"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, ThreatContext
```


```powershell
# PowerShell Hunt Script - Check for NWHStealer and Speagle File Hashes

# SHA256 indicators
$targetSha256 = @(
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b", # Speagle
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877", # Speagle
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3", # NWHStealer
    "e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3"  # NWHStealer
)
# MD5 indicators: these must be compared against an MD5 digest, not the SHA256 one
$targetMd5 = @(
    "5cb3b902ae5993ae4e502f1c29cfb4e0", # NWHStealer MD5
    "50fcf93b14a6898347d1ca2c43e1b180"  # CGrabber MD5
)

Write-Host "[+] Hunting for Infostealer IOCs..."

# Common drop locations for user-launched payloads
$paths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        # Get-FileHash returns uppercase hex; -contains compares strings case-insensitively
        $sha256 = (Get-FileHash -Path $file -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($sha256 -and $targetSha256 -contains $sha256) {
            Write-Host "[!] MALICIOUS FILE FOUND: $file (SHA256: $sha256)" -ForegroundColor Red
            return   # inside ForEach-Object, 'return' moves on to the next file
        }
        $md5 = (Get-FileHash -Path $file -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($md5 -and $targetMd5 -contains $md5) {
            Write-Host "[!] MALICIOUS FILE FOUND: $file (MD5: $md5)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Hunt complete."
```

Response Priorities

  • Immediate: Block all IOCs listed in the analysis section at the firewall and proxy level; specifically, sinkhole get-proton-vpn.com, vpn-proton-setup.com, and the CDGServer3 C2 IPs.
  • 24 Hours: Initiate a credential audit for users who may have accessed the fake VPN sites or downloaded gaming mods. Force password resets and rotate API keys for developers using marimo notebooks or exposed to the HuggingFace Spaces.
  • 1 Week: Review software supply chain security. Identify systems running Cobra DocGuard and inspect for the Speagle hijack. Implement strict allow-listing for Python notebook execution and GitHub repository access.
