
Runningcrab Supply Chain & LeakNet Ransomware: Speagle Infostealer, Deno Loaders & Telegram C2 Analysis

Security Arsenal Team
April 18, 2026
7 min read

Threat Summary

Recent OTX pulses indicate a surge in diverse cyber-espionage and ransomware activities utilizing advanced evasion techniques. Three distinct threats have been identified:

  1. Runningcrab (Supply Chain Attack): A sophisticated campaign targeting the Defense and Technology sectors in China and Hong Kong. The actor Runningcrab has compromised the update mechanism of Cobra DocGuard, a legitimate security application, to distribute the Infostealer.Speagle and RATs like PlugX and Korplug. Data exfiltration is masked as legitimate software diagnostic traffic.

  2. LeakNet (Ransomware-as-a-Service Evolution): The LeakNet ransomware operator has shifted from buying initial access to running its own campaigns utilizing ClickFix social engineering lures. They have deployed a new Deno-based in-memory loader to evade detection, followed by jli.dll side-loading and PsExec for lateral movement.

  3. Hydra Saiga (State-Sponsored Espionage): A suspected Kazakhstani threat actor targeting critical infrastructure (Energy, Water, Government) across Central Asia, Europe, and the Middle East. Hydra Saiga employs custom implants (JLORAT, Telemiris) and abuses the Telegram Bot API for Command & Control (C2), blending malicious traffic with legitimate messaging app usage.

Threat Actor / Malware Profile

Runningcrab / Infostealer.Speagle

  • Distribution Method: Supply chain compromise via hijacked Cobra DocGuard software updates.
  • Payload Behavior: Steals sensitive system information and credentials.
  • C2 Communication: Transmits stolen data to compromised Cobra DocGuard servers (http://<IP>:8090/CDGServer3/...). The path CDGClientDiagnostics?flag=syn_user_policy mimics legitimate software telemetry.
  • Persistence: Established through the inherent auto-start functionality of the compromised security software.
  • Anti-Analysis: Masquerades C2 traffic as trusted security software communications to bypass network inspection.
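The profile above is the basis of the following added detection example (written for this page, not code from the advisory or from the Cobra DocGuard vendor). It scores proxy-log requests that carry the Speagle C2 shape, the /CDGServer3/CDGClientDiagnostics?flag=syn_user_policy path on port 8090 or 8091, against what legitimate DocGuard telemetry should look like: the organisation's own DocGuard server name (KNOWN_DOCGUARD_SERVERS) and the DocGuard client binary name (DOCGUARD_CLIENT_IMAGE) are assumed, site-specific values, and the log lines are constructed samples.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# One proxy-log line per request: "<timestamp> <src_ip> <pid> <image path> <method> <url>".
# The image path may contain spaces, so it is matched lazily up to the HTTP method.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<pid>\d+) (?P<image>.+?) (?P<method>GET|POST) (?P<url>\S+)$"
)

# Speagle C2 traits taken from the advisory: ports 8090/8091 and the
# /CDGServer3/CDGClientDiagnostics?flag=syn_user_policy path.
SPEAGLE_PORTS = {8090, 8091}
SPEAGLE_PATH_MARKERS = ("CDGServer3", "CDGClientDiagnostics")
SPEAGLE_FLAG = "syn_user_policy"

# Assumed, site-specific values (hypothetical): the DocGuard server the organisation
# actually configured, and the file name of the DocGuard client binary.
KNOWN_DOCGUARD_SERVERS = {"docguard.corp.example"}
DOCGUARD_CLIENT_IMAGE = "cdgclient.exe"

# Constructed sample log, not captured traffic. 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = r"""
2026-04-18T09:12:01Z 10.0.4.21 4120 C:\Program Files\CobraDocGuard\CDGClient.exe GET http://docguard.corp.example:8080/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy
2026-04-18T09:12:07Z 10.0.4.21 4120 C:\Program Files\CobraDocGuard\CDGClient.exe POST http://203.0.113.45:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy
2026-04-18T09:13:11Z 10.0.4.33 5532 C:\Windows\System32\svchost.exe GET http://198.51.100.7:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy
2026-04-18T09:14:00Z 10.0.4.21 2210 C:\Program Files\Mozilla Firefox\firefox.exe GET https://www.example.org/news
"""


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(line: str):
    """Return a finding dict for a Speagle-shaped request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    port = url.port or (443 if url.scheme == "https" else 80)
    host = url.hostname or ""
    path_hit = all(marker in url.path for marker in SPEAGLE_PATH_MARKERS)
    flag_hit = SPEAGLE_FLAG in parse_qs(url.query).get("flag", [])
    if not (path_hit and flag_hit):
        return None  # not the DocGuard diagnostics shape at all

    # The path alone is what legitimate DocGuard telemetry looks like, so each
    # deviation from the expected client/server pairing adds a reason.
    reasons = []
    if port in SPEAGLE_PORTS:
        reasons.append(f"destination port {port}")
    if is_ip_literal(host) and host not in KNOWN_DOCGUARD_SERVERS:
        reasons.append("IP-literal destination not in DocGuard server allowlist")
    elif host not in KNOWN_DOCGUARD_SERVERS:
        reasons.append("hostname not in DocGuard server allowlist")
    image_name = m["image"].rsplit("\\", 1)[-1].lower()
    if image_name != DOCGUARD_CLIENT_IMAGE:
        reasons.append(f"unexpected source process {image_name}")
    if not reasons:
        return None  # the expected client talking to the expected server

    return {
        "ts": m["ts"], "src": m["src"], "pid": int(m["pid"]), "image": image_name,
        "host": host, "port": port,
        "severity": "high" if len(reasons) >= 2 else "medium",
        "reasons": reasons,
    }


def hunt(log_text: str):
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["src"], finding["image"], "->",
              f"{finding['host']}:{finding['port']}", "; ".join(finding["reasons"]))
```

On the constructed sample the first line (the real client talking to the allowlisted server on its normal port) produces no finding, while the two requests to IP-literal hosts on 8090/8091 are rated high; the svchost.exe request collects a third reason because the source process is not the DocGuard client. The allowlist is what keeps the Sigma rule's stated false positive (genuine DocGuard traffic) out of the alert queue.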

LeakNet

  • Distribution Method: "ClickFix" fake browser error pages prompting users to run malicious PowerShell/Bash scripts, often via compromised sites.
  • Payload Behavior: In-memory execution of ransomware payload using Deno runtime.
  • C2 Communication: Uses compromised domains and S3 buckets for payload staging and C2.
  • Persistence: DLL side-loading (specifically jli.dll) to maintain access.
  • Anti-Analysis: In-memory execution (fileless malware) via Deno complicates disk-based forensics.

Hydra Saiga / JLORAT

  • Distribution Method: Phishing campaigns tailored to geopolitical interests of Kazakhstan.
  • Payload Behavior: Custom backdoors (JLORAT, Telemiris) focused on espionage and data collection.
  • C2 Communication: Leverages Telegram Bot API (api.telegram.org) for stealthy communication.
  • Persistence: Uses "Living off the Land" (LotL) techniques and likely scheduled tasks or registry run keys.
  • Anti-Analysis: Use of legitimate cloud infrastructure (Telegram) makes network blocking difficult without broad service disruption.

IOC Analysis

The provided IOCs include:

  • File Hashes (SHA256): Specific to the Runningcrab campaign (Speagle/Droppers). These should be used for EDR quarantine and historical hunting.
  • URLs: Specific HTTP paths on IP addresses (port 8090/8091) indicative of the Speagle C2 protocol.
  • Domains: A list of domains associated with LeakNet's ClickFix infrastructure and Hydra Saiga's C2.

SOC Operationalization:

  • Firewall/Proxy: Block all listed domains and the specific IP:Port combinations immediately.
  • EDR: Hunt for the SHA256 hashes. Configure detections for processes connecting to non-standard ports (8090/8091) with the specific URI path structure.
  • SIEM: Correlate process creation events with network connections to api.telegram.org from non-interactive processes to hunt for Hydra Saiga.
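The SIEM step above, correlating process creation with network connections to api.telegram.org, is shown below as an added example that is not part of the advisory or of any vendor product. It joins the two event streams on PID, exempts the same browser and messenger images the Sigma rule in this report filters, and raises the severity when the connecting process ran in a non-interactive session or was launched by a service or task host (an assumed heuristic). All events are constructed samples; the update.exe path is hypothetical.

```python
from typing import Dict, List, Tuple

# Processes the report's Sigma rule treats as legitimate Telegram API users.
ALLOWED_IMAGES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}
# Parents that indicate a service, scheduled task or other non-interactive launch
# (assumed heuristic, not from the advisory).
NON_INTERACTIVE_PARENTS = {"services.exe", "svchost.exe", "wininit.exe"}
TELEGRAM_API = "api.telegram.org"

# Constructed sample telemetry, not real events. Process creation records are keyed
# by PID; network records are (pid, remote_host, remote_port).
PROCESS_EVENTS: List[Dict] = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": "explorer.exe", "session": 1, "user": r"CORP\alice"},
    {"pid": 5532, "image": r"C:\Users\Public\update.exe",  # hypothetical path
     "parent": "svchost.exe", "session": 0, "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 6001, "image": r"C:\Users\bob\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "parent": "explorer.exe", "session": 2, "user": r"CORP\bob"},
    {"pid": 7002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "explorer.exe", "session": 1, "user": r"CORP\carol"},
]
NETWORK_EVENTS: List[Tuple[int, str, int]] = [
    (4120, "api.telegram.org", 443),
    (5532, "api.telegram.org", 443),
    (6001, "api.telegram.org", 443),
    (7002, "api.telegram.org", 443),
    (5532, "wsus.corp.example", 8530),
    (9999, "api.telegram.org", 443),  # no matching process record: a logging gap
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(process_events, network_events):
    """Join network events to process creations on PID and score Telegram API use."""
    by_pid = {p["pid"]: p for p in process_events}
    alerts = []
    for pid, host, port in network_events:
        if host != TELEGRAM_API and not host.endswith("." + TELEGRAM_API):
            continue
        proc = by_pid.get(pid)
        if proc is None:
            # A connection with no creation record means the process log is incomplete
            # (gap, tampering or a process older than the log); surface it, do not drop it.
            alerts.append({"pid": pid, "image": None, "severity": "low",
                           "reasons": ["no process creation event for this PID"]})
            continue
        image = basename(proc["image"])
        if image in ALLOWED_IMAGES:
            continue  # same exemption as the Sigma rule's filter_legitimate
        reasons = [f"non-allowlisted process {image}"]
        if proc["session"] == 0 or proc["user"].upper().endswith("SYSTEM"):
            reasons.append("non-interactive session")
        if proc["parent"].lower() in NON_INTERACTIVE_PARENTS:
            reasons.append(f"launched by {proc['parent']}")
        alerts.append({"pid": pid, "image": image,
                       "severity": "high" if len(reasons) > 1 else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert["severity"].upper(), alert["pid"], alert["image"], "; ".join(alert["reasons"]))
```

The sample yields three alerts: the SYSTEM-context process started by svchost.exe is high, the interactive PowerShell session is medium (worth a look, but an admin may be scripting), and the orphan PID is low because the only thing known is that telemetry is missing. Connections to other hosts, such as the WSUS server, never enter the scoring path.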

Detection Engineering

Sigma Rules

YAML
title: Potential Infostealer.Speagle C2 Traffic
id: 4e2b3f2c-5a6b-4c7d-8e9f-1a2b3c4d5e6f
description: Detects HTTP requests indicative of Speagle infostealer C2 communication mimicking Cobra DocGuard diagnostics telemetry (ports 8090/8091 and the CDGServer3 diagnostics path).
status: experimental
date: 2026/04/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/61843a2f8a0c1c0f3c4d5e6f
tags:
    - attack.command_and_control
    - attack.exfiltration
logsource:
    category: proxy
detection:
    selection:
        dst_port:
            - 8090
            - 8091
        c-uri|contains|all:
            - 'CDGServer3'
            - 'CDGClientDiagnostics'
            - 'syn_user_policy'
    condition: selection
falsepositives:
    - Legitimate Cobra DocGuard traffic (verify the destination IP is the organisation's own DocGuard server and not in threat intel)
level: high
---
title: Suspicious Telegram API Usage by Non-Browser Process
id: 5f3c4g2h-6b7c-8d9e-0f1a-2b3c4d5e6f7a
description: Detects potential Hydra Saiga C2 activity using the Telegram Bot API from unusual processes.
status: experimental
date: 2026/04/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/61843a2f8a0c1c0f3c4d5e6f
tags:
    - attack.command_and_control
    - attack.defense_evasion
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    filter_legitimate:
        Image|endswith:
            - '\telegram.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
    condition: selection and not filter_legitimate
falsepositives:
    - Third-party messaging clients or automation tools legitimately using the Telegram API
level: medium
---
title: LeakNet Deno In-Memory Loader Execution
id: 6g4d5h3i-7c8d-9e0f-1a2b-3c4d5e6f7a8b
description: Detects execution of the Deno runtime, which LeakNet uses for in-memory payload loading.
status: experimental
date: 2026/04/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/61843a2f8a0c1c0f3c4d5e6f
tags:
    - attack.execution
    - attack.defense_evasion
logsource:
    category: process_creation
detection:
    selection:
        Image|endswith: '\deno.exe'
        CommandLine|contains:
            - 'eval'
            - 'run'
            - 'fetch'
    condition: selection
falsepositives:
    - Legitimate developer usage of the Deno JavaScript runtime
level: low

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Query 1: Speagle C2 path and LeakNet ClickFix domains.
// Each of the three queries below is a separate query body: KQL does not allow
// several tabular expressions to be chained with ";" in one query.
let IOCs = dynamic([
    "okobojirent.com", "mshealthmetrics.com", "serialmenot.com", "neremedysoft.com",
    "cnoocim.com", "apiclofront.com", "crahdhduf.com", "delhedghogeggs.com",
    "allcloudindex.com", "docworldme.com", "pweobmxdlboi.com", "wincorpupdates.com"
]);
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs)
    or (RemoteUrl contains "CDGClientDiagnostics" and RemotePort in (8090, 8091))
| extend IOCHit = iff(RemoteUrl has_any (IOCs), "Domain", "Speagle Path")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          RemoteUrl, RemoteIP, RemotePort, IOCHit
| order by Timestamp desc

// Query 2: Deno runtime process creation (LeakNet loader). Review the command line
// for remote script URLs before escalating; developers also run deno.exe.
DeviceProcessEvents
| where FileName =~ "deno.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Query 3: File events for the Speagle SHA256 hashes listed in this report
DeviceFileEvents
| where SHA256 in (
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877",
    "dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d",
    "fad8d0307db5328c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890"
)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, InitiatingProcessAccountName
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt for Speagle Hashes and Suspicious Network Connections
# Requires Admin Privileges (owning-process lookup on connections, full-disk read)

$speagleHashes = @(
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877",
    "dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d",
    "fad8d0307db5328c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890"
)

$suspiciousDomains = @(
    "okobojirent.com", "mshealthmetrics.com", "serialmenot.com", "neremedysoft.com",
    "cnoocim.com", "apiclofront.com", "crahdhduf.com", "delhedghogeggs.com",
    "allcloudindex.com", "docworldme.com", "pweobmxdlboi.com", "wincorpupdates.com"
)

# Ports used by the Speagle C2 protocol (see IOC Analysis)
$speaglePorts = @(8090, 8091)

Write-Host "[+] Checking for Speagle Malware File Hashes..." -ForegroundColor Cyan
$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($drive in $drives) {
    Write-Host "Scanning $drive..."
    Get-ChildItem -Path $drive -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.Length -lt 10MB } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $speagleHashes -contains $hash) {
            Write-Host "[!] MALWARE DETECTED: $($_.FullName) (Hash: $hash)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Resolving Suspicious Domains..." -ForegroundColor Cyan
# Reverse DNS on attacker infrastructure rarely returns the malicious domain, so the
# domains are resolved forward and their addresses compared against live connections.
$suspiciousIPs = @{}
foreach ($domain in $suspiciousDomains) {
    Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $suspiciousIPs[$_.IPAddress] = $domain }
}
# The local resolver cache records domains this host looked up recently, even if
# the connection has already closed.
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($domain in $suspiciousDomains) {
        if ($_.Entry -like "*$domain*") {
            Write-Host "[!] SUSPICIOUS DOMAIN IN DNS CACHE: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for Active Network Connections to Suspicious Domains and Speagle C2 Ports..." -ForegroundColor Cyan
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($conn in $connections) {
    $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $procName = if ($process) { $process.ProcessName } else { 'unknown' }
    $remoteIP = $conn.RemoteAddress
    if ($suspiciousIPs.ContainsKey($remoteIP)) {
        Write-Host "[!] SUSPICIOUS CONNECTION: Process $procName PID $($conn.OwningProcess) connected to $($suspiciousIPs[$remoteIP]) ($remoteIP)" -ForegroundColor Red
    }
    if ($speaglePorts -contains $conn.RemotePort) {
        Write-Host "[?] CONNECTION ON SPEAGLE C2 PORT: Process $procName PID $($conn.OwningProcess) -> ${remoteIP}:$($conn.RemotePort) (verify against the organisation's Cobra DocGuard servers)" -ForegroundColor Yellow
    }
}

Write-Host "[+] Checking for Deno Runtime (LeakNet Loader)..." -ForegroundColor Cyan
foreach ($denoProcess in (Get-Process -Name "deno" -ErrorAction SilentlyContinue)) {
    Write-Host "[!] DENO PROCESS DETECTED: $($denoProcess.Path) PID $($denoProcess.Id)" -ForegroundColor Yellow
    Write-Host "    Verify if this is a legitimate developer tool." -ForegroundColor Gray
}

Response Priorities

  • Immediate:
    • Block all IP addresses and domains listed in the IOC Analysis section at the perimeter firewall and proxy servers.
    • Scan endpoints for the specified SHA256 hashes associated with Infostealer.Speagle.
    • Isolate any endpoints showing process execution of deno.exe or connections to the identified C2 infrastructure.
  • 24 Hours:
    • Conduct credential audits and resets for users on machines where Cobra DocGuard is installed or where Speagle indicators were found, due to the infostealer capability.
    • Review logs for evidence of jli.dll side-loading or PsExec execution related to LeakNet lateral movement.
  • 1 Week:
    • Verify the integrity of the Cobra DocGuard software supply chain and update to a vendor-confirmed clean version.
    • Implement network segmentation to restrict access to api.telegram.org and other non-essential cloud services from critical servers.
    • Enhance user awareness training regarding "ClickFix" social engineering techniques (fake browser update scams).


Tags

darkweb, otx-pulse, darkweb-apt, speagle-infostealer, leaknet-ransomware, hydra-saiga, supply-chain-attack, telegram-c2
