The latest OTX pulse data reveals a coordinated surge in infostealer activity targeting both enterprise and consumer environments. Adversaries are leveraging sophisticated supply chain compromises—specifically targeting Cobra DocGuard users with the Infostealer.Speagle malware—alongside broad, commodity campaigns distributing NWHStealer via fake VPN sites and the Direct-Sys Loader via GitHub repositories.
Collectively, these campaigns aim to harvest sensitive credentials, browser data, and cryptocurrency wallet keys. The threat actors involved, including Runningcrab and alh1mik, demonstrate a high degree of operational security, utilizing direct syscall execution (Direct-Sys), DLL sideloading, and novel C2 channels such as the NKN blockchain (NKAbuse). The focus on high-value targets—users with >$10k in crypto (notnullOSX) and defense/technology sectors—signals a financially motivated shift towards precision extortion and asset theft.
Threat Actor / Malware Profile
Infostealer.Speagle (Runningcrab)
- Distribution: Supply chain attack compromising legitimate Cobra DocGuard security software updates.
- Behavior: Hijacks DocGuard functionality to exfiltrate sensitive system data to a compromised command-and-control (C2) server. The traffic is disguised as legitimate diagnostic communications.
- C2 Communication: HTTP POST requests to specific paths on compromised DocGuard infrastructure (e.g., /CDGServer3/CDGClientDiagnostics).
- Evasion: Masquerades as trusted security software traffic to bypass network inspection.
NWHStealer
- Distribution: Typosquatted domains (e.g., get-proton-vpn.com), fake hardware utilities, and gaming mods hosted on file-sharing platforms.
- Behavior: Harvests browser data, saved passwords, and cryptocurrency wallet information.
- Persistence: Standard persistence mechanisms often found in Windows-based stealers (e.g., registry run keys).
notnullOSX (alh1mik)
- Distribution: "ClickFix" social engineering campaigns and malicious DMG files.
- Targeting: Specifically targets macOS users holding >$10,000 in cryptocurrency.
- Behavior: Modular Go-written stealer designed to bypass macOS security controls and extract wallet keys.
Direct-Sys Loader & CGrabber Stealer
- Distribution: ZIP archives distributed via GitHub user attachment URLs.
- Behavior: Five-stage malware chain. Abuses a legitimate Microsoft-signed binary (Launcher_x64.exe) for DLL sideloading.
- Techniques: Uses ChaCha20 encryption, direct syscall execution to evade EDR hooks, and multiple anti-analysis checks.
IOC Analysis
The provided indicators of compromise (IOCs) span multiple vectors, requiring a multi-layered defensive approach:
- File Hashes: A large volume of SHA256, MD5, and SHA1 hashes are provided for the payloads (Speagle, NWHStealer, notnullOSX). SOC teams should immediately block these hashes on endpoints and quarantine any existing files.
- Domains & URLs: Typosquatted domains (e.g., coockie.pro, vpn-proton-setup.com) and specific C2 URLs (e.g., http://222.222.254.165:8090/CDGServer3/...) are critical for DNS sinkholing and web proxy blocking.
- Network Infrastructure: IP addresses associated with C2 nodes (e.g., 83.217.209.88) and the NKAbuse botnet should be blocked at the perimeter.
- CVEs: CVE-2026-39987 is listed in the context of the marimo/NKAbuse campaign; prioritize patching RCE vulnerabilities in developer tools.
Operationalize these IOCs by loading them into your SIEM for correlation, EDR for isolation, and Firewalls/Proxies for network denial.
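As an added illustration of that correlation step (example code written for this report, not part of the OTX pulse or any vendor tooling), the Python below tags constructed proxy log lines using the Speagle C2 IPs, ports and diagnostics path and the NWHStealer domains listed above. The log format, the DocGuardClient.exe process name and the authorized DocGuard server docguard.corp.example are constructed placeholders; the allowlist is what keeps legitimate DocGuard diagnostics traffic from being flagged.

```python
import re

# Indicators from the pulse above: Speagle C2 IPs, diagnostics path and ports,
# plus NWHStealer typosquatted domains.
SPEAGLE_C2_IPS = {"222.222.254.165", "60.30.147.18"}
SPEAGLE_C2_PATH = "/CDGServer3/CDGClientDiagnostics"
SPEAGLE_PORTS = {8090, 8091}
NWH_DOMAINS = {"get-proton-vpn.com", "vpn-proton-setup.com", "coockie.pro"}
# Constructed placeholder for the organisation's own authorized DocGuard server.
AUTHORIZED_DOCGUARD = {"docguard.corp.example"}

# Constructed proxy log format: "<ts> <host> <process> <METHOD> <url>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<dest>[^:/\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$"
)

def classify(line):
    """Return {campaign, ts, host, reason} for a line matching an indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dest, port = m["dest"].lower(), int(m["port"] or 80)
    path, proc = m["path"] or "/", m["proc"].lower()
    base = {"ts": m["ts"], "host": m["host"]}
    # Speagle: a DocGuard process on 8090/8091 to a host that is not the authorized
    # server, reaching a known C2 IP or the hijacked diagnostics path.
    if "docguard" in proc and port in SPEAGLE_PORTS and dest not in AUTHORIZED_DOCGUARD:
        if dest in SPEAGLE_C2_IPS or path.startswith(SPEAGLE_C2_PATH):
            return {**base, "campaign": "Infostealer.Speagle", "reason": f"{proc} -> {dest}:{port}{path}"}
    # NWHStealer: contact with a typosquatted distribution domain or any subdomain of it.
    if any(dest == d or dest.endswith("." + d) for d in NWH_DOMAINS):
        return {**base, "campaign": "NWHStealer", "reason": f"{proc} -> {dest}"}
    return None

def scan(lines):
    return [h for h in map(classify, lines) if h]

# Constructed sample: authorized DocGuard diagnostics, Speagle C2, typosquat contact, benign.
SAMPLE = [
    "2026-04-18T09:00:01Z ws01 DocGuardClient.exe POST http://docguard.corp.example:8090/CDGServer3/CDGClientDiagnostics",
    "2026-04-18T09:00:05Z ws01 DocGuardClient.exe POST http://222.222.254.165:8090/CDGServer3/CDGClientDiagnostics",
    "2026-04-18T09:02:10Z ws07 chrome.exe GET https://www.get-proton-vpn.com/download",
    "2026-04-18T09:03:00Z ws07 chrome.exe GET https://proton.me/vpn",
]

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['ts']} {h['host']} {h['campaign']}: {h['reason']}")
```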
Detection Engineering
Sigma Rules
---
title: Potential Speagle Infostealer C2 Communication
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects network connections from Cobra DocGuard processes to C2 infrastructure associated with Infostealer.Speagle.
status: experimental
references:
    - https://www.security.com/blog-post/speagle-cobradocguard-infostealer
author: Security Arsenal
date: 2026/04/18
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|contains: 'DocGuard'
        DestinationPort:
            - 8090
            - 8091
    selection_c2:
        DestinationIp:
            - '222.222.254.165'
            - '60.30.147.18'
    condition: selection and selection_c2
falsepositives:
    - Legitimate Cobra DocGuard traffic to authorized servers
level: high
---
title: Suspicious DLL Sideloading via Launcher_x64.exe
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
description: Detects an unsigned DLL loaded by the Microsoft-signed Launcher_x64.exe, the sideloading technique used by Direct-Sys Loader.
status: experimental
references:
    - https://www.cyderes.com/howler-cell/direct-sys-loader-cgrabber-stealer-five-stage-malware-chain
author: Security Arsenal
date: 2026/04/18
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\Launcher_x64.exe'
        ImageLoaded|endswith: '.dll'
        Signed: 'false'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: NWHStealer Fake VPN Installer Process Creation
id: c3d4e5f6-7890-12bc-def0-3456789012cd
description: Detects processes whose parent command line references known NWHStealer distribution domains.
status: experimental
references:
    - https://securityboulevard.com/2026/04/from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere/
author: Security Arsenal
date: 2026/04/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentCommandLine|contains:
            - 'get-proton-vpn.com'
            - 'vpn-proton-setup.com'
            - 'newworld-helloworld.icu'
    condition: selection
falsepositives:
    - Legitimate VPN software installation
level: medium
KQL (Microsoft Sentinel)
// Hunt for NWHStealer and Direct-Sys Loader network indicators from the pulse.
// has_any is used for RemoteUrl because the column holds the full URL, so an exact
// in~ match against a bare domain would miss every hit.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("get-proton-vpn.com", "vpn-proton-setup.com", "sinixproduction.com", "evasivestars.com", "attackzombie.com")
    or RemoteIP in ("111.90.145.139", "160.30.128.96", "83.217.209.88", "185.225.17.176")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| extend ThreatIntel = "OTX Pulse Match"
PowerShell Hunt Script
# IOC hunt for Speagle file hashes and NWHStealer domains (indicators from the pulse)
$SpeagleHashes = @(
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877",
    "dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d"
)

Write-Host "[+] Scanning for Speagle Infostealer file hashes (full-disk hashing is slow; narrow -Path if needed)..."
# -File skips directories, which Get-FileHash cannot hash; zero-length files are skipped too.
Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        # -contains is case-insensitive, so the uppercase hex from Get-FileHash matches the lowercase IOCs.
        if ($hash -and $SpeagleHashes -contains $hash.Hash) { $_ }
    } |
    Select-Object FullName, LastWriteTime

Write-Host "[+] Checking DNS client cache for NWHStealer domains..."
$Domains = @("get-proton-vpn.com", "coockie.pro", "sinixproduction.com")
# Match the domain itself or any subdomain of it (e.g., www.get-proton-vpn.com).
$DomainPattern = '(^|\.)(' + (($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match $DomainPattern } |
    Select-Object Entry, Data
Response Priorities
- Immediate: Block all listed IP addresses and domains at the firewall and proxy. Isolate endpoints matching the provided file hashes (SHA256/MD5) in EDR solutions. Kill processes communicating on ports 8090/8091 unrelated to legitimate business needs.
- 24h: Initiate credential resets for users potentially impacted by NWHStealer or Speagle, focusing on those with access to sensitive systems or cryptocurrency wallets. Investigate Cobra DocGuard installations for process anomalies.
- 1 week: Review software supply chain integrity, specifically for Cobra DocGuard and unofficial downloads hosted on GitHub. Implement application control policies to block unsigned binaries and DLL sideloading attempts.