New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

Summary

A new malware family named SharkLoader has been identified, acting as a loader for Cobalt Strike Beacon in the StrikeShark campaign. This campaign has targeted diplomatic and government organizations across Indonesia, Taiwan, and other countries, as well as software development companies. The attackers are believed to be Chinese-speaking and are leveraging various known vulnerabilities for initial access, including ProxyLogon and ProxyNotShell.

Full text

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks Ravie LakshmananJun 26, 2026Malware / Windows Security A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts. Kaspersky, which is tracking the activity under the moniker StrikeShark, said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. "The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region," the Russian cybersecurity vendor said. The campaign does not exhibit direct links to any known threat actor or group, although the operators have utilized several open-source post-compromise tools like FScan and Pillager, commonly put to use by Chinese-speaking developers. It's believed that the campaign is the handiwork of a Chinese-speaking threat actor. Attack chains involve the two initial access pathways: the exploitation of known Exchange Server flaws, such as CVE-2021-26855 (aka ProxyLogon), to strike the Indonesian diplomatic entity, or through a path traversal vulnerability impacting Openfire (CVE-2023-32315) in the case of Taiwanese software development organizations, or a critical remote code execution bug in GeoServer (CVE-2024-36401) to target a Colombian organization. Other remote code execution and authentication bypass vulnerabilities weaponized by the threat actor are listed below - Apache Shiro: CVE-2016-4437 Hikvision Products: CVE-2021-36260 Microsoft SharePoint: CVE-2021-27076 Zimbra Collaboration Suite: CVE-2022-27925 Microsoft Exchange Server: CVE-2022-41082 (aka ProxyNotShell) F5 BIG-IP: CVE-2023-46747 Fortinet FortiOS: CVE-2024-21762 React Server Components: CVE-2025-55182 Fortinet FortiOS: CVE-2022-40684 Cisco IOS XE Web UI: CVE-2023-20198 It's assessed that the threat actors are likely employing publicly available proof-of-concept (PoC) exploits hosted on GitHub or other open-source platforms to gain initial access in an opportunistic manner. Upon gaining a foothold, the threat actors establish persistence by deploying web shells to trigger a DLL side-loading chain involving "SystemSettings.exe" (CVE-2021-27076) to deliver SharkLoader ("SystemSettings.dll"). A second method used by StrikeShark to distribute the loader is via custom dropper executables masquerading as legitimate software installers or applications like Google Update and Cisco AnyConnect, and executing the malware loader once the installation process completes. The method by which these droppers are delivered is currently unknown. "In addition to installer-themed lures, several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file," Kaspersky explained. "However, not all samples employ this technique, as some droppers function solely as a delivery mechanism for SharkLoader without presenting any lure content." Once the DLL is loaded, SharkLoader implements what's called Perfect DLL Hijacking, a technique detailed by security researcher Elliot Killick in October 2023, to execute malicious code while bypassing Windows Loader Lock, a system-wide lock held by the operating system when loading and unloading DLLs. Specifically, it's engineered to decrypt and load "DscCoreR.mui," which is then used to decompress and load Cobalt Strike in a new thread created in a suspended state, along with two other components - SyncRes.dat, which installs multiple Windows API hooks by using the Microsoft Detours library to monitor exceptions generated during runtime. MinHook DLL, which installs API hooks for the VirtualAlloc and Sleep functions to copy the decompressed Cobalt Strike Beacon into the allocated memory region using VirtualAlloc. The Sleep-related hook is triggered when the Beacon calls Sleep, likely in an attempt to evade memory scanning techniques that identify executable (RWX) code regions in memory. "Finally, after the API hooks are installed and the Cobalt Strike Beacon shellcode has been written to the thread buffer, the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon," Kaspersky explained. While SharkLoader does not come with persistence mechanisms built into it, the threat actor has been found to leverage Registry Run keys and scheduled tasks as a way to activate the launch of "SystemSettings.exe" either when a user logs in, or even if no user is logged in. The attacks also involve an extensive reconnaissance phase following initial compromise and persistence, with the threat actor engaging in Active Directory enumeration, credential theft by targeting the LSASS process and the NTDS database file, and deploying open-source scanners and information gathering tools like FScan, Searchall, and Pillager. Given the absence of active data exfiltration, it's unclear what the end goals of StrikeShark are. However, the targeting of government and software development organizations suggests a cyber espionage bent with a potential interest in hoovering political intelligence or intellectual property. "At the same time, the use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems," Kaspersky said. "The absence of clear evidence of data exfiltration thus far does not exclude this possibility, as Cobalt Strike’s file operation and data exfiltration modules could be employed at a later stage." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cobalt Strike, cyber espionage, Kaspersky, Malware, Software Development, Vulnerability, Windows Security ⚡ Top Stories This Week Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

• cve — CVE-2021-26855
• cve — CVE-2023-32315
• cve — CVE-2024-36401
• cve — CVE-2016-4437
• cve — CVE-2021-36260
• cve — CVE-2021-27076
• cve — CVE-2022-27925
• cve — CVE-2022-41082
• cve — CVE-2023-46747
• cve — CVE-2024-21762
• cve — CVE-2025-55182
• cve — CVE-2022-40684
• cve — CVE-2023-20198

Entities