[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-cl4520CXF_NyBzciBFovXPiS35DBy3TbpDa1QVhmJ4":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":27,"category":28,"article_tags":32},"71a96ef9-0878-40a0-abcd-a475a62cc27a","StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader","strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkl-8e0acd","Kaspersky researchers analyze a new global campaign dubbed StrikeShark that delivers Cobalt Strike Beacon via custom SharkLoader malware.","Kaspersky researchers have identified a new global campaign named StrikeShark, which deploys Cobalt Strike Beacon using a custom malware called SharkLoader. The campaign targets diplomatic organizations, government entities, and software development companies across various countries, including Indonesia, Taiwan, and Colombia. 
Initial access is gained through exploitation of vulnerabilities in internet-facing applications like Microsoft Exchange, Openfire Server, and GeoServer, as well as via dropper-based delivery.","New StrikeShark campaign uses SharkLoader to deliver Cobalt Strike via exploited internet-facing apps.","Authors: Fareed Radzi. Introduction. During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors. Our investigation revealed that SharkLoader serves as a loader designed to deploy Cobalt Strike Beacon on compromised systems. We observed the threat actor deploying SharkLoader through exploitation of internet-facing applications, including Microsoft Exchange, Microsoft SharePoint, and Openfire Server, as well as through malware-based delivery mechanisms. Beyond the diplomatic entity in Indonesia, we identified related activity targeting government organizations in Taiwan, software development companies across multiple countries, and entities in other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and more. 
The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region. For now, we are tracking this activity as StrikeShark. Although the operators utilize several open-source post-compromise tools associated with Chinese-speaking developers, we have not identified direct code reuse, infrastructure overlap, or operational similarity to confidently attribute the activity to any known APT or cybercrime group. As a result, attribution remains preliminary and the campaign’s ultimate objectives are still under research. Initial infection. Our analysis of SharkLoader intrusions indicates that the threat actor employs multiple methods to gain initial access to victim environments. During our investigation, we observed two primary infection vectors: the exploitation of vulnerabilities in internet-facing applications and the deployment of custom dropper samples, some of which were disguised as legitimate software. Exploitation of public-facing applications. In the incident affecting an Indonesian diplomatic entity, the threat actor exploited Microsoft Exchange vulnerabilities, including CVE-2021-26855 (ProxyLogon), to gain access to the target environment. Similar activity was observed in Taiwan, where software development organizations were compromised through exploitation of Openfire (CVE-2023-32315). In a separate incident affecting a Colombian organization, the threat actor exploited a GeoServer instance vulnerable to CVE-2024-36401. 
Beyond these incidents, we identified additional exploitation activity targeting vulnerabilities in multiple internet-facing enterprise applications and network appliances, including those listed below. Remote Code Execution (RCE): Apache Shiro (CVE-2016-4437); Hikvision Products (CVE-2021-36260); Microsoft SharePoint (CVE-2021-27076); Zimbra Collaboration Suite (CVE-2022-27925); Microsoft Exchange Server (CVE-2022-41082); F5 BIG-IP system (CVE-2023-46747); Fortinet FortiOS (CVE-2024-21762); React Server Components (CVE-2025-55182). Authentication Bypass: Fortinet FortiOS (CVE-2022-40684); Cisco IOS XE Web UI (CVE-2023-20198). As of the time of writing this article, we haven’t obtained the exploits the attackers used. However, based on the vulnerabilities observed across multiple attacks, we assess with medium confidence that the threat actor primarily relies on publicly available proof-of-concept (PoC) exploits to gain initial access. All the vulnerabilities identified during our investigation have publicly available exploit code, including PoCs hosted on GitHub and other open-source platforms, suggesting the actor leverages existing offensive resources rather than developing custom exploit capabilities. The victim profile also indicates that the activity is largely opportunistic, affecting organizations across various industries, regions, and technology environments without a clear focus on a specific target set. One of the IP addresses associated with the C2 domain was also observed conducting internet-wide scanning activity, potentially aimed at identifying and exploiting vulnerable internet-facing systems at scale. Following exploitation, the attacker established persistence on compromised servers through the deployment of webshells. Although we were unable to recover the webshell files, a series of commands observed in our telemetry, together with webshell detection records, strongly indicates their use for post-exploitation activities. 
One of the earliest observed actions involved copying the legitimate Windows application SystemSettings.exe to a new location before executing it (commands as observed, in order): cd C:\\Windows\\ImmersiveControlPanel\\ → copy SystemSettings.exe C:\\ProgramData\\ → cd C:\\ProgramData\\ → SystemSettings.exe. This application was later abused as part of a DLL sideloading chain used to launch SharkLoader, which in this scenario was hidden in the malicious SystemSettings.dll library. We suspect that this DLL, along with the malicious encrypted files we describe below, was uploaded through the webshell to the same directory as SystemSettings.exe. In another case involving the exploitation of CVE-2021-27076, the threat actor launched SystemSettings.exe, triggering the SharkLoader sideloading chain, from several different directories on the system, which suggests renewed operational activity in the victim environment. In some cases they used security product vendor names as directory names, presumably to appear legitimate (commands as observed, in order): cd C:\\ProgramData\\KasperskyLab\\ → dir .\\SystemSettings.exe → cd %APPDATA% → dir → cd kasperskylab → dir .\\SystemSettings.exe. Dropper-based distribution. In several observed cases, the threat actor distributed SharkLoader through custom dropper executables masquerading as legitimate software installers or applications such as Google Update and Cisco AnyConnect. However, the exact delivery mechanism used to distribute these droppers remains unknown. The observed dropper filenames include: GoogleUpdateStepup.exe, AnyConnect-win-4.10.04071-predeploy-k9exe, AutoUpdate.exe, 319-pfd-8001-reva_traitement biologique_master.zip. In one of the samples we analyzed, the threat actor used a legitimate Cisco AnyConnect VPN installer as a lure. 
The custom dropper extracted zlib-compressed data embedded within its resource section, decompressed it into an MSI package, and wrote the file to %APPDATA%\\reports\\AnyConnect-win-4.msi. The MSI package was a legitimate Cisco AnyConnect VPN installer, which was subsequently executed via the ShellExecuteW API, making the user believe the custom dropper was a legitimate application. While the Cisco AnyConnect installer was decompressed and executed, SharkLoader components were silently dropped in the background into directories under %APPDATA% other than %APPDATA%\\reports\\, and the loader was executed once the installation process completed. (Figure: Malicious Cisco Secure Client installer.) In addition to installer-themed lures, several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file. However, not all samples employ this technique, a","https:\u002F\u002Fsecurelist.com\u002Fstrikeshark-campaign\u002F120326\u002F","https:\u002F\u002Fmedia.kasperskycontenthub.com\u002Fwp-content\u002Fuploads\u002Fsites\u002F43\u002F2026\u002F06\u002F24085803\u002FSL-StrikeShark-featured-scaled.jpg","2026-06-24T10:00:03+00:00","2026-06-24T12:00:18.463885+00:00",8,[18,21,23,25],{"name":19,"type":20},"Microsoft Exchange","product",{"name":22,"type":20},"Microsoft SharePoint",{"name":24,"type":20},"Openfire Server",{"name":26,"type":20},"GeoServer","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":27,"icon":29,"name":30,"slug":31},null,"Malware","malware",[33,38,43,45],{"category":34},{"id":35,"icon":29,"name":36,"slug":37},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":39},{"id":40,"icon":29,"name":41,"slug":42},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":44},{"id":27,"icon":29,"name":30,"slug":31},{"category":46},{"id":47,"icon":29,"name":48,"slug":49},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[51,55,58,61,64,67,70,73,76,79,82,85,88],{"type":52,"value":53,"context":54},"cve","CVE-2021-26855","Microsoft Exchange vulnerability exploited for initial access",{"type":52,"value":56,"context":57},"CVE-2023-32315","Openfire Server vulnerability exploited for initial access",{"type":52,"value":59,"context":60},"CVE-2024-36401","GeoServer vulnerability exploited for initial access",{"type":52,"value":62,"context":63},"CVE-2016-4437","Apache Shiro RCE vulnerability",{"type":52,"value":65,"context":66},"CVE-2021-36260","Hikvision Products RCE vulnerability",{"type":52,"value":68,"context":69},"CVE-2021-27076","Microsoft SharePoint RCE vulnerability",{"type":52,"value":71,"context":72},"CVE-2022-27925","Zimbra Collaboration Suite RCE vulnerability",{"type":52,"value":74,"context":75},"CVE-2022-41082","Microsoft Exchange Server RCE vulnerability",{"type":52,"value":77,"context":78},"CVE-2023-46747","F5 BIG-IP system RCE vulnerability",{"type":52,"value":80,"context":81},"CVE-2024-21762","Fortinet FortiOS RCE vulnerability",{"type":52,"value":83,"context":84},"CVE-2025-55182","React Server Components RCE vulnerability",{"type":52,"value":86,"context":87},"CVE-2022-40684","Fortinet FortiOS Authentication Bypass vulnerability",{"type":52,"value":89,"context":90},"CVE-2023-20198","Cisco IOS XE Web UI Authentication Bypass vulnerability"]