Hackers Use Fake Cisco AnyConnect and Google Update Installers to Drop SharkLoader
Security researchers have uncovered a campaign called StrikeShark that uses a custom malware loader named SharkLoader to deploy Cobalt Strike Beacon on compromised Windows systems.
The campaign uses two main entry paths. Attackers exploit known vulnerabilities in internet-facing enterprise software and also distribute fake installers that pretend to be trusted tools such as Cisco AnyConnect and Google Update.
Kaspersky Securelist said SharkLoader was first identified during research into activity affecting a diplomatic organization in Indonesia, before related infections appeared in several other countries and sectors.
What Is SharkLoader?
SharkLoader is a custom loader built to run Cobalt Strike Beacon on infected machines. Cobalt Strike is a legitimate red-team framework, but attackers frequently abuse cracked or unauthorized versions for post-compromise activity.
In the StrikeShark campaign, SharkLoader works through multiple components that decrypt, load, and execute the final implant in memory. This makes the malware harder to detect with tools that rely mainly on files written to disk.
The Hacker News reported that the campaign has affected government organizations, diplomatic entities, software development companies, and other targets across multiple regions.
| Campaign Element | Reported Detail | Defensive Impact |
|---|---|---|
| Campaign name | StrikeShark | Tracks a cluster using SharkLoader and Cobalt Strike. |
| Malware | SharkLoader | Loads Cobalt Strike Beacon on compromised hosts. |
| Lures | Fake Cisco AnyConnect and Google Update installers | Abuses user trust in familiar software names. |
| Technique | DLL side-loading with SystemSettings.exe and SystemSettings.dll | Uses a legitimate Windows binary to launch malicious code. |
| Targets | Government, diplomatic, and software development organizations | Suggests both strategic and opportunistic targeting. |
Fake Installers Help the Malware Look Legitimate
The campaign's social engineering relies on trusted software names. Some droppers use filenames such as GoogleUpdateStepup.exe, AutoUpdate.exe, and AnyConnect-win-4.10.04071-predeploy-k9exe.
In one analyzed case, the dropper embedded a genuine Cisco AnyConnect VPN installer. The legitimate installer ran normally while SharkLoader components were silently written to other directories in the background.
Cyber Security News noted that this creates a convincing illusion for victims because the visible installation completes as expected. The practical check is to verify the signature of the file the user actually launched, not that of the installer it spawns: a valid Cisco signature on the embedded installer says nothing about the wrapper that carried it.
Attackers Also Exploit Known Enterprise Vulnerabilities
StrikeShark does not depend only on fake installers. Researchers also observed attackers exploiting known vulnerabilities in internet-facing applications and network appliances.
Kaspersky listed activity involving Microsoft Exchange, Microsoft SharePoint, Openfire, GeoServer, Fortinet FortiOS, Cisco IOS XE Web UI, F5 BIG-IP, Zimbra, Hikvision products, Apache Shiro, and React Server Components.
This pattern shows why old vulnerabilities remain dangerous. Once a public proof-of-concept exploit exists, attackers can use it against unpatched systems without building new exploit chains from scratch.
SharkLoader Uses DLL Side-Loading
One of the most important techniques in the campaign is DLL side-loading. Attackers abuse the legitimate Windows application SystemSettings.exe to load a malicious DLL named SystemSettings.dll.
The visible executable is a real Windows component, which can make the activity look more normal to security tools and administrators. The malicious logic sits in the DLL loaded beside it.
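A hunting script for the side-loading pattern described above, added here as an example; it is not taken from Kaspersky's report or from SharkLoader itself. It assumes that SystemSettings.exe normally lives under %SystemRoot%\ImmersiveControlPanel and that genuine copies of it and of SystemSettings.dll are Microsoft-signed; the sweep roots are an assumption about common drop locations and should be tuned to your estate.

```powershell
# Added hunting script: not from Kaspersky's report and not part of SharkLoader.
# Assumptions: SystemSettings.exe normally lives under %SystemRoot%\ImmersiveControlPanel,
# and genuine copies of it and of SystemSettings.dll are Microsoft-signed (catalog
# signatures, which Get-AuthenticodeSignature resolves on supported Windows versions).
$ExpectedDir = Join-Path $env:SystemRoot 'ImmersiveControlPanel'

function Test-SystemSettingsSideLoad {
    param(
        # Disk locations to sweep for relocated copies (assumed common drop spots; tune per estate).
        [string[]] $SweepRoots = @($env:ProgramData, $env:PUBLIC, $env:TEMP, "$env:SystemDrive\Users")
    )

    # 1. Running copies first: a live process outside the expected directory is the urgent case.
    $live = Get-CimInstance Win32_Process -Filter "Name = 'SystemSettings.exe'" |
        Where-Object ExecutablePath | ForEach-Object ExecutablePath

    # 2. Then dormant copies on disk under the sweep roots.
    $roots = $SweepRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    $onDisk = Get-ChildItem -Path $roots -Filter 'SystemSettings.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object FullName

    foreach ($exe in (@($live) + @($onDisk) | Where-Object { $_ } | Sort-Object -Unique)) {
        $dir = Split-Path -Parent $exe
        $relocated = $dir.TrimEnd('\') -ne $ExpectedDir.TrimEnd('\')   # string -ne is case-insensitive
        $dll = Join-Path $dir 'SystemSettings.dll'

        # Classify the DLL the exe would pick up from its own directory before any system path.
        $dllStatus = if (-not (Test-Path -LiteralPath $dll)) { 'Absent' } else {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
            if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') { 'MicrosoftSigned' } else { "Untrusted($($sig.Status))" }
        }

        [pscustomobject]@{
            Path      = $exe
            Relocated = $relocated
            SideDll   = $dllStatus
            # A copied exe with a non-Microsoft SystemSettings.dll beside it is the side-loading pattern.
            Verdict   = $(if ($relocated -and $dllStatus -notin @('Absent', 'MicrosoftSigned')) { 'LIKELY SIDE-LOADING' } elseif ($relocated) { 'Review: relocated binary' } else { 'Expected location' })
        }
    }
}

Test-SystemSettingsSideLoad | Format-Table -AutoSize
```

Run it in an elevated session so Win32_Process exposes every process's ExecutablePath. A relocated SystemSettings.exe with no DLL beside it still deserves a look, since the malicious DLL may have been deleted after the beacon was injected; the exe's copy timestamp and the parent process that launched it are the next pivots.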
The Microsoft DLL best practices guidance warns developers about loader behavior, DllMain limitations, and unsafe actions that can create reliability and security risks in DLL loading paths.
Memory Execution Makes Detection Harder
SharkLoader is designed to reduce the number of obvious malware files left behind. It decrypts embedded components and loads them into memory before executing the Cobalt Strike Beacon.
The loader also uses API hooking and other evasion behavior to interfere with visibility. Researchers observed attempts to affect Event Tracing for Windows logging and alter how child processes appear.
Kaspersky's analysis says the malware hooks several Windows APIs and uses direct system calls for some actions, helping it bypass tools that monitor higher-level API activity.
What Happens After Initial Compromise
After gaining access, the attackers perform reconnaissance and credential theft. Observed activity includes system information collection, network discovery, Active Directory enumeration, and credential dumping.
Researchers also saw attempts to dump LSASS memory and extract the NTDS database. These steps can help attackers obtain credentials and move deeper into a Windows domain.
According to The Hacker News, the observed victimology suggests a broad geographic reach rather than a campaign focused on one country or one industry.
Victims and Possible Motivation
Confirmed activity includes a diplomatic entity in Indonesia, government-related entities in Taiwan, and software development companies in Taiwan, Lebanon, and Syria.
Researchers also identified affected organizations in Hong Kong, Colombia, North Macedonia, Nepal, Serbia, and other locations. This mix suggests both targeted and opportunistic behavior.
The targeting of government and software development organizations may point to espionage or intellectual property collection, but researchers have not confirmed the campaign's final objective.
Attribution Remains Unclear
Kaspersky tracks the cluster as StrikeShark but has not linked it directly to a known APT or cybercrime group. The company said it found no clear code reuse, infrastructure overlap, or operational similarity to an established actor.
Some open-source post-compromise tools used in the campaign are associated with Chinese-speaking developers, but that does not prove direct attribution to a known China-linked group.
For defenders, that uncertainty matters less than the technique. The campaign shows how a loader, fake installers, old vulnerabilities, and Cobalt Strike can combine into a serious enterprise intrusion chain.
Indicators Organizations Should Watch
Security teams should treat the following names and behaviors as starting points for investigation. They should also hunt for related process chains, persistence mechanisms, and outbound Cobalt Strike traffic.
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 6a5f9bd0e4a0c385b98cc7b528be53a95ff9c4ccffa8c1f65448ab792a46186 | Sample associated with fake installer delivery activity. As reproduced here the value is 63 hex characters, one short of a valid SHA256; verify it against the original Kaspersky report before loading it into a blocklist. |
| Filename | SystemSettings.exe | Legitimate Windows binary abused for DLL side-loading. |
| Filename | SystemSettings.dll | Malicious DLL loaded through the side-loading chain. |
| Filename | GoogleUpdateStepup.exe | Fake Google Update-themed dropper name observed in reporting. |
| Filename | AnyConnect-win-4.10.04071-predeploy-k9exe | Fake Cisco AnyConnect-themed dropper name observed in reporting. |
Defensive Steps for Security Teams
Organizations should prioritize patching internet-facing applications and network appliances because the attackers rely heavily on known, publicly documented vulnerabilities.
- Patch Microsoft Exchange, SharePoint, Fortinet, Cisco IOS XE, Openfire, GeoServer, F5 BIG-IP, Zimbra, and other exposed systems.
- Restrict public access to administrative consoles and legacy management interfaces.
- Hunt for SystemSettings.exe running from anywhere other than its normal location, %SystemRoot%\ImmersiveControlPanel.
- Search for unexpected SystemSettings.dll files near copied Windows binaries.
- Review scheduled tasks and registry Run keys created around suspicious activity.
- Monitor for Cobalt Strike Beacon traffic and abnormal parent-child process relationships.
- Check whether users executed fake installers or update-themed files from untrusted locations.
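A hunting script for the persistence and credential-theft steps listed above and in the post-compromise section, added here as an example; it is not taken from Kaspersky's report or from SharkLoader. It assumes Sysmon is installed with ProcessAccess (Event ID 10) logging enabled, and its allow-list of processes that may legitimately open lsass.exe is illustrative and must be rebuilt from your own baseline.

```powershell
# Added hunting script: not from Kaspersky's report and not part of SharkLoader.
# Assumptions: Sysmon is installed with ProcessAccess (Event ID 10) logging turned on,
# and the allow-list of processes that may legitimately open lsass.exe is illustrative;
# build your own from baseline data before relying on it.

# Roots from which autoruns are normally expected to run. Anything else is reported for
# review, including bare executable names that resolve through PATH.
$TrustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-TrustedCommand {
    param([string] $Command)
    # Extract the executable from either "C:\dir\app.exe" /args or C:\dir\app.exe /args.
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $TrustedRoots) { if ($exe -like "$root\*") { return $true } }
    return $false
}

function Get-SuspiciousAutoruns {
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -in $metaProps) { continue }   # provider bookkeeping, not autorun entries
            if (-not (Test-TrustedCommand "$($v.Value)")) {
                [pscustomobject]@{ Source = $key; Name = $v.Name; Command = "$($v.Value)" }
            }
        }
    }
    # Scheduled tasks with an executable action (COM-handler actions have no Execute and are skipped).
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -and -not (Test-TrustedCommand $action.Execute)) {
                [pscustomobject]@{
                    Source  = "Task $($task.TaskPath)$($task.TaskName)"
                    Name    = $task.Author
                    Command = "$($action.Execute) $($action.Arguments)".Trim()
                }
            }
        }
    }
}

function Get-LsassAccessEvents {
    param(
        [int] $Hours = 24,
        # Illustrative allow-list only.
        [string[]] $AllowedSources = @("$env:SystemRoot\System32\csrss.exe",
                                       "$env:SystemRoot\System32\wininit.exe",
                                       "$env:SystemRoot\System32\svchost.exe")
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Sysmon writes its fields as <Data Name="...">value</Data>; flatten them into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetImage -notlike '*\lsass.exe') { continue }
        if ($AllowedSources -contains $d.SourceImage) { continue }   # -contains is case-insensitive
        [pscustomobject]@{
            Time          = $e.TimeCreated
            Source        = $d.SourceImage
            GrantedAccess = $d.GrantedAccess   # 0x1010 and 0x1fffff are the masks most often seen with credential dumpers
            CallTrace     = $d.CallTrace
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
Get-LsassAccessEvents  | Format-Table -AutoSize
```

Expect noise on first run: vendor agents under ProgramData and tasks that execute bare names such as powershell.exe will all be reported, which is why the allow-lists are meant to be grown from a clean baseline rather than copied. The in-process ETW patching described earlier only affects the attacker's own process, so it does not suppress the Sysmon ProcessAccess events this script reads, which come from Sysmon's driver and service running elsewhere.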
Why File Reputation Alone Is Not Enough
SharkLoader shows why security teams cannot rely only on whether a visible executable is signed or familiar. A legitimate file can still become part of a malicious loading chain.
Microsoft's DLL guidance notes that DllMain runs under the loader lock, which restricts what a DLL can safely do during initialization; a side-loaded DLL that nonetheless does substantial work at load time, such as decrypting a payload or creating threads, is exactly the behavior that deserves careful review during incident response.
Cyber Security News also highlighted the campaign's combination of fake installers, known vulnerability exploitation, memory execution, and DLL side-loading as the key reason defenders need behavioral monitoring.
The Bigger Lesson From StrikeShark
StrikeShark blends familiar attacker tactics into one campaign. It uses old vulnerabilities, trusted software lures, DLL side-loading, in-memory execution, persistence, reconnaissance, and Cobalt Strike.
That combination makes the campaign relevant to any organization with internet-facing systems or users who install software updates outside managed channels.
The strongest defense is layered. Teams need fast patching, restricted admin exposure, endpoint detection, process-chain monitoring, credential protection, user training, and clear rules for installing software in enterprise environments.
FAQ
SharkLoader is a custom malware loader used in the StrikeShark campaign to deploy Cobalt Strike Beacon on compromised Windows systems. It uses techniques such as DLL side-loading and in-memory execution to reduce detection.
Attackers disguise droppers as trusted installers or updates. In one case, a real Cisco AnyConnect installer ran normally while SharkLoader components were silently dropped in the background.
StrikeShark is the tracking name used by Kaspersky for a campaign involving SharkLoader and Cobalt Strike. It has affected government, diplomatic, software development, and other organizations in multiple countries.
Researchers observed exploitation of known vulnerabilities affecting Microsoft Exchange, Microsoft SharePoint, Openfire, GeoServer, Fortinet FortiOS, Cisco IOS XE Web UI, F5 BIG-IP, Zimbra, Apache Shiro, Hikvision products, and React Server Components.
Organizations should monitor for SystemSettings.exe running from unusual directories, suspicious SystemSettings.dll files, fake installer names, Cobalt Strike traffic, abnormal scheduled tasks, registry Run keys, and signs of DLL side-loading or in-memory execution.