New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks


A newly discovered malware loader called SharkLoader is being used to deploy Cobalt Strike Beacon in a global cyberattack campaign tracked as StrikeShark.

The campaign has targeted diplomatic, government, software development, and other organizations across Asia, Europe, Latin America, and the Middle East. According to a Kaspersky Securelist report, the activity began with an investigation into a diplomatic organization in Indonesia and later expanded to other victims.

Kaspersky says SharkLoader works as a loader for Cobalt Strike, a legitimate red team tool that attackers frequently misuse for command and control, reconnaissance, lateral movement, and follow-on operations.

What Is StrikeShark?

StrikeShark is the name Kaspersky uses for the campaign involving SharkLoader. The company has not tied the operation to any known APT or cybercrime group at this stage.

The victim list includes a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies in several countries, and entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.

The Kaspersky announcement describes the campaign as broad in geography and target type, rather than focused on one country or one industry.

How SharkLoader Gets Into Networks

Kaspersky observed two main infection paths. In some cases, attackers exploited known vulnerabilities in public-facing servers. In others, they used malicious droppers disguised as legitimate software installers.

In the Indonesian diplomatic case, attackers exploited Microsoft Exchange flaws, including CVE-2021-26855, also known as ProxyLogon. In Taiwan, software development organizations were compromised through Openfire servers vulnerable to CVE-2023-32315. In Colombia, one organization was targeted through a GeoServer instance vulnerable to CVE-2024-36401.

The attackers also used droppers that looked like Google Update or Cisco AnyConnect installers. Some samples showed decoy PDF documents to make victims more likely to run the malicious files.

Key Details About the Campaign

Category          | Details
Campaign name     | StrikeShark
Main malware      | SharkLoader
Final payload     | Cobalt Strike Beacon
Targeted sectors  | Diplomatic, government, software development, and other organizations
Targeted regions  | Asia, Europe, Latin America, and the Middle East
Attribution       | No confirmed link to a known APT group

The campaign also involved exploitation attempts against other enterprise and network products. Kaspersky listed flaws affecting Apache Shiro, Hikvision products, Microsoft SharePoint, Zimbra Collaboration Suite, Microsoft Exchange Server, F5 BIG-IP, Fortinet FortiOS, React Server Components, and Cisco IOS XE Web UI.

Kaspersky assesses with medium confidence that the attackers likely rely on publicly available proof-of-concept exploit code. This suggests the group may scan for exposed systems and exploit whatever vulnerable services it finds.

That opportunistic approach increases risk for organizations that leave old vulnerabilities unpatched on internet-facing systems. Even older flaws can remain useful to attackers when servers stay exposed.

How SharkLoader Runs Cobalt Strike

After gaining access, the attackers deploy web shells and use a DLL side-loading chain. One observed chain abused the legitimate Windows application SystemSettings.exe to load the malicious SharkLoader DLL named SystemSettings.dll. The trick relies on normal DLL search order: a copy of the signed executable placed in an attacker-controlled folder resolves the DLL name from its own directory first, so the malicious DLL runs inside a process that carries Microsoft's signature.

SharkLoader then decrypts and loads DscCoreR.mui, which contains an embedded Cobalt Strike Beacon and other components used to support execution. The malware creates a suspended thread, prepares the payload in memory, then resumes the thread to run the beacon.

The loader also uses API hooking to make detection harder. Kaspersky’s technical analysis says SharkLoader uses Microsoft Detours and MinHook to hook Windows APIs, including VirtualAlloc and Sleep.

Why the Malware Is Harder to Detect

SharkLoader uses several methods that can complicate detection. It loads components in memory, uses DLL side-loading, and hooks Sleep so that it can change the protection of the beacon's memory while the beacon waits between check-ins, a sleep-mask style trick that gives scanners looking for executable or readable payload memory less to find during the long idle periods.

  • It abuses legitimate Windows applications to load malicious DLLs.
  • It decrypts embedded components before execution.
  • It runs Cobalt Strike Beacon in memory.
  • It hooks API calls linked to process creation, memory allocation, and sleep behavior.
  • It can support stealthier command execution through Cobalt Strike.

These choices help the attackers reduce obvious disk artifacts and make some memory scanning methods less effective. The campaign also shows that attackers still rely on known tools when those tools remain effective.

The Beacon payload gives operators a powerful post-exploitation framework after SharkLoader completes its job. That can support reconnaissance, lateral movement, command execution, and possible data theft later in the intrusion.

Post-Compromise Activity

Kaspersky observed extensive reconnaissance after the attackers gained access. The activity included Active Directory enumeration, network discovery, process checks, directory listing, and credential-focused activity.

The attackers also used open-source post-compromise tools such as FScan, Searchall, Pillager, and SharpGPOAbuse. Some of these tools are associated with Chinese-speaking developers, but Kaspersky says that evidence is not enough to make firm attribution.

Credential theft attempts targeted the LSASS process and the NTDS database (NTDS.dit, the Active Directory database held on domain controllers). Reading LSASS memory can yield plaintext passwords and password hashes for logged-on users, and a copy of NTDS.dit yields the hashes of every domain account; both help attackers escalate privileges and move deeper into a Windows domain.

Vulnerabilities Used in Observed Attacks

Product or platform                | Vulnerability                          | Observed role
Microsoft Exchange Server          | CVE-2021-26855 (ProxyLogon)            | Initial access against the Indonesian diplomatic entity
Openfire                           | CVE-2023-32315                         | Initial access against Taiwanese software development organizations
GeoServer                          | CVE-2024-36401                         | Initial access against a Colombian organization
Microsoft SharePoint               | CVE-2021-27076                         | Used in activity involving the SystemSettings.exe side-loading chain
Fortinet FortiOS and Cisco IOS XE  | Authentication bypass vulnerabilities  | Listed among flaws targeted in broader activity

The campaign shows why defenders cannot rely only on blocking malware hashes. StrikeShark combines public exploit code, web shells, malicious installers, legitimate Windows binaries, and Cobalt Strike.

That mix allows the attackers to change parts of the intrusion chain while keeping the same general workflow. They can exploit a server, deploy SharkLoader, establish Cobalt Strike access, then use normal administrative commands to move around.

The Kaspersky press statement also stresses regular patching, endpoint detection, and staff awareness as important defenses against this type of campaign.

What Security Teams Should Do Now

Organizations should review exposed Microsoft Exchange, SharePoint, Openfire, GeoServer, Fortinet, F5, Zimbra, Hikvision, Apache Shiro, and Cisco IOS XE systems for known vulnerabilities and suspicious activity.

  • Patch public-facing applications and network appliances as a priority.
  • Search for unusual web shells on exposed servers.
  • Review scheduled tasks and Registry Run keys for suspicious persistence.
  • Investigate unexpected SystemSettings.exe copies outside normal Windows paths.
  • Monitor for suspicious DLL side-loading activity.
  • Watch for unusual outbound traffic linked to Cobalt Strike command-and-control behavior.
  • Review LSASS access, NTDS database access, and unusual Active Directory enumeration.
  • Hunt for renamed installers pretending to be Google Update or Cisco AnyConnect.
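Two of the checklist items above, LSASS access and NTDS database access, are easy to turn into concrete rules. The script below is an added example written for this article, not Kaspersky's code, and runs over constructed Sysmon-style records in the same `Key=Value|Key=Value` form: ProcessAccess events (Event ID 10) where a process opens lsass.exe with memory-read rights, and ProcessCreate events (Event ID 1) whose command line stages NTDS.dit through ntdsutil, vssadmin or diskshadow. The allow-list of processes permitted to touch LSASS is an assumption and deliberately short; in practice it must be tuned to the AV/EDR agents in your estate.

```python
"""
Flag LSASS memory access and NTDS.dit staging over constructed Sysmon-style
records. Example code added for this article; not Kaspersky's code, and the
log format, allow-list and sample records are constructed.
"""
import re

# Process access rights as defined by Windows. 0x1010 and 0x1410 are the
# masks credential dumpers commonly request (QUERY_[LIMITED_]INFORMATION
# plus VM_READ), but any memory right on lsass.exe deserves a look.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumption: a minimal allow-list of system processes. Extend it with your
# AV/EDR binaries after confirming their paths on a known-good host.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Command-line patterns that copy or snapshot the AD database.
NTDS_PATTERNS = [
    (re.compile(r"\bntdsutil\b.*\b(ifm|ac\s+i\s+ntds|activate instance ntds)\b", re.I),
     "ntdsutil IFM / NTDS snapshot"),
    (re.compile(r"\bvssadmin\b.*\bcreate\s+shadow\b", re.I), "vssadmin shadow copy"),
    (re.compile(r"\bdiskshadow\b", re.I), "diskshadow invocation"),
    (re.compile(r"ntds\.dit", re.I), "direct reference to ntds.dit"),
]


def granted_access(value: str) -> int:
    """Sysmon records GrantedAccess as hex text such as 0x1010."""
    return int(value, 16)


def assess_lsass_access(ev: dict):
    """Return a finding string for a suspicious handle to lsass.exe, else None."""
    if ev.get("EventID") != "10":
        return None
    target = ev.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    rights = granted_access(ev.get("GrantedAccess", "0x0"))
    if rights & MEMORY_RIGHTS == 0:
        return None          # handle without memory rights: not a dump attempt
    source = ev.get("SourceImage", "").lower()
    if source in LSASS_READERS_ALLOWED:
        return None
    return f"{source} opened lsass.exe with 0x{rights:04x} (memory rights set)"


def assess_ntds_staging(ev: dict):
    """Return a finding string for a command line that stages NTDS.dit, else None."""
    if ev.get("EventID") != "1":
        return None
    cmd = ev.get("CommandLine", "")
    for pattern, label in NTDS_PATTERNS:
        if pattern.search(cmd):
            return f"{label}: {cmd}"
    return None


def hunt(log_text: str) -> list:
    """Apply both checks to every record and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = dict(p.split("=", 1) for p in line.strip().split("|") if "=" in p)
        for check in (assess_lsass_access, assess_ntds_staging):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry). Record 2 is a relocated
# side-load host reading LSASS memory; record 4 stages NTDS.dit with ntdsutil.
SAMPLE_LOG = r"""
EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF
EventID=10|SourceImage=C:\ProgramData\GoogleUpdate\SystemSettings.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010
EventID=10|SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000
EventID=1|Image=C:\Windows\System32\ntdsutil.exe|CommandLine=ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q
EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c dir C:\Users
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The third record is ignored on purpose: 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION, which Task Manager and similar tools request constantly, so alerting on every LSASS handle produces noise. Keying on the memory rights, and only then on the source image, keeps the rule useful on a busy domain controller.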

Defenders should treat this as both an exploitation and post-compromise problem. Patching stops many entry points, but it does not remove persistence if attackers already deployed web shells or created scheduled tasks.

The safest response is to combine patch management with threat hunting. Systems exposed to the internet deserve special attention because StrikeShark appears to rely heavily on known flaws and publicly available exploit code.

FAQ

What is SharkLoader malware?

SharkLoader is a newly documented malware loader used in the StrikeShark campaign. Its main role is to load and execute Cobalt Strike Beacon on compromised Windows systems.

What is the StrikeShark campaign?

StrikeShark is a cyberattack campaign tracked by Kaspersky. It has targeted diplomatic, government, software development, and other organizations across several regions.

Who is behind StrikeShark?

Kaspersky has not linked StrikeShark to a known APT group. It assesses with low confidence that the operator may be Chinese-speaking, mainly because of the open-source tools used in the campaign.

How does SharkLoader infect systems?

Observed infections relied on exploitation of vulnerabilities in public-facing servers, web shells, DLL side-loading, and malicious droppers disguised as legitimate software installers such as Google Update or Cisco AnyConnect.

How can organizations defend against SharkLoader?

Organizations should patch exposed systems, hunt for web shells, inspect scheduled tasks and Registry Run keys, monitor for DLL side-loading, and investigate suspicious Cobalt Strike-like network activity.
