
SharkLoader Malware Targets Global Entities in StrikeShark Cyberattacks


"The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region," Kaspersky said.

Kaspersky on StrikeShark and the discovery of SharkLoader

Kaspersky reported a newly observed campaign it tracks as StrikeShark that delivers a previously undocumented loader family called SharkLoader. The loader's primary role is to deliver and execute a Cobalt Strike Beacon on compromised hosts. Victims span a diplomatic organization in Indonesia; government organizations in Taiwan; software development companies across multiple countries; and entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.

Initial access: exploited CVEs and opportunistic PoC use

The threat actor uses at least two principal initial access methods. In one case, known Microsoft Exchange Server flaws including CVE-2021-26855 (aka ProxyLogon) were exploited to compromise the Indonesian diplomatic entity. For Taiwanese software development organizations the actor exploited a path traversal vulnerability in Openfire (CVE-2023-32315). A Colombian target was reached via a critical remote code execution bug in GeoServer (CVE-2024-36401).

Kaspersky also lists a wider set of weaponized remote code execution and authentication bypass vulnerabilities used in the campaign: Apache Shiro CVE-2016-4437; Hikvision Products CVE-2021-36260; Microsoft SharePoint CVE-2021-27076; Zimbra Collaboration Suite CVE-2022-27925; Microsoft Exchange Server CVE-2022-41082 (aka ProxyNotShell); F5 BIG-IP CVE-2023-46747; Fortinet FortiOS CVE-2024-21762; React Server Components CVE-2025-55182; Fortinet FortiOS CVE-2022-40684; and Cisco IOS XE Web UI CVE-2023-20198.

Kaspersky assesses the operators are likely leveraging publicly available proof-of-concept exploits hosted on GitHub and other open-source platforms, describing the initial access as opportunistic rather than narrowly targeted.

SharkLoader's technique: Perfect DLL Hijacking and Cobalt Strike deployment

After initial access and the establishment of web shells, the operators trigger a DLL side-loading chain involving "SystemSettings.exe" (Microsoft SharePoint CVE-2021-27076 is implicated) to deliver SharkLoader as "SystemSettings.dll." SharkLoader implements what Kaspersky describes as Perfect DLL Hijacking, a technique detailed by security researcher Elliot Killick in October 2023, to execute code while bypassing the Windows Loader Lock.

Technically, SharkLoader decrypts and loads a resource named "DscCoreR.mui," which is used to decompress and load Cobalt Strike into a new thread created in a suspended state. Two additional components accompany the Beacon: SyncRes.dat, which installs multiple Windows API hooks using the Microsoft Detours library to monitor runtime exceptions; and a MinHook DLL, which hooks VirtualAlloc and Sleep to copy the decompressed Beacon into memory and to evade memory-scanning techniques. Once the Beacon shellcode is placed in the thread buffer, the malware calls ResumeThread to begin execution of the Cobalt Strike Beacon.

Post-compromise behavior: persistence, reconnaissance and toolset

SharkLoader itself contains no built-in persistence. The operators have used Registry Run keys and scheduled tasks to trigger SystemSettings.exe at user logon or even when no user is logged in. Following persistence, Kaspersky observed an extensive reconnaissance phase: Active Directory enumeration, credential theft targeting the LSASS process and the NTDS database file, and deployment of open-source scanners and information-gathering tools including FScan, Searchall, and Pillager.

To date, Kaspersky notes an absence of active data exfiltration. The vendor judges the campaign’s targeting of government and software development organizations to be consistent with cyber espionage intent or an interest in intellectual property. Kaspersky also warns that the current lack of exfiltration does not preclude later use of Cobalt Strike’s file operation and data exfiltration modules.

What this means for technologists, procurement leaders, and governments

  • Technologists and security teams: prioritize detection of web shells, unusual launches of SystemSettings.exe, creation of Registry Run entries and scheduled tasks, and indicators of API hooking in memory. Patch the public-facing applications identified by Kaspersky and hunt for the listed CVE indicators of compromise.
  • Procurement and software teams at targeted companies: validate installers and update channels for tools that could be impersonated (Kaspersky observed custom droppers masquerading as Google Update and Cisco AnyConnect installers) and scrutinize decoy PDF delivery vectors used by some droppers.
  • Governments and diplomatic organizations: note the geographic breadth of targets and the mix of government and software development victims; mitigation actions should include reviewing exposure of Exchange, Openfire, GeoServer and other public-facing services tied to the CVEs Kaspersky listed.
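The detection points in the bullets above (SystemSettings.exe launched from an unexpected path, SystemSettings.dll side-loaded from the same directory, Run-key and scheduled-task persistence) expressed as a small triage script over constructed Sysmon-style events. This is an added illustration, not code from Kaspersky's report; the event records are constructed, and the "normal" install directory of SystemSettings.exe is an assumption to adjust for the environment.

```python
import ntpath

# Assumed normal install location of SystemSettings.exe (not stated in the article).
LEGIT_DIR = r"c:\windows\immersivecontrolpanel"

# Constructed Sysmon-style events for illustration; not indicators from the Kaspersky report.
# id 1 = process create, 7 = image load, 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\ProgramData\Update\SystemSettings.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 7, "image": r"C:\ProgramData\Update\SystemSettings.exe",
     "loaded": r"C:\ProgramData\Update\SystemSettings.dll"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Settings",
     "details": r"C:\ProgramData\Update\SystemSettings.exe"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Settings /tr "C:\ProgramData\Update\SystemSettings.exe" /sc onlogon'},
]


def check_event(ev):
    """Return finding strings for one event; empty list when nothing matches."""
    findings = []
    image = ev.get("image", "").lower()
    loaded = ev.get("loaded", "").lower()
    target = ev.get("target", "").lower()
    details = ev.get("details", "").lower()
    cmdline = ev.get("cmdline", "").lower()
    # 1. SystemSettings.exe executing from anywhere but its normal directory.
    if ev["id"] == 1 and image.endswith(r"\systemsettings.exe") and not image.startswith(LEGIT_DIR):
        findings.append(f"SystemSettings.exe launched from unexpected path: {ev['image']}")
    # 2. Side-loading pattern: SystemSettings.dll resolved from the EXE's own directory.
    if ev["id"] == 7 and loaded.endswith(r"\systemsettings.dll") \
            and ntpath.dirname(loaded) == ntpath.dirname(image):
        findings.append(f"Possible DLL side-load: {ev['loaded']} loaded by {ev['image']}")
    # 3. Run-key persistence whose value points at SystemSettings.exe.
    if ev["id"] == 13 and "\\currentversion\\run\\" in target and "systemsettings.exe" in details:
        findings.append(f"Run key {ev['target']} -> {ev['details']}")
    # 4. Scheduled task created to launch SystemSettings.exe.
    if ev["id"] == 1 and image.endswith(r"\schtasks.exe") and "/create" in cmdline \
            and "systemsettings.exe" in cmdline:
        findings.append(f"Scheduled task creation: {ev['cmdline']}")
    return findings


def triage(events):
    """Run every check over a list of events and collect all findings."""
    return [f for ev in events for f in check_event(ev)]
```

Feed it the process-create, image-load and registry events from a Sysmon or EDR export; the first sample event (the legitimate Settings app launched by Explorer) produces no finding, the other four each produce one.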

StrikeShark’s combination of opportunistic exploitation of public PoCs, a new loader that enables an established commercial post-exploitation framework, and a reconnaissance-heavy post-compromise phase leaves a narrow but distinct set of defenses: patch exposed services, hunt for web shells and abnormal SystemSettings.exe behavior, and monitor for Cobalt Strike Beacon activity. Whether active data exfiltration will follow remains an open and urgent question.

Original reporting: thehackernews.com — New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks