
SharkLoader Targets Global Entities with Cobalt Strike Deployment


CVE-2021-26855 (ProxyLogon) was exploited to gain initial access to a diplomatic entity in Indonesia, part of a wider campaign that researchers at Kaspersky have labeled StrikeShark and that centers on a previously undocumented loader family called SharkLoader.

Exploitation of internet-facing applications and initial access

Kaspersky’s investigation found the threat actor used multiple publicly disclosed vulnerabilities to compromise internet-facing services. Confirmed exploitation includes Microsoft Exchange (CVE-2021-26855), Openfire (CVE-2023-32315) against Taiwanese software vendors, and a GeoServer instance vulnerable to CVE-2024-36401 in Colombia. The researchers also observed attempts against a broad set of other RCE and authentication-bypass vulnerabilities, including Apache Shiro (CVE-2016-4437), Microsoft SharePoint (CVE-2021-27076), Zimbra (CVE-2022-27925), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2024-21762), and others.

Kaspersky assesses with medium confidence that the actor primarily relies on publicly available proof-of-concept exploits. Post-exploitation activity included webshell deployment, command execution (for example copying C:\Windows\ImmersiveControlPanel\SystemSettings.exe to ProgramData), and persistence actions observed in telemetry.

SharkLoader architecture: SystemSettings.dll, DscCoreR.mui and SyncRes.dat

SharkLoader is a multi-component loader whose core behavior is to deploy a Cobalt Strike Beacon. Key components observed include a legitimate SystemSettings.exe executable used for DLL sideloading and a malicious SystemSettings.dll that implements the loader logic. Two encrypted modules—DscCoreR.mui and SyncRes.dat—contain the beacon and the API-hooking machinery.

DscCoreR.mui is encrypted with a Blowfish routine that reads the first 16 bytes of the file as the decryption key; the resulting PE image is reflectively loaded in memory. SyncRes.dat contains an AES-128 key and a 16-byte IV in its first 32 bytes; the remainder is AES-encrypted PE data that is likewise decrypted and reflectively loaded. Both decrypted modules appear packed and are executed in-memory without writing the unpacked payloads to disk.
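As an added illustration (not code from Kaspersky's report or from the loader itself), the following Go program shows how an analyst could triage a captured SyncRes.dat using only the layout described above: take the 16-byte AES-128 key and the 16-byte IV from the first 32 bytes, decrypt the remainder, and check whether the result is a PE image. It assumes CBC chaining with that IV (the write-up gives the key/IV layout but not the mode) and leaves any padding untouched. The sample blob is constructed inside the program with a throwaway key so it runs offline; DscCoreR.mui is not handled because Blowfish is not in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// syncResHeaderLen is the 32-byte prefix described in the write-up:
// a 16-byte AES-128 key followed by a 16-byte IV.
const syncResHeaderLen = 32

// ParseSyncRes splits a SyncRes.dat-style blob into key, IV and ciphertext.
func ParseSyncRes(blob []byte) (key, iv, body []byte, err error) {
	if len(blob) < syncResHeaderLen+aes.BlockSize {
		return nil, nil, nil, errors.New("blob too short for key, IV and one cipher block")
	}
	key, iv, body = blob[:16], blob[16:32], blob[32:]
	if len(body)%aes.BlockSize != 0 {
		return nil, nil, nil, fmt.Errorf("ciphertext length %d is not block-aligned", len(body))
	}
	return key, iv, body, nil
}

// DecryptSyncRes recovers the embedded module.
// Assumption: AES-128-CBC using the header IV; the report does not name the mode.
func DecryptSyncRes(blob []byte) ([]byte, error) {
	key, iv, body, err := ParseSyncRes(blob)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	return plain, nil
}

// LooksLikePE is the sanity check applied to the decrypted buffer: a DOS "MZ"
// stub whose e_lfanew field (offset 0x3c) points at a "PE\0\0" signature.
func LooksLikePE(buf []byte) bool {
	if len(buf) < 0x40 || !bytes.HasPrefix(buf, []byte("MZ")) {
		return false
	}
	off := int(binary.LittleEndian.Uint32(buf[0x3c:0x40]))
	return off+4 <= len(buf) && bytes.Equal(buf[off:off+4], []byte("PE\x00\x00"))
}

// BuildSampleSyncRes constructs a test artifact (not a real sample) by encrypting
// a PE-shaped buffer under the chosen key/IV with the same assumed mode.
func BuildSampleSyncRes(key, iv, module []byte) ([]byte, error) {
	if len(key) != 16 || len(iv) != 16 || len(module)%aes.BlockSize != 0 {
		return nil, errors.New("key and IV must be 16 bytes and the module block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(module))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, module)
	out := append([]byte{}, key...)
	out = append(out, iv...)
	return append(out, ct...), nil
}

// FakeModule returns an 80-byte constructed buffer with just enough PE
// structure to satisfy LooksLikePE: "MZ", e_lfanew = 0x40, "PE\0\0" at 0x40.
func FakeModule() []byte {
	m := make([]byte, 80)
	copy(m, "MZ")
	binary.LittleEndian.PutUint32(m[0x3c:], 0x40)
	copy(m[0x40:], "PE\x00\x00")
	return m
}

func main() {
	key := []byte("0123456789abcdef") // constructed throwaway key
	iv := []byte("fedcba9876543210")  // constructed throwaway IV
	blob, err := BuildSampleSyncRes(key, iv, FakeModule())
	if err != nil {
		panic(err)
	}
	plain, err := DecryptSyncRes(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted %d bytes, PE header present: %v\n", len(plain), LooksLikePE(plain))
}
```

If the decrypted buffer fails LooksLikePE on a real capture, the mode assumption is the first thing to revisit. Because both modules are reported to be packed, a valid MZ/PE header is all this step should be expected to confirm; unpacking is a separate task.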

To avoid loader deadlocks, SharkLoader implements the “Perfect DLL Hijacking” approach (originally described by Elliot Killick) by manipulating undocumented loader structures in ntdll.dll—releasing the loader lock, decrementing LdrpWorkInProgress, and signaling completion—before creating threads from within DllMain.

API hooks, evasions, and Cobalt Strike execution

The SyncRes.dat module installs a wide set of API hooks using Microsoft Detours and a decompressed MinHook library. Hooks of particular note implement PPID (parent process ID) spoofing by intercepting CreateProcessA/CreateProcessW and launching child processes under svchost.exe. Other hooks replace or redirect common APIs to direct syscall stubs (for example OpenProcess, WriteProcessMemory, NtCreateThreadEx) and alter ETW functions (EtwEventWrite, EventWriteEx, EventWrite) to suppress logging.

The loader creates a suspended thread whose entry points are later populated with a zlib-compressed Cobalt Strike Beacon shellcode. VirtualAlloc and Sleep are hooked so the loader can track memory regions used by the beacon and temporarily toggle protections (PAGE_READWRITE ↔ PAGE_EXECUTE_READWRITE) to hinder memory-scanning detection. After the shellcode is written, the suspended thread is resumed and the beacon runs in-memory.

Dropper lures, scheduled tasks and other persistence methods

The campaign employed both exploitation and dropper-based distribution. Droppers were masqueraded as legitimate installers (examples: GoogleUpdateStepup.exe, AnyConnect-win-4.10.04071-predeploy-k9exe, AutoUpdate.exe) and used decoy PDF lures stored under resource names such as TELEMETRY. In a noted sample the dropper extracted a legitimate Cisco AnyConnect MSI into %APPDATA% and executed it while silently installing SharkLoader components into alternate %APPDATA% directories like %APPDATA%\xwreg or %APPDATA%\xgdf.

For persistence the actor used scheduled tasks and registry Run keys. One dropper created two scheduled tasks—named "OneDrive Standalone Update Task-…" and "MicrosoftUpdateTaskUserS-…"—one running every five minutes and a second executed every second then removed to guarantee immediate execution. In other cases the actor created a registry Run key (for example adding "MFUpdate" to HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or a SYSTEM-level scheduled task such as \Microsoft\Windows\Edge\Edgeupdate to run SystemSettings.exe daily.

Victimology, intent and attribution

Kaspersky identified victims across government and private sectors in Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia, including a diplomatic entity in Indonesia and a ministry in Taiwan. Software development companies were specifically noted among targets. The observed mix of opportunistic exploitation of public-facing apps and targeting of government and developers leads Kaspersky to describe the campaign as both broad and technically sophisticated.

Attribution is preliminary: Kaspersky reports no code or infrastructure overlap with known groups, and while several post-exploitation tools used (FScan, Searchall, Pillager) were developed by Chinese-speaking authors, the assessment that StrikeShark is a Chinese-speaking actor is given with low confidence.

What this means for government entities, software developers, and security teams

  • Government entities: prioritize patching exposed services (notably Exchange, SharePoint, Openfire and GeoServer instances) and hunt for webshells and nonstandard scheduled tasks such as "\Microsoft\Windows\Edge\Edgeupdate".
  • Software developers and enterprises: verify installer integrity—this campaign used decoy installers and legitimate MSI execution while dropping background components—and monitor for SystemSettings.exe/SystemSettings.dll sideloading from unexpected locations like %APPDATA%.
  • Security teams: search telemetry for API-hooking indicators (suppressed ETW calls, PPID spoofing behaviors), the two-task deployment pattern, the presence of DscCoreR.mui/SyncRes.dat artifacts in memory, and the C2 domains and hashes published by Kaspersky; additional IoCs are available from Kaspersky’s Intelligence Reporting Service (intelreports@kaspersky.com).
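The persistence and sideloading indicators described above map directly onto hunt logic. The Go program below is an added example (not Kaspersky's detection content) that runs simple rules over constructed telemetry records: SystemSettings.exe executing anywhere other than its shipped location under C:\Windows\ImmersiveControlPanel, scheduled tasks whose names start with either of the two task-name prefixes or the \Microsoft\Windows\Edge\Edgeupdate path, and a Run value named MFUpdate. The Event structure, rule wording and every sample record are assumptions for illustration; real input would be process-creation, task-creation and registry-set events from the endpoint telemetry of choice.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a minimal, constructed telemetry record. In practice these would be
// process-creation, scheduled-task-creation and registry-value-set events.
type Event struct {
	Kind    string // "process", "task" or "runkey"
	Name    string // task name or Run value name (empty for process events)
	Command string // image path (process) or action command line (task, runkey)
}

// legitSystemSettingsDir is where Windows ships SystemSettings.exe; the report
// describes it being copied to ProgramData and %APPDATA% subfolders for sideloading.
const legitSystemSettingsDir = `c:\windows\immersivecontrolpanel\`

// suspiciousTaskPrefixes are the task names reported in the campaign (lower-cased).
var suspiciousTaskPrefixes = []string{
	"onedrive standalone update task-",
	"microsoftupdatetaskusers-",
	`\microsoft\windows\edge\edgeupdate`,
}

func norm(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// sideloadedSystemSettings reports a command that runs SystemSettings.exe from a
// location other than the one Windows installs it in.
func sideloadedSystemSettings(cmd string) bool {
	c := norm(cmd)
	return strings.Contains(c, "systemsettings.exe") && !strings.Contains(c, legitSystemSettingsDir)
}

// Triage applies the rules to each event and returns one finding per rule hit.
func Triage(events []Event) []string {
	var findings []string
	for _, e := range events {
		switch e.Kind {
		case "process":
			if sideloadedSystemSettings(e.Command) {
				findings = append(findings, "sideload: SystemSettings.exe outside ImmersiveControlPanel: "+e.Command)
			}
		case "task":
			n := norm(e.Name)
			for _, p := range suspiciousTaskPrefixes {
				if strings.HasPrefix(n, p) {
					findings = append(findings, "task: name matches reported StrikeShark task: "+e.Name)
					break
				}
			}
			if sideloadedSystemSettings(e.Command) {
				findings = append(findings, "task: action runs relocated SystemSettings.exe: "+e.Name)
			}
		case "runkey":
			if norm(e.Name) == "mfupdate" || sideloadedSystemSettings(e.Command) {
				findings = append(findings, "runkey: "+e.Name+" -> "+e.Command)
			}
		}
	}
	return findings
}

// SampleEvents is constructed test data mixing benign records with the patterns
// from the report; the task-name suffixes are placeholders, not observed values.
func SampleEvents() []Event {
	return []Event{
		{Kind: "process", Command: `C:\Windows\ImmersiveControlPanel\SystemSettings.exe`},
		{Kind: "process", Command: `C:\Users\alice\AppData\Roaming\xwreg\SystemSettings.exe`},
		{Kind: "task", Name: `OneDrive Standalone Update Task-<placeholder>`, Command: `C:\Users\alice\AppData\Roaming\xwreg\SystemSettings.exe`},
		{Kind: "task", Name: `\Microsoft\Windows\Edge\Edgeupdate`, Command: `C:\ProgramData\SystemSettings.exe`},
		{Kind: "task", Name: `\Microsoft\Windows\Defrag\ScheduledDefrag`, Command: `%windir%\system32\defrag.exe -c`},
		{Kind: "runkey", Name: `MFUpdate`, Command: `C:\Users\alice\AppData\Roaming\xgdf\SystemSettings.exe`},
		{Kind: "runkey", Name: `OneDrive`, Command: `C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background`},
	}
}

func main() {
	for _, f := range Triage(SampleEvents()) {
		fmt.Println(f)
	}
}
```

The rules are deliberately narrow so that the legitimate SystemSettings.exe launch and the benign defrag task and OneDrive Run value produce no findings; the "every second, then removed" task in the two-task pattern is short-lived, so task-creation and task-deletion events, not a point-in-time task listing, are the right source for that rule.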

StrikeShark combines opportunistic exploitation of public-facing software with an in-memory loader that delivers Cobalt Strike and implements multiple evasions. Kaspersky’s monitoring suggests the observed incidents may be only a portion of a broader campaign; the investigators’ final assessment leaves both the campaign’s full scope and its ultimate objectives open to further analysis.

Source: Kaspersky — StrikeShark campaign
