SharkLoader Malware Campaign Delivers Cobalt Strike Across Government And Enterprise Networks 

A newly identified cyber campaign has been found deploying a previously undocumented malware family known as SharkLoader, which functions as a loader for delivering Cobalt Strike Beacon on compromised Windows systems. Cybersecurity researchers at Kaspersky are tracking the activity under the name StrikeShark and report that the campaign has affected a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and organizations operating in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. According to the researchers, the broad range of victims indicates that the campaign is not focused on a single industry or geographic region but instead targets organizations across multiple sectors through opportunistic attacks on exposed systems. Although there is no confirmed attribution to a known threat group, Kaspersky believes the campaign is likely operated by a Chinese-speaking threat actor, based on the use of several open-source post-compromise tools that are commonly associated with Chinese-speaking developers.

The investigation found that StrikeShark relies on several initial access methods, each exploiting a publicly known vulnerability in an internet-facing application. The attackers targeted the Indonesian diplomatic organization through the Microsoft Exchange Server ProxyLogon vulnerability, CVE-2021-26855, while software development organizations in Taiwan were compromised using the Openfire path traversal vulnerability tracked as CVE-2023-32315. A Colombian organization was targeted through the GeoServer remote code execution vulnerability CVE-2024-36401. Researchers also identified additional vulnerabilities exploited during the campaign, including flaws affecting Apache Shiro, Hikvision products, Microsoft SharePoint, Zimbra Collaboration Suite, Microsoft Exchange Server ProxyNotShell, F5 BIG-IP, Fortinet FortiOS, Cisco IOS XE Web UI, and React Server Components. Kaspersky believes the operators rely on publicly available proof-of-concept exploits hosted on GitHub and other open-source platforms to gain access to vulnerable systems. Once inside a network, the attackers establish persistence by deploying web shells and triggering a DLL side-loading chain involving SystemSettings.exe, which ultimately loads SharkLoader through a malicious SystemSettings.dll file.

Researchers also discovered that the attackers distribute SharkLoader through custom dropper applications disguised as legitimate software installers, including Google Update and Cisco AnyConnect installers. In several cases, these droppers present decoy PDF documents to convince victims to open the malicious files, while other variants simply function as delivery mechanisms for the malware without displaying any lure content. After execution, SharkLoader uses a technique known as Perfect DLL Hijacking to bypass the Windows Loader Lock and load malicious code into memory. The malware decrypts and loads an additional component named DscCoreR.mui, which is responsible for decompressing and launching Cobalt Strike Beacon in a suspended thread. Additional modules install Windows API hooks using the Microsoft Detours and MinHook libraries to intercept functions such as VirtualAlloc and Sleep. These hooks allow the malware to place the Beacon into allocated memory while attempting to evade the memory scanning technologies commonly used by security products. Once preparation is complete, the malware resumes the suspended thread and activates the Cobalt Strike payload.
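The hooks on VirtualAlloc and Sleep described above are the kind of inline detour that a memory scanner or incident responder can spot by comparing a function's first bytes as mapped in memory against the clean bytes of the same function in the on-disk DLL. The following Python is an added illustration of that check and is not code from Kaspersky or from the article; the function addresses and prologue bytes are constructed sample values, not real Windows binaries, and a real scan would read the bytes from a live process and from a fresh copy of the module on disk.

```python
"""Classify inline (detour-style) hooks on API prologues by diffing the bytes
mapped in memory against the clean bytes of the same function on disk."""
import struct

PROLOGUE_WINDOW = 16  # number of leading bytes compared per function


def classify_prologue(name, address, in_memory, on_disk, window=PROLOGUE_WINDOW):
    """Return a finding describing whether `name` at `address` has been patched.

    `in_memory` are the bytes read from the live process, `on_disk` the bytes of
    the same function taken from the unmodified module file. Only the common
    x64 detour trampolines are decoded; anything else is reported as an
    unknown patch so it still gets triaged."""
    mem = bytes(in_memory[:window])
    ref = bytes(on_disk[:window])
    if mem == ref:
        return {"function": name, "hooked": False, "kind": None, "target": None}

    kind, target = "patched_unknown", None
    if mem[:1] == b"\xE9" and len(mem) >= 5:
        # jmp rel32: target is relative to the end of the 5-byte instruction
        rel = struct.unpack("<i", mem[1:5])[0]
        kind, target = "jmp_rel32", address + 5 + rel
    elif mem[:2] == b"\xFF\x25" and len(mem) >= 6:
        # jmp [rip+disp32]: `target` is the pointer slot, not the final hook code
        disp = struct.unpack("<i", mem[2:6])[0]
        kind, target = "jmp_indirect", address + 6 + disp
    elif mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":
        # mov rax, imm64 ; jmp rax (absolute 64-bit trampoline)
        kind, target = "mov_rax_jmp", struct.unpack("<Q", mem[2:10])[0]
    elif mem[:1] == b"\x68" and mem[5:6] == b"\xC3":
        # push imm32 ; ret (32-bit style trampoline)
        kind, target = "push_ret", struct.unpack("<I", mem[1:5])[0]
    return {"function": name, "hooked": True, "kind": kind, "target": target}


def scan_functions(entries):
    """Run classify_prologue over (name, address, in_memory, on_disk) tuples."""
    return [classify_prologue(*entry) for entry in entries]


# --- Constructed sample data (hypothetical addresses and bytes, not real DLLs) ---
KERNEL32_SLEEP = 0x7FFA12340000
CLEAN_SLEEP = bytes.fromhex("4883EC284C8BC133D2E8000000004883")
# Clean prologue overwritten with `jmp +0xFFB`, landing at address + 0x1000
HOOKED_SLEEP = bytes.fromhex("E9FB0F0000") + CLEAN_SLEEP[5:]

KERNEL32_VIRTUALALLOC = 0x7FFA12345000
CLEAN_VIRTUALALLOC = bytes.fromhex("4C8BDC49895B0849896B104989731841")
# Clean prologue overwritten with `mov rax, 0x7FFA00001000 ; jmp rax`
HOOKED_VIRTUALALLOC = (b"\x48\xB8" + struct.pack("<Q", 0x7FFA00001000)
                       + b"\xFF\xE0" + CLEAN_VIRTUALALLOC[12:])

if __name__ == "__main__":
    for finding in scan_functions([
        ("Sleep", KERNEL32_SLEEP, HOOKED_SLEEP, CLEAN_SLEEP),
        ("VirtualAlloc", KERNEL32_VIRTUALALLOC, HOOKED_VIRTUALALLOC, CLEAN_VIRTUALALLOC),
        ("Sleep (clean)", KERNEL32_SLEEP, CLEAN_SLEEP, CLEAN_SLEEP),
    ]):
        print(finding)
```

A patched prologue is a triage signal rather than a verdict: endpoint security products place their own inline hooks on the same exports, so the decoded jump target should be checked against the loaded module list before it is treated as malicious, and a target that falls in unbacked, executable memory is the case most consistent with the loader behaviour described above.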

Kaspersky also observed that SharkLoader itself does not contain built-in persistence features. Instead, the attackers rely on Registry Run keys and scheduled tasks to launch SystemSettings.exe automatically when a user signs in or even when no user session is active. Following successful compromise, the campaign enters an extensive reconnaissance phase that includes Active Directory enumeration, credential theft targeting the LSASS process and NTDS database, and the deployment of open-source tools such as FScan, Searchall, and Pillager to collect additional information from compromised environments. While researchers have not yet observed active data exfiltration, they believe the campaign displays characteristics commonly associated with cyber espionage, particularly because of its focus on government entities and software development organizations. At the same time, Kaspersky noted that the use of SharkLoader, Cobalt Strike, malicious installers, and exploitation of publicly exposed vulnerabilities also indicates that the operators may opportunistically compromise vulnerable networks, with data collection or exfiltration capabilities potentially being activated during later stages of an intrusion.
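The persistence just described, together with the SystemSettings.exe side-loading chain mentioned earlier, gives defenders three concrete places to look: Run key values, scheduled-task actions, and directories where a copy of SystemSettings.exe sits next to a SystemSettings.dll. The Python below is an added hunting example written for this article, not a Kaspersky or vendor tool; it assumes that the legitimate SystemSettings.exe lives in C:\Windows\ImmersiveControlPanel (adjust for your build), and the registry output, task XML and file listing it parses are constructed samples, not data from a real host.

```python
"""Hunt for Run keys, scheduled tasks and on-disk file pairs that launch
SystemSettings.exe from anywhere other than its legitimate Windows directory."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed legitimate location of SystemSettings.exe on Windows 10/11
LEGIT_SYSTEMSETTINGS_DIR = r"C:\Windows\ImmersiveControlPanel"
TARGET_EXE = "systemsettings.exe"
TARGET_DLL = "systemsettings.dll"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample of `reg query HKCU\...\Run` output (not from a real host)
RUN_KEY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Settings    REG_SZ    C:\Users\Public\Libraries\SystemSettings.exe
"""

# Constructed task definition in the shape `schtasks /query /xml` emits (declaration omitted)
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\ProgramData\Update\SystemSettings.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed directory listing used for the side-load pair check
FILE_LISTING = [
    r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
    r"C:\ProgramData\Update\SystemSettings.exe",
    r"C:\ProgramData\Update\SystemSettings.dll",
    r"C:\ProgramData\Update\decoy.pdf",
]

RUN_VALUE_RE = re.compile(
    r"^[ \t]+(\S+)[ \t]+(REG_SZ|REG_EXPAND_SZ)[ \t]+(.*?)[ \t]*$", re.MULTILINE)


def parse_run_values(text):
    """Return (value name, command line) pairs from `reg query` output."""
    return [(m.group(1), m.group(3)) for m in RUN_VALUE_RE.finditer(text)]


def parse_task_commands(xml_text):
    """Return every <Command> in a scheduled-task XML document."""
    root = ET.fromstring(xml_text)
    return [c.text.strip() for c in root.iter(TASK_NS + "Command") if c.text]


def extract_exe(command):
    """Pull the executable path out of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_rogue_systemsettings(command):
    """True when the command runs SystemSettings.exe from a non-standard directory."""
    exe = PureWindowsPath(extract_exe(command))
    if exe.name.lower() != TARGET_EXE:
        return False
    return str(exe.parent).lower() != LEGIT_SYSTEMSETTINGS_DIR.lower()


def find_sideload_pairs(paths):
    """Directories (lower-cased) holding both the exe and the side-loaded DLL name."""
    by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].add(wp.name.lower())
    return sorted(d for d, names in by_dir.items()
                  if {TARGET_EXE, TARGET_DLL} <= names
                  and d != LEGIT_SYSTEMSETTINGS_DIR.lower())


def hunt(run_text, task_xml, file_listing):
    """Combine the three checks into one list of findings."""
    findings = []
    for name, cmd in parse_run_values(run_text):
        if is_rogue_systemsettings(cmd):
            findings.append({"source": "run_key", "name": name, "command": cmd})
    for cmd in parse_task_commands(task_xml):
        if is_rogue_systemsettings(cmd):
            findings.append({"source": "scheduled_task", "name": None, "command": cmd})
    for directory in find_sideload_pairs(file_listing):
        findings.append({"source": "sideload_pair", "name": None, "command": directory})
    return findings


if __name__ == "__main__":
    for finding in hunt(RUN_KEY_OUTPUT, TASK_XML, FILE_LISTING):
        print(finding)
```

In a real deployment the three inputs come from `reg query` on the HKCU and HKLM Run keys, `schtasks /query /xml` for each task, and a recursive file listing; the same logic also suits a scheduled hunt across many hosts, since the legitimate SystemSettings.exe should only ever run from one directory.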
