StrikeShark Campaign Leverages New SharkLoader Malware to Deploy Cobalt Strike
A new sophisticated cyberattack campaign, dubbed **StrikeShark** by **Kaspersky**, is actively deploying a previously undocumented malware family named **SharkLoader**. This loader is designed to facilitate the deployment of **Cobalt Strike Beacon** on compromised systems, targeting a diverse range of organizations globally, including diplomatic entities, government bodies, and software development firms.
A newly discovered cyberattack campaign is leveraging a bespoke malware loader, **SharkLoader**, to establish persistent access and deploy **Cobalt Strike Beacon** on targeted systems. **Kaspersky**, the cybersecurity firm tracking this activity under the moniker **StrikeShark**, has observed a broad victimology, spanning diplomatic organizations in Indonesia, government entities in Taiwan, and software development companies across various countries, including Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.
"The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region," **Kaspersky** stated in their analysis.
While direct attribution to a specific threat actor remains elusive, the use of open-source post-compromise tools like **FScan** and **Pillager**, commonly favored by Chinese-speaking developers, suggests a potential link to a Chinese-speaking threat actor.
## Initial Access and Exploitation
The **StrikeShark** campaign employs multiple initial access vectors, primarily exploiting known vulnerabilities in public-facing applications. These include:
* **CVE-2021-26855** (ProxyLogon) in **Microsoft Exchange Server**, used against an Indonesian diplomatic entity.
* **CVE-2023-32315**, a path traversal vulnerability in **Openfire**, targeting Taiwanese software development organizations.
* **CVE-2024-36401**, a critical remote code execution (RCE) bug in **GeoServer**, exploited against a Colombian organization.
Other vulnerabilities weaponized by the threat actor include:
* **Apache Shiro**: **CVE-2016-4437**
* **Hikvision Products**: **CVE-2021-36260**
* **Microsoft SharePoint**: **CVE-2021-27076**
* **Zimbra Collaboration Suite**: **CVE-2022-27925**
* **Microsoft Exchange Server**: **CVE-2022-41082** (ProxyNotShell)
* **F5 BIG-IP**: **CVE-2023-46747**
* **Fortinet FortiOS**: **CVE-2024-21762**
* **React Server Components**: **CVE-2025-55182**
* **Fortinet FortiOS**: **CVE-2022-40684**
* **Cisco IOS XE Web UI**: **CVE-2023-20198**
It is believed that the threat actors are opportunistically leveraging publicly available proof-of-concept (PoC) exploits to gain initial access.
## SharkLoader's Delivery and Evasion Techniques
Upon gaining a foothold, the attackers establish persistence by deploying web shells. This often initiates a DLL side-loading chain involving "SystemSettings.exe" (**CVE-2021-27076**) to deliver **SharkLoader** as "SystemSettings.dll".

A secondary distribution method for **SharkLoader** involves custom dropper executables disguised as legitimate software installers, such as **Google Update** or **Cisco AnyConnect**. These droppers execute the malware upon completion of the fake installation process. Some droppers also utilize decoy PDF documents to trick victims into opening the malicious file.
**SharkLoader** implements a technique known as "Perfect DLL Hijacking," detailed by security researcher Elliot Killick in October 2023. This method allows the malware to execute malicious code while bypassing **Windows Loader Lock**, a system-wide lock held by the operating system during DLL loading and unloading operations.
Specifically, **SharkLoader** decrypts and loads "DscCoreR.mui," which then decompresses and loads **Cobalt Strike** in a suspended thread. It also deploys two additional components:
* **SyncRes.dat**: Installs multiple **Windows API** hooks using the **Microsoft Detours** library to monitor runtime exceptions.
* **MinHook DLL**: Installs **API** hooks for **VirtualAlloc** and **Sleep** functions. The **VirtualAlloc** hook copies the decompressed **Cobalt Strike Beacon** into the allocated memory region. The **Sleep**-related hook is triggered when the **Beacon** calls **Sleep**, likely as an anti-memory scanning technique to evade detection of executable (RWX) code regions.
"Finally, after the API hooks are installed and the **Cobalt Strike Beacon** shellcode has been written to the thread buffer, the malware calls the **ResumeThread API** to resume the suspended thread and begin execution of the beacon," **Kaspersky** explained.

## Post-Compromise Activities and Objectives
Although **SharkLoader** itself lacks built-in persistence mechanisms, the threat actors utilize **Registry Run** keys and scheduled tasks to ensure the launch of "SystemSettings.exe" upon user login or even when no user is logged in.
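As an added, defender-side illustration (this is not code from Kaspersky's report or tooling), the following PowerShell script sweeps the two persistence locations described above for any entry that launches SystemSettings.exe from outside its expected directory or with a same-named DLL sitting beside it, which is the side-loading pattern the campaign relies on. The expected-directory path and the treatment of a co-located SystemSettings.dll as suspicious are assumptions made for this example.

```powershell
# Added hunting script (not Kaspersky's tooling). Assumptions: the legitimate
# SystemSettings.exe lives under $env:windir\ImmersiveControlPanel, and any
# Run-key or scheduled-task entry that launches a copy elsewhere, or that has a
# SystemSettings.dll next to it, deserves triage as a possible SharkLoader side-load.
$expectedDir = Join-Path $env:windir 'ImmersiveControlPanel'
$findings = @()

function Test-SuspiciousLaunch {
    param([string]$Source, [string]$CommandLine)
    if ($CommandLine -notmatch 'SystemSettings\.exe') { return }
    # Pull the executable path out of the command line (quoted or bare form).
    $exe = if ($CommandLine -match '"([^"]*SystemSettings\.exe)"') { $Matches[1] }
           elseif ($CommandLine -match '(\S*SystemSettings\.exe)') { $Matches[1] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $dir = Split-Path -Parent $exe
    $reasons = @()
    # -ne is case-insensitive in PowerShell, so path casing does not matter here.
    if ($dir -and ($dir -ne $expectedDir)) { $reasons += "runs from unexpected directory '$dir'" }
    if ($dir -and (Test-Path (Join-Path $dir 'SystemSettings.dll'))) { $reasons += 'SystemSettings.dll present beside executable' }
    if ($reasons.Count -gt 0) {
        $script:findings += [pscustomobject]@{ Source = $Source; Command = $CommandLine; Reason = ($reasons -join '; ') }
    }
}

# 1. Registry Run keys (machine-wide and the current user's hive).
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds to the object.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name) {
        Test-SuspiciousLaunch -Source "$key\$name" -CommandLine ([string]$props.$name)
    }
}

# 2. Scheduled tasks, which cover launches that happen with no user logged in.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)"
        Test-SuspiciousLaunch -Source "Task $($task.TaskPath)$($task.TaskName)" -CommandLine $cmd
    }
}

$findings | Format-Table -AutoSize
```

Run it elevated so HKLM and every scheduled task are readable; an empty table means no entry matched the two heuristics, not that the host is clean.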
Following initial compromise and persistence, the attacks involve an extensive reconnaissance phase. The threat actors engage in **Active Directory** enumeration, credential theft by targeting the **LSASS** process and the **NTDS** database file, and deploy open-source scanners and information-gathering tools like **FScan**, **Searchall**, and **Pillager**.
The ultimate goals of the **StrikeShark** campaign remain somewhat unclear due to the absence of active data exfiltration observed so far. However, the targeting of government and software development organizations strongly suggests a cyber espionage motive, potentially aiming for political intelligence or intellectual property theft.
"At the same time, the use of **SharkLoader** and **Cobalt Strike**, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems," **Kaspersky** concluded. "The absence of clear evidence of data exfiltration thus far does not exclude this possibility, as **Cobalt Strike**'s file operation and data exfiltration modules could be employed at a later stage."