A newly identified cyberattack operation has been spotted distributing a previously unknown malware family known as SharkLoader. This malware functions as a loader, designed to deliver Cobalt Strike Beacon onto infected machines.
Kaspersky, tracking the operation under the name StrikeShark, reported that the campaign has focused on a diplomatic body in Indonesia, government agencies in Taiwan, software development firms spanning several countries, and various other organizations based in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.
“The victim profile indicates an operation with a wide geographic scope and a broad range of targets, rather than a concentrated focus on a particular industry or region,” the Russian cybersecurity firm stated.
While no direct connections to any recognized threat actor or group have been identified, the operators have leveraged multiple open-source post-exploitation tools such as FScan and Pillager — tools frequently associated with Chinese-speaking developers. It is suspected that the operation is being carried out by a Chinese-speaking threat actor.
The attack chains rely on exploiting well-known vulnerabilities in internet-facing applications for initial access: CVE-2021-26855 (also known as ProxyLogon) in Microsoft Exchange Server was used to compromise the Indonesian diplomatic entity; a path traversal flaw in Openfire (CVE-2023-32315) was used against Taiwanese software development organizations; and a critical remote code execution vulnerability in GeoServer (CVE-2024-36401) was used to strike a Colombian organization.
Additional remote code execution and authentication bypass weaknesses exploited by the threat actor include the following —
It is believed that the threat actors are likely leveraging publicly accessible proof-of-concept (PoC) exploits hosted on GitHub or similar platforms to gain initial entry on an opportunistic basis. After securing access, the actors set up persistence by deploying web shells that initiate a DLL side-loading sequence exploiting “SystemSettings.exe” (CVE-2021-27076), which delivers SharkLoader (“SystemSettings.dll”).

An alternative distribution method used by StrikeShark involves specially crafted dropper executables disguised as authentic software installers or commonly trusted applications such as Google Update and Cisco AnyConnect. The malicious loader executes once the fake installation wraps up. How these droppers reach victims remains unclear at this time.
“Beyond installer-based lures, certain SharkLoader droppers also employ convincing PDF documents to trick victims into opening the harmful file,” Kaspersky noted. “That said, not every sample uses this approach — some droppers serve purely as a vehicle for delivering SharkLoader without showing any deceptive content at all.”
Once the DLL is loaded, SharkLoader employs a method known as Perfect DLL Hijacking — a technique previously outlined by security researcher Elliot Killick in October 2023 — to run malicious code while circumventing the Windows Loader Lock, a system-level mechanism maintained by the operating system during the loading and unloading of DLL libraries.
More specifically, the malware is designed to decrypt and activate “DscCoreR.mui,” which in turn is used to decompress and inject Cobalt Strike into a newly created thread in a suspended state. Two additional components are also involved —
- SyncRes.dat, which places multiple Windows API hooks using the Microsoft Detours library to monitor exceptions that arise during execution.
- MinHook DLL, which sets up API hooks targeting the VirtualAlloc and Sleep functions. It utilizes VirtualAlloc to write the decompressed Cobalt Strike Beacon into a memory region. The Sleep hook activates whenever the Beacon invokes Sleep, likely as a means of sidestepping memory scanning techniques that flag executable (RWX) code regions within memory.
“Finally, after the API hooks are installed and the Cobalt Strike Beacon shellcode has been written to the thread buffer, the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon,” Kaspersky explained.
Although SharkLoader itself does not contain built-in persistence mechanisms, the threat actor has been observed using Registry Run keys and scheduled tasks to launch “SystemSettings.exe” both when a user signs in and when the system is sitting unattended with no user logged on.
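As an added defensive check, not code from Kaspersky's report or from the StrikeShark tooling, the following PowerShell enumerates the two persistence locations named above (Run keys and scheduled tasks) for a SystemSettings.exe launched from outside its legitimate directory and reports whether a side-loadable SystemSettings.dll sits beside it; it assumes the legitimate binary's home is %SystemRoot%\ImmersiveControlPanel and that it is run with administrative rights.

```powershell
# Added example (not from Kaspersky's report): hunt for the persistence described above,
# i.e. Run keys or scheduled tasks that launch SystemSettings.exe from a non-standard
# directory, where SharkLoader's SystemSettings.dll would be placed for side-loading.
# Assumption: the legitimate binary lives in %SystemRoot%\ImmersiveControlPanel.
$LegitDir = Join-Path $env:SystemRoot 'ImmersiveControlPanel'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
function Get-ExePath([string]$CommandLine) {
    # Pull the executable out of a quoted or unquoted command line.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"([^"]+\.exe)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+\.exe)')    { return $Matches[1] }
    return $null
}
function Test-SystemSettingsPersistence([string]$Source, [string]$CommandLine) {
    # Emit a finding only for SystemSettings.exe outside its legitimate directory.
    $exe = Get-ExePath $CommandLine
    if (-not $exe -or (Split-Path $exe -Leaf) -ne 'SystemSettings.exe') { return }
    $dir = Split-Path $exe -Parent
    if ($dir -and $dir.TrimEnd('\') -eq $LegitDir) { return }
    $dll = if ($dir) { Join-Path $dir 'SystemSettings.dll' } else { $null }
    [pscustomobject]@{
        Source      = $Source
        CommandLine = $CommandLine
        SideloadDll = [bool]($dll -and (Test-Path -LiteralPath $dll))   # DLL staged beside the EXE?
    }
}
$findings = @(
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            # skip the registry provider's own metadata properties
            if ($name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            Test-SystemSettingsPersistence "Run: $key\$name" ([string]$props.$name)
        }
    }
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $cmd = '"{0}" {1}' -f $action.Execute, $action.Arguments
            Test-SystemSettingsPersistence "Task: $($task.TaskPath)$($task.TaskName)" $cmd
        }
    }
)
if ($findings) { $findings | Format-Table -AutoSize } else { "No SystemSettings.exe autostarts outside $LegitDir found." }
```

A hit with SideloadDll set to True matches the side-loading chain the article describes and warrants collecting that DLL for analysis; a hit without the DLL still deserves a look, since the Registry Run key or task alone is the anomaly.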
Following initial access and the establishment of persistence, the attacks also entail an extensive reconnaissance phase. The threat actor conducts Active Directory enumeration, steals credentials by targeting the LSASS process and the NTDS database file, and deploys open-source scanning and information-gathering utilities such as FScan, Searchall, and Pillager.
Given the lack of active data exfiltration so far, StrikeShark’s ultimate objectives remain uncertain. However, the focus on government entities and software development companies points toward cyber espionage, with a possible interest in harvesting political intelligence or proprietary technology.
“At the same time, the deployment of SharkLoader alongside Cobalt Strike, combined with the exploitation of internet-facing applications and the use of malicious installers and droppers, suggests the attacker may also be casting a wide net and hitting vulnerable systems opportunistically,” Kaspersky stated. “The current absence of observable data theft does not rule out this scenario entirely, as Cobalt Strike’s file manipulation and data exfiltration modules could be activated at a later time.”