SharkLoader infection chain observed in the StrikeShark campaign | Image: Kaspersky Labs
At a glance
| Field | Detail |
|---|---|
| Malware family | SharkLoader (loader) delivering Cobalt Strike Beacon |
| Threat actor | StrikeShark; unattributed, suspected Chinese-speaking (low confidence) |
| Targets | Government, diplomatic, and software firms across Asia, Latin America, Europe, and the Middle East |
| Delivery | Exploited internet-facing apps and fake installer droppers |
| Key capabilities | DLL sideloading, in-memory beacon, API hooking, ETW blinding, PPID spoofing, credential theft |
| Source | Kaspersky GReAT (Securelist) |
TL;DR
Kaspersky uncovered a global campaign it calls StrikeShark. The actor uses a previously undocumented loader, SharkLoader, to deploy a Cobalt Strike Beacon in memory. Victims span government, diplomatic, and software firms across at least nine countries.
What SharkLoader does
SharkLoader is a previously undocumented malware loader. Its job is direct: drop a Cobalt Strike Beacon into memory. Kaspersky’s GReAT team first found it inside a diplomatic network in Indonesia. That single case soon grew into a wider campaign. Researchers then traced more infections across Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.
Delivery
The actor used two main entry routes. First, it exploited internet-facing applications. Observed targets include Microsoft Exchange via ProxyLogon (CVE-2021-26855), Openfire (CVE-2023-32315), and GeoServer (CVE-2024-36401); all three flaws have public exploit code. Kaspersky assesses with medium confidence that the group relies on public proof-of-concept exploits rather than its own. Second, the actor spread droppers disguised as trusted software. Lures imitated Google Update and Cisco AnyConnect installers. Some droppers opened a decoy PDF to hold the victim's attention while SharkLoader components landed in the background.
Infection chain
SharkLoader hides behind trusted Windows files. The dropper copies a legitimate, signed application to disk, then places a malicious DLL beside it so the application sideloads the DLL through normal search-order resolution. That DLL uses a technique the researchers call “Perfect DLL Hijacking” to run its payload from DllMain without being constrained by the Windows loader lock. From there, it decrypts and loads encrypted modules straight into memory. One module carries the Cobalt Strike Beacon. Another installs dozens of Windows API hooks. Because the malicious modules sit on disk only in encrypted form and are decrypted in memory, file-based scanners have little to match on.
Command-and-control and evasion
The final payload is a Cobalt Strike Beacon. It gives the attacker remote control, reconnaissance, and lateral movement. SharkLoader also works hard to stay hidden. It hooks Windows event-logging (ETW) functions in the infected process so that telemetry from that process never reaches monitoring tools. It spoofs parent process IDs, so malicious child processes appear to be spawned by a trusted system process. During beacon sleep, it flips the beacon's memory permissions to dodge memory scans that look for executable, unbacked regions. After gaining a foothold, the actor ran reconnaissance and stole credentials from process memory (LSASS) and from the Active Directory database (NTDS.dit). Kaspersky reports no clear data theft so far. Even so, the team warns that Cobalt Strike’s exfiltration modules could be used later.
Scale and victims
Kaspersky has not published a precise victim count. Confirmed cases include a government entity in Taiwan and a diplomatic body in Indonesia. Software firms in Taiwan, Lebanon, and Syria also appear. Because the figures come only from Kaspersky telemetry, the real total is likely higher. The target mix looks both strategic (government and diplomatic bodies) and opportunistic (whatever was exposed and unpatched).
Who is behind StrikeShark
Attribution stays preliminary. Kaspersky found no code or infrastructure overlap with any known group. However, several open-source reconnaissance tools used in the campaign were written by Chinese-speaking developers. On that thin basis, the team assesses StrikeShark as “a Chinese-speaking threat actor with low confidence.” Treat that label as suspected, not confirmed; tool choice alone is weak evidence of origin.
How to defend
Patch internet-facing apps quickly, especially the three flaws listed above, and assume any instance that was exposed unpatched may already be compromised. Watch for signed, legitimate binaries that run from user-writable folders and load an unsigned DLL from the same directory; that pairing is the sideloading signature this loader depends on. Flag scheduled tasks and registry keys that mimic update routines. Monitor for tampering with Windows event logging, including endpoints or processes whose event stream goes quiet while they remain active. Restrict and alert on access to credential stores, in particular LSASS memory reads and copies of NTDS.dit. Above all, treat unexpected Cobalt Strike traffic as an active intrusion, not a red-team exercise, until proven otherwise.
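The sideloading layout described in the infection chain above (a legitimate host EXE with a malicious DLL beside it) leaves a recognisable trace in Sysmon Event ID 7 (Image Loaded) records. The following Python is an added example for this page, not code from Kaspersky or the original article, and the file names, paths and events in it are constructed for illustration rather than taken from the campaign. It assumes Sysmon event fields have already been parsed into dictionaries and that `TRUSTED_DIRS` matches your environment's protected install locations.

```python
"""Heuristic DLL-sideloading detector over Sysmon Event ID 7 (Image Loaded) records.

Rule: flag a load when the host process runs outside TRUSTED_DIRS and the DLL it
loads is unsigned and lives in the host process's own directory. That is the
classic search-order sideloading layout (legit EXE + planted DLL side by side).
"""
from pathlib import PureWindowsPath

# Locations a low-privileged attacker normally cannot write to. Loads of
# co-located DLLs from here are expected (plugins, vendor DLLs). Assumption:
# adjust for the environment.
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _parent_dir(path: str) -> str:
    """Directory of a Windows path, normalised to lower case for comparison."""
    return str(PureWindowsPath(path).parent).lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def is_sideload_candidate(event: dict) -> bool:
    """Return True for an Event ID 7 record that matches the sideloading rule.

    Expected keys (Sysmon names): Image (host process), ImageLoaded (module),
    Signed ("true"/"false", refers to the loaded module).
    """
    image = event["Image"]
    loaded = event["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return False
    # A signed DLL beside the EXE is usually the vendor's own; skip it.
    if event.get("Signed", "false").lower() == "true":
        return False
    # Co-located DLLs under protected install dirs are expected.
    if in_trusted_dir(image):
        return False
    return _parent_dir(image) == _parent_dir(loaded)


def find_sideloads(events):
    """Filter a sequence of Event ID 7 dicts down to sideloading candidates."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample records (not indicators from the campaign). Field names
# follow Sysmon Event ID 7; paths and file names are invented for the example.
SAMPLE_EVENTS = [
    {   # signed-looking updater copied to a user-writable dir, unsigned DLL beside it
        "Image": "C:\\Users\\Public\\Updater\\Updater.exe",
        "ImageLoaded": "C:\\Users\\Public\\Updater\\helper.dll",
        "Signed": "false",
    },
    {   # normal system process loading a signed system DLL
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
        "Signed": "true",
    },
    {   # unusual location, but the DLL comes from System32, not the EXE's dir
        "Image": "C:\\Users\\Public\\Tool\\tool.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true",
    },
    {   # vendor plugin in Program Files: co-located and unsigned, but trusted dir
        "Image": "C:\\Program Files\\Vendor\\tool.exe",
        "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll",
        "Signed": "false",
    },
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"sideload candidate: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Only the first constructed record matches. Tune `TRUSTED_DIRS` and add an allow-list for known portable applications before running this at scale, since developer tooling and some installers legitimately load unsigned co-located DLLs; the rule is a triage filter, not a verdict.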