SharkLoader Malware Delivers Cobalt Strike Beacon

A new wave of attacks delivers a previously undocumented malware family called SharkLoader. SharkLoader functions as a loader that deploys Cobalt Strike Beacon on infected machines. Kaspersky has named this campaign StrikeShark.

The campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.

The observed victimology shows an attack with a wide geographical footprint and a diverse set of victims.

Who Is Behind the Attacks?

The SharkLoader Cobalt Strike delivery campaign does not exhibit direct links to any known threat actor. However, the operators have used several open-source post-compromise tools such as FScan and Pillager.

These tools are commonly used by Chinese-speaking developers, so the campaign is believed to be the work of a Chinese-speaking threat actor.

Initial Access: Exploiting Known Vulnerabilities

The following initial access attack chains were used in these attacks:

1. ProxyLogon (CVE-2021-26855): used to compromise the Indonesian diplomatic institution.

2. Openfire (CVE-2023-32315): a path traversal exploited against Taiwanese software development companies.

3. GeoServer (CVE-2024-36401): a remote code execution vulnerability exploited against the Colombian institution.

Other vulnerabilities used by the actors for authentication bypass or remote code execution include:

Apache Shiro Vulnerability (CVE-2016-4437)
Hikvision Vulnerability (CVE-2021-36260)
Microsoft SharePoint Vulnerability (CVE-2021-27076)
Zimbra Vulnerability (CVE-2022-27925)
Microsoft Exchange Server (ProxyNotShell) Vulnerability (CVE-2022-41082)
F5 BIG-IP Vulnerability (CVE-2023-46747)
Fortinet FortiOS Vulnerability (CVE-2024-21762)
React Server Components Vulnerability (CVE-2025-55182)
Fortinet FortiOS Vulnerability (CVE-2022-40684)
Cisco IOS XE Web UI Vulnerability (CVE-2023-20198)

Public proof-of-concept exploits openly available on GitHub and similar open-source sites are likely what the threat actors use for initial exploitation.

Establishing Persistence

After gaining initial entry into the network, the threat actors establish persistence through web shells, which in turn abuse SystemSettings.exe (CVE-2021-27076) to side-load SharkLoader (SystemSettings.dll).

The other method of distributing the loader by StrikeShark involves the following custom executable droppers posing as legitimate installers:

1. Google Update
2. Cisco AnyConnect

These droppers execute the malware loader once the installation process completes. How the droppers themselves are delivered is currently unknown.

The SharkLoader Infection Chain

Once the DLL is loaded, SharkLoader implements what is called Perfect DLL Hijacking. This technique, detailed by security researcher Elliot Killick, executes malicious code while bypassing Windows Loader Lock, a system-wide lock held by the operating system when loading and unloading DLLs.

SharkLoader is engineered to:

1. Decrypt and load DscCoreR.mui.
2. Using DscCoreR.mui, decompress and load Cobalt Strike into a new thread that is spawned in a suspended state.

Apart from the components above, the malware also makes use of the following:

1. SyncRes.dat: installs several hooks on Windows APIs using the Microsoft Detours library and monitors all exceptions thrown at runtime.
2. MinHook DLL: hooks two Windows APIs, VirtualAlloc and Sleep.

The VirtualAlloc hook copies the Cobalt Strike Beacon from the decompressed memory, and the Sleep hook triggers on the call to Sleep made by the Cobalt Strike Beacon.

Finally, after the API hooks are installed and the Cobalt Strike Beacon shellcode has been written to the thread buffer, the malware calls ResumeThread to resume execution of the beacon.

Persistence Mechanisms

While SharkLoader does not come with persistence mechanisms built into it, the threat actor has been found to leverage:

1. Registry Run keys
2. Scheduled tasks

These launch SystemSettings.exe either when a user logs in or, via scheduled tasks, even when no user is logged in.

Post-Compromise Activity

The SharkLoader Cobalt Strike delivery campaign includes an extensive reconnaissance phase following initial compromise and persistence. 

The threat actor engages in:

1. Active Directory enumeration
2. Credential theft by targeting the LSASS process
3. Credential theft by targeting the NTDS database file
4. Deployment of open-source scanners and information gathering tools like FScan, Searchall, and Pillager

What Is the End Goal?

Given the absence of observed data exfiltration, the end goals of StrikeShark are unclear. However, the targeting of government and software development organizations suggests a cyber espionage motive, with a potential interest in gathering political intelligence or intellectual property.

At the same time, the use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems.
The lack of evident data exfiltration so far does not rule out such activity.

The file operation and data exfiltration capabilities of Cobalt Strike can also be used in a subsequent stage of the attack.

What To Do

If you belong to government or any other targeted industry, take these actions:

1. Apply patches for the vulnerabilities listed above.
2. Defend against web shell deployment and DLL side-loading attacks.
3. Check for anomalies in Registry Run keys and scheduled tasks.
4. Look for any suspicious instance of SystemSettings.exe running from an unusual location.
5. Use an EDR with memory scanning to identify Cobalt Strike Beacon in memory.
6. Monitor access attempts to LSASS and NTDS.
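The persistence and detection advice above (Run keys, scheduled tasks, SystemSettings.exe in an unusual location) can be turned into a simple triage check. This is an added example, not code from the page or from Kaspersky; it assumes the legitimate binary lives under C:\Windows\ImmersiveControlPanel and runs over constructed sample records in the shape an export of Run-key values, scheduled task actions and process-creation events might take.

```python
"""Flag SystemSettings.exe referenced or launched from outside its expected directory."""
import re
from pathlib import PureWindowsPath

# Assumed location of the genuine Windows binary (not stated on the page).
EXPECTED_DIR = r"c:\windows\immersivecontrolpanel"
TARGET = "systemsettings.exe"

# Matches a quoted or unquoted absolute Windows path ending in the target binary.
EXE_RE = re.compile(r'"?([a-z]:\\[^"]*?systemsettings\.exe)"?', re.IGNORECASE)

# Constructed sample records: (source, raw text). Values are illustrative only.
SAMPLE_EVENTS = [
    ("run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater="
                r"C:\ProgramData\Update\SystemSettings.exe"),
    ("run_key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive="
                r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("sched_task", r"\Microsoft\Windows\Maintenance\SysCheck action="
                   r'"C:\Users\Public\Libraries\SystemSettings.exe"'),
    ("process", r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe"),
    ("process", r"C:\Users\admin\AppData\Local\Temp\SystemSettings.exe"),
]


def extract_paths(text):
    """Return every SystemSettings.exe path found in a raw record."""
    return [m.group(1) for m in EXE_RE.finditer(text)]


def is_unexpected(path):
    """True when the file is SystemSettings.exe but its parent dir is not the expected one."""
    p = PureWindowsPath(path.lower())
    return p.name == TARGET and str(p.parent) != EXPECTED_DIR


def find_suspicious(events):
    """Return (source, path) pairs for every out-of-place SystemSettings.exe reference."""
    hits = []
    for source, value in events:
        for path in extract_paths(value):
            if is_unexpected(path):
                hits.append((source, path))
    return hits


if __name__ == "__main__":
    for source, path in find_suspicious(SAMPLE_EVENTS):
        print(f"[{source}] unexpected SystemSettings.exe location: {path}")
```

A hit on a Run key or scheduled task is worth more than a process event alone, because it matches the persistence method described above; pair it with a check for a SystemSettings.dll sitting beside the binary.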

The Bottom Line

The SharkLoader campaign, which distributes Cobalt Strike Beacon, is a widespread operation against governments and software development companies. The attackers take advantage of known vulnerabilities and use web shells and DLL side-loading to deliver Cobalt Strike Beacon.

The threat actor is likely Chinese-speaking, opportunistic and meticulous. The final purpose is unknown at the moment, but espionage seems likely.

Check your logs. Patch your systems. And watch for SystemSettings.exe.

FAQ Section

What is SharkLoader?

SharkLoader is a previously undocumented malware family that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.

Who or what is StrikeShark?

StrikeShark is the name Kaspersky has chosen for this campaign. It uses DLL side-loading to deliver SharkLoader and exploits other known vulnerabilities for initial access.

What are the organizations targeted in this cyber attack?

In this cyber attack, the targets included diplomats, heads of state, government offices, software companies, and multiple businesses throughout several countries, meaning that many different sectors are affected.

What exploits are being used by the attackers?

Some of the exploits used by the attackers target the following vulnerabilities: CVE-2024-36401 (GeoServer), CVE-2023-32315 (Openfire), and CVE-2021-26855 (ProxyLogon).

What is Perfect DLL Hijacking?

Perfect DLL Hijacking is a method for executing code from a loaded DLL without being constrained by the Windows Loader Lock. It was introduced by security researcher Elliot Killick.

What should I do if I am in a targeted sector?

Apply patches immediately, monitor for web shells, review Registry Run keys and scheduled tasks, and deploy EDR with memory scanning.

Source: The Hacker News