SharkLoader Malware Strikes Global Targets With Cobalt Strike Payloads
A newly uncovered cyber-espionage campaign dubbed StrikeShark is leveraging a previously undocumented malware loader called SharkLoader to deliver Cobalt Strike Beacon on compromised Windows hosts. Researchers at Kaspersky, who have been tracking the activity, report that the operation has struck a diplomatic organization in Indonesia, government entities in Taiwan, software development firms across multiple geographies, and additional victims in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. The diverse victimology points to a broad, opportunistic campaign rather than a narrowly targeted operation.
While no direct ties to a known threat group have been established, the operators' reliance on open-source post-exploitation tools such as FScan and Pillager, alongside Chinese-language artifacts, strongly suggests the work of a Chinese-speaking APT actor. Initial access is achieved by exploiting a wide arsenal of known vulnerabilities, including ProxyLogon (CVE-2021-26855) against Microsoft Exchange, a path traversal flaw in Openfire (CVE-2023-32315), the GeoServer RCE (CVE-2024-36401), ProxyNotShell (CVE-2022-41082), and several others spanning Apache Shiro, Hikvision, Zimbra, F5 BIG-IP, Fortinet FortiOS, React Server Components, and Cisco IOS XE Web UI. The threat actors are believed to be leveraging public proof-of-concept exploits for opportunistic, large-scale intrusion.
Once inside, the attackers deploy web shells to establish persistence and trigger a DLL side-loading chain through "SystemSettings.exe" (CVE-2021-27076) that ultimately loads SharkLoader disguised as "SystemSettings.dll." A second delivery vector uses custom droppers disguised as legitimate installers for Google Update and Cisco AnyConnect, often bundled with decoy PDF lures to trick victims into executing the payload. Organizations running exposed Exchange, Fortinet, or F5 infrastructure should immediately audit their environments, apply pending patches, and hunt for indicators of compromise associated with SharkLoader and Cobalt Strike Beacon.
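The side-loading step described above (a renamed or relocated "SystemSettings.exe" loading a malicious "SystemSettings.dll") is a pattern a defender can hunt for in image-load telemetry. The script below is an added example, not code from the article or from Kaspersky: it walks constructed Sysmon-style Event ID 7 records and flags any SystemSettings.exe loading SystemSettings.dll from a directory outside an allow-list or without a valid signature. The allow-list of expected directories (`EXPECTED_DIRS`) and the sample events are assumptions made for the example and would need to be adjusted to a given environment.

```python
"""Hunt for the SystemSettings.exe -> SystemSettings.dll side-loading pattern
in Sysmon-style image-load telemetry (Event ID 7).

Added example; the event records are constructed and the field names follow
the Sysmon ImageLoad schema (Image, ImageLoaded, Signed, SignatureStatus).
"""
import ntpath

# Assumption: directories where the legitimate SystemSettings binaries are
# expected. Tune this allow-list per environment (e.g. add WinSxS paths).
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\immersivecontrolpanel",
}

# Constructed sample telemetry: one benign load, two suspicious loads,
# and one unrelated process-creation event (ID 1) that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\SystemSettings.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7,
     "Image": r"C:\ProgramData\Update\SystemSettings.exe",
     "ImageLoaded": r"C:\ProgramData\Update\SystemSettings.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7,
     "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Users\Public\SystemSettings.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": "", "Signed": "true", "SignatureStatus": "Valid"},
]


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def _basename(path: str) -> str:
    return ntpath.basename(_norm(path))


def _dirname(path: str) -> str:
    return ntpath.dirname(_norm(path))


def classify_load(event: dict):
    """Return a reason string when an image-load event matches the
    SystemSettings side-loading pattern, otherwise None."""
    if event.get("EventID") != 7:
        return None
    if _basename(event.get("Image", "")) != "systemsettings.exe":
        return None
    if _basename(event.get("ImageLoaded", "")) != "systemsettings.dll":
        return None

    reasons = []
    if _dirname(event["ImageLoaded"]) not in EXPECTED_DIRS:
        reasons.append("dll loaded from unexpected directory")
    if _dirname(event["Image"]) not in EXPECTED_DIRS:
        reasons.append("host exe running from unexpected directory")
    signed = event.get("Signed", "").lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("dll not validly signed")
    return "; ".join(reasons) or None


def hunt(events):
    """Return (host image, loaded dll, reason) for every suspicious load."""
    findings = []
    for ev in events:
        reason = classify_load(ev)
        if reason:
            findings.append((ev["Image"], ev["ImageLoaded"], reason))
    return findings


if __name__ == "__main__":
    for image, dll, reason in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {reason}")
```

The benign record (signed DLL in an expected directory) produces no finding; the two loads from ProgramData and Users\Public are flagged with the reasons accumulated, so an analyst sees at a glance whether the path, the host binary's location, or the signature status triggered the hit.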
Defenders should treat internet-facing servers as the frontline and validate their exposure using tools like our port scanner to identify vulnerable services and the SSL/TLS checker to verify certificate configurations on Exchange, FortiGate, and BIG-IP appliances. A full privacy checkup can also help surface overlooked weaknesses that opportunistic threat actors like StrikeShark routinely exploit.