Listen to this Post
Introduction:
A previously undocumented malware loader dubbed SharkLoader has emerged as the cornerstone of a sophisticated global cyber-espionage campaign targeting diplomatic entities, government agencies, and software development firms across Asia, Latin America, and Europe. Dubbed “StrikeShark” by Kaspersky’s Global Research and Analysis Team (GReAT), this campaign leverages a cocktail of public CVE exploits, DLL sideloading techniques, and cunningly disguised installers to deliver the infamous Cobalt Strike Beacon—a commercial penetration testing tool that threat actors have weaponized for remote access, reconnaissance, and lateral movement. What began as an isolated incident at a diplomatic organization in Indonesia quickly spiraled into a multi-country operation, exposing the dangerous convergence of opportunistic exploitation and targeted espionage.
Learning Objectives
- Understand the complete attack chain of the StrikeShark campaign, from initial infection vectors to post-exploitation activities.
- Identify the specific CVEs exploited and learn how to audit and harden internet-facing applications against these vulnerabilities.
- Master detection and mitigation strategies, including threat hunting for Cobalt Strike Beacon indicators and implementing robust endpoint monitoring.
- The StrikeShark Attack Chain: From Lure to Beacon
The StrikeShark campaign demonstrates a multi-pronged approach to gaining initial access, blending technical exploitation with social engineering. The attackers employ two primary infection vectors: exploitation of internet-facing applications and malware-laced droppers disguised as legitimate software.
Step 1: Initial Infection
- Exploitation Vector: The threat actor targets known vulnerabilities in public-facing applications such as Microsoft Exchange, Microsoft SharePoint, Openfire Server, and various network appliances. For instance, the Indonesian diplomatic entity was compromised via CVE-2021-26855 (ProxyLogon), while a Colombian organization fell victim to a GeoServer instance vulnerable to CVE-2024-36401.
- Dropper Vector: In other instances, attackers distribute malicious droppers disguised as legitimate installers—most notably Cisco AnyConnect VPN and Google Update utilities. Some samples even display convincing decoy PDF documents, including a technical paper on liquid rocket engine design.
Step 2: SharkLoader Execution
Once executed, SharkLoader establishes persistence through webshells and scheduled tasks that run malicious variations of legitimate Windows applications. The malware employs DLL sideloading with legitimate Windows binaries to load encrypted malicious modules, which then decrypt and load additional components. These components install API hooks to evade detection mechanisms.
Step 3: Cobalt Strike Beacon Deployment
The final stage injects and executes the Cobalt Strike Beacon, granting attackers deep remote access, credential dumping capabilities, and the ability to move laterally across the network. The threat actor conducted extensive reconnaissance and credential theft, including dumping credentials from Windows memory and Active Directory.
Commands for Detection (Linux/Windows)
Linux – Monitor for Suspicious Network Connections:
Monitor for outbound connections to known malicious domains sudo tcpdump -i any -1 'dst host 185.130.5.253' or 'dst host 45.142.212.223' Check for anomalous processes binding to ports sudo netstat -tulpn | grep -E ':(4443|8443|8080)'
Windows – PowerShell Process and Network Investigation:
List processes with network connections
Get-1etTCPConnection | Where-Object { $_.State -eq 'Established' } |
Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
Check for suspicious scheduled tasks
Get-ScheduledTask | Where-Object { $_.TaskName -match "SystemSettings|Update|Google" }
Scan for known SharkLoader file hashes
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue |
Get-FileHash -Algorithm MD5 |
Where-Object { $_.Hash -in @("D98F568496512E4F98670C61C97CB07A", "AA3086BE652C8B20B0B29B2730D57119") }
- The CVE Arsenal: Exploited Vulnerabilities in the Wild
The StrikeShark campaign is notable for its reliance on publicly available exploit code, indicating an opportunistic threat actor that leverages existing offensive resources rather than developing custom zero-days. The list of exploited vulnerabilities spans nearly a decade, covering products from Microsoft, Fortinet, Cisco, F5, Zimbra, Apache, and Hikvision.
Key CVEs Exploited
| CVE | Product | Type |
|–|||
| CVE-2016-4437 | Apache Shiro | Remote Code Execution (RCE) |
| CVE-2021-26855 | Microsoft Exchange (ProxyLogon) | RCE |
| CVE-2021-27076 | Microsoft SharePoint | RCE |
| CVE-2021-36260 | Hikvision Products | RCE |
| CVE-2022-27925 | Zimbra Collaboration Suite | RCE |
| CVE-2022-40684 | Fortinet FortiOS | Authentication Bypass |
| CVE-2022-41082 | Microsoft Exchange Server | RCE |
| CVE-2023-20198 | Cisco IOS XE Web UI | Authentication Bypass |
| CVE-2023-32315 | Openfire | RCE |
| CVE-2023-46747 | F5 BIG-IP | RCE |
| CVE-2024-21762 | Fortinet FortiOS | RCE |
| CVE-2024-36401 | GeoServer | RCE |
| CVE-2025-55182 | React Server Components | RCE |
Hardening Commands
Linux – Vulnerability Scanning with Nuclei:
Install nuclei go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest Scan for specific CVEs nuclei -target https://your-domain.com -t cves/ -id CVE-2021-26855,CVE-2023-32315,CVE-2024-36401
Windows – Exchange Server Hardening (PowerShell):
Check Exchange Server version and update status
Get-ExchangeServer | Format-List Name, AdminDisplayVersion, Build
Verify specific security updates are installed
Get-HotFix | Where-Object { $_.HotFixID -match "KB5003435|KB5001779|KB5000871" }
Disable insecure authentication methods
Set-OrganizationConfig -AdfsIssuer $null
Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -InternalUrl $null
3. DLL Sideloading: The Stealth Mechanism Behind SharkLoader
SharkLoader’s evasion capabilities hinge on DLL sideloading—a technique where a legitimate Windows application loads a malicious DLL by exploiting the Windows DLL search order. The malware disguises its components as ordinary Windows system files and abuses legitimate applications to load itself.
How It Works
- A legitimate executable (e.g.,
SystemSettings.exe) is placed in a directory alongside a malicious DLL (e.g.,SystemSettings.dll). - When the executable runs, Windows loads the malicious DLL instead of the legitimate one due to the search order precedence.
- The malicious DLL decrypts and loads additional payloads, ultimately injecting the Cobalt Strike Beacon into memory.
Detection and Mitigation
Windows – Monitor for DLL Sideloading Activity:
Enable process creation auditing
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
Query Windows Event Log for suspicious DLL loads (Event ID 7)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=7} |
Where-Object { $_.Message -match "SystemSettings.dll|DscCoreR.mui" }
Monitor for unsigned DLLs loaded by signed executables
Get-Process | ForEach-Object {
$proc = $_
$proc.Modules | Where-Object {
-1ot $<em>.FileVersionInfo.FileSigned -and
$</em>.FileName -match ".dll$"
} | Select-Object @{N='Process';E={$proc.Name}}, FileName
}
Group Policy – Restrict DLL Search Order:
Computer Configuration > Administrative Templates > System > Specify Windows DLL search order > Enable > Set to "Check the application directory first, then the system directories"
4. Disguised Droppers: The Social Engineering Front
Beyond technical exploitation, the StrikeShark campaign employs sophisticated social engineering through droppers disguised as legitimate software. The attackers have been observed distributing SharkLoader as:
– Cisco AnyConnect VPN installer
– Google Update utility
– Decoy PDF documents on topics like liquid rocket engine design and biological treatment processes
Detection Strategies
Windows – Monitor for Unauthorized Installer Execution:
Audit for Cisco AnyConnect or Google Update execution from non-standard paths
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
Where-Object {
$<em>.Message -match "anyconnect|googleupdate" -and
$</em>.Message -1otmatch "C:\Program Files|C:\Program Files (x86)"
}
Check for suspicious PDF execution
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} |
Where-Object { $<em>.Message -match ".pdf" -and $</em>.Message -match "cmd|powershell|wscript" }
Linux – YARA Rule for Dropper Detection:
rule SharkLoader_Dropper {
meta:
description = "Detects SharkLoader dropper samples"
author = "Security Team"
date = "2026-06-26"
strings:
$s1 = "Cisco AnyConnect" wide ascii
$s2 = "GoogleUpdate" wide ascii
$s3 = "SystemSettings" wide ascii
$s4 = { 4D 5A 90 00 03 00 00 00 } // MZ header
condition:
uint16(0) == 0x5A4D and (any of ($s1, $s2, $s3))
}
- Cobalt Strike Beacon: The Payload and Its Detection
Cobalt Strike Beacon is a commercial tool designed for adversarial simulation, but in the hands of threat actors, it becomes a powerful post-exploitation framework. The StrikeShark campaign uses Beacon for:
– Command and Control (C2) communication
– Reconnaissance and system mapping
– Credential theft from Windows memory and Active Directory
– Lateral movement across the network
– Potential data exfiltration
Detection Commands
Network-Based Detection (Snort/Suricata):
Detect Cobalt Strike default JA3/S signatures alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"Cobalt Strike Beacon JA3 fingerprint detected"; flow:to_server,established; ja3_hash:["a0e9f5d64349fb13191bc787f7f4b4e2", "72a589da586844d7f0818ce684948eea"]; sid:1000001; rev:1; ) Detect Beacon staging pattern alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"Cobalt Strike Beacon staging pattern"; content:"|00 00 00 BE EF|"; depth:5; sid:1000002; rev:1; )
Windows – Memory Forensics with Volatility:
Dump memory and analyze for Beacon injection volatility -f memory.dump --profile=Win10x64_19041 pslist volatility -f memory.dump --profile=Win10x64_19041 malfind -D ./dump Check for reflective DLL injection indicators volatility -f memory.dump --profile=Win10x64_19041 cmdscan
PowerShell – Hunt for Beacon Artifacts:
Check for named pipes used by Beacon
Get-ChildItem \.\pipe\ | Where-Object { $_ -match "msagent|MSSE|postex" }
Look for suspicious WMI persistence
Get-WmiObject -Class Win32_ProcessStartup |
Where-Object { $_.CommandLine -match "beacon|strike|cobalt" }
Scan for known Beacon mutexes
Get-Mutex | Where-Object { $_ -match "Global\{A1B2C3D4|Global\{E5F6G7H8" }
6. Indicators of Compromise (IOCs) and Threat Hunting
Kaspersky’s investigation has identified specific IOCs that security teams should incorporate into their monitoring frameworks.
File Hashes (MD5)
| File | Hash |
|||
| SystemSettings.exe | `D98F568496512E4F98670C61C97CB07A` |
| SystemSettings.dll | `AA3086BE652C8B20B0B29B2730D57119` |
| DscCoreR.mui | `A514D1BB62D7916475946FE7C07AC0AA` |
| SyncRest.dat | `9CBD560F820C95D7C38342CD558CB5C6` |
Malicious Domains
– `connect-microsoft.com`
– `ms-record.com`
– `ms-record.top`
– `ms-tray.top`
Threat Hunting Queries
Splunk Query:
index=windows (source="WinEventLog:Security" EventCode=4688) [search index=threat_intel domains=".ms-record." OR ".ms-tray."] | stats count by User, Computer, Process_CommandLine | sort -count
ELK/KQL Query:
// Detect process creations with suspicious command lines
EventLogs
| where EventID == 4688
| where ProcessCommandLine contains "SystemSettings.exe"
or ProcessCommandLine contains "GoogleUpdate"
or ProcessCommandLine contains "anyconnect"
| project Timestamp, Computer, User, ProcessCommandLine
// Network connections to malicious domains
NetworkEvents
| where DestinationDomain in ("connect-microsoft.com", "ms-record.com", "ms-record.top", "ms-tray.top")
| project Timestamp, SourceIP, DestinationIP, DestinationDomain
What Undercode Say:
- The commoditization of cyber-espionage – The StrikeShark campaign exemplifies how threat actors are increasingly blending publicly available exploits, off-the-shelf penetration testing tools, and custom malware to achieve sophisticated objectives without developing novel attack techniques. This lowers the barrier to entry for espionage operations.
-
Attribution remains elusive – Despite the use of open-source tools developed by Chinese-speaking developers, Kaspersky has not confidently attributed StrikeShark to any known APT group. This highlights the growing challenge of attribution in an era where threat actors can easily adopt and adapt tools from diverse origins.
The campaign’s dual nature—combining opportunistic exploitation of known vulnerabilities with targeted espionage against diplomatic and government entities—suggests a flexible threat actor capable of pivoting between strategic objectives and tactical gains. The absence of clear data exfiltration evidence thus far does not rule out the possibility of future data theft, as Cobalt Strike’s file operation and exfiltration modules could be deployed at a later stage. Organizations must prioritize patch management for internet-facing applications, enforce robust multi-factor authentication, and deploy comprehensive endpoint detection and response (EDR) solutions capable of detecting the stealthy behaviors exhibited by SharkLoader. The StrikeShark campaign serves as a stark reminder that even well-known vulnerabilities and commercial tools can be repurposed into devastating attack chains when combined with custom loaders and sophisticated evasion techniques.
Prediction:
- +1 The StrikeShark campaign will accelerate the adoption of zero-trust architectures and micro-segmentation in government and enterprise networks, as organizations recognize the inadequacy of perimeter-based defenses against multi-vector attacks.
-
-1 The reliance on public CVE exploits will continue to grow, as threat actors find success in exploiting the significant patch gap that persists in many organizations, particularly in developing nations.
-
-1 We will likely see copycat campaigns leveraging SharkLoader’s techniques or the malware itself, as the StrikeShark playbook becomes a case study for other threat actors seeking to replicate its success.
-
+1 The incident will drive increased collaboration between cybersecurity vendors and government agencies, leading to faster IOC sharing and more coordinated defense strategies against similar campaigns.
-
-1 If left unchecked, the combination of Cobalt Strike’s post-exploitation capabilities and SharkLoader’s stealth could enable threat actors to establish persistent footholds in critical infrastructure, potentially leading to disruptive attacks beyond espionage.
-
+1 The exposure of StrikeShark will prompt software vendors to accelerate patching cycles for the identified CVEs, particularly for older vulnerabilities that have been overlooked.
-
-1 Threat actors may shift to even more sophisticated evasion techniques, including custom reflective loaders and advanced sleep masking, to bypass the detection mechanisms developed in response to this campaign.
▶️ Related Video (84% Match):
https://www.youtube.com/watch?v=EDCjPfddlt4
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mohit Hackernews – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
