New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

What happened

A newly discovered cyberattack campaign is delivering a previously undocumented malware family called SharkLoader to deploy Cobalt Strike Beacon on compromised systems.

Kaspersky is tracking the activity as StrikeShark. The campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and organizations in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.

Researchers said the victimology suggests a broad geographic reach and a diverse target set rather than a campaign focused on one industry or region.

The campaign has not been directly linked to a known threat actor. However, the operators used several open-source post-compromise tools, including FScan and Pillager, that are commonly used by Chinese-speaking developers. Researchers believe the campaign is likely the work of a Chinese-speaking threat actor.

The attackers used multiple initial access paths. In one case, they exploited known Microsoft Exchange Server flaws, including ProxyLogon, to target the Indonesian diplomatic entity. In other cases, they exploited an Openfire path traversal vulnerability against Taiwanese software development organizations and a GeoServer remote code execution flaw against a Colombian organization.

The threat actor also weaponized vulnerabilities affecting Apache Shiro, Hikvision products, Microsoft SharePoint, Zimbra Collaboration Suite, Microsoft Exchange Server, F5 BIG-IP, Fortinet FortiOS, React Server Components, and Cisco IOS XE Web UI.

Researchers assessed that the attackers likely used publicly available proof-of-concept exploits from GitHub or other open-source platforms to gain access opportunistically.

After gaining a foothold, the attackers established persistence by deploying web shells and triggering a DLL side-loading chain involving SystemSettings.exe to load SharkLoader.

A second delivery method involved custom dropper executables disguised as legitimate installers or applications, including Google Update and Cisco AnyConnect. Some droppers also used decoy PDF documents to convince victims to open the malicious file.

Once loaded, SharkLoader decrypts and loads additional components that decompress and execute Cobalt Strike Beacon in memory. The malware uses API hooking techniques to monitor runtime exceptions, copy the Beacon into allocated memory, and evade memory scanning techniques that look for suspicious executable memory regions.

SharkLoader does not include its own persistence mechanism. Instead, the attackers use Registry Run keys and scheduled tasks to launch SystemSettings.exe when a user logs in or even when no user is logged in.

After compromise, the attackers conduct extensive reconnaissance. Observed activity includes Active Directory enumeration, credential theft targeting the LSASS process and the NTDS database file, and use of open-source scanning and information-gathering tools such as FScan, Searchall, and Pillager.

Researchers said there is no clear evidence of active data exfiltration so far. However, the targeting of government and software development organizations suggests a possible cyber espionage objective, including interest in political intelligence or intellectual property.

Who is affected

Government organizations, diplomatic entities, software development companies, and other organizations in the targeted regions may be affected.

The campaign is especially relevant to organizations running exposed or unpatched public-facing applications, including Microsoft Exchange Server, Openfire, GeoServer, SharePoint, Zimbra, F5 BIG-IP, Fortinet FortiOS, Cisco IOS XE Web UI, Apache Shiro, Hikvision products, and React Server Components.

Software development companies should pay particular attention because the campaign’s targeting and post-compromise tooling suggest potential interest in intellectual property, source code, developer environments, and downstream access.

Organizations that detect SharkLoader, Cobalt Strike Beacon, suspicious web shells, unusual SystemSettings.exe execution, Registry Run key persistence, or scheduled tasks tied to this chain should treat affected systems as potentially compromised.

Why CISOs should care

StrikeShark shows how attackers are combining public exploit code, web shells, DLL side-loading, custom loaders, and Cobalt Strike to compromise diverse targets across regions and sectors.

For CISOs, the use of known public-facing application vulnerabilities is the key lesson. Many of the flaws abused in the campaign are not new. The threat actor appears to be using publicly available proof-of-concept exploits opportunistically, which means organizations with exposed, unpatched systems remain attractive targets long after vulnerabilities become public.

The SharkLoader chain also reinforces the importance of detecting behavior beyond the initial exploit. Even if the first access vector varies, the follow-on activity includes web shells, SystemSettings.exe abuse, DLL side-loading, in-memory Cobalt Strike execution, Active Directory enumeration, and credential theft.

The possible espionage angle matters because government and software development targets can hold sensitive political intelligence, source code, credentials, and intellectual property. Even without confirmed data exfiltration, Cobalt Strike gives attackers the ability to conduct file operations and exfiltrate data later.

3 practical actions

  1. Patch and restrict exposed public-facing applications: StrikeShark used vulnerabilities in Exchange Server, Openfire, GeoServer, SharePoint, Zimbra, F5 BIG-IP, Fortinet FortiOS, Cisco IOS XE, Apache Shiro, Hikvision products, and React Server Components. CISOs should prioritize patching exposed systems and restrict administrative access to trusted networks.
  2. Hunt for SharkLoader and Cobalt Strike behavior: The campaign uses web shells, DLL side-loading, SystemSettings.exe, Registry Run keys, scheduled tasks, and in-memory Beacon execution. Security teams should review endpoint, EDR, web server, and Windows event logs for these behaviors.
  3. Review identity exposure after suspected compromise: The attackers performed Active Directory enumeration and targeted LSASS and the NTDS database file for credential theft. Organizations should rotate exposed credentials, inspect domain controller activity, review privileged account usage, and look for lateral movement after any confirmed intrusion.
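The second action above lists the behaviors to hunt for but not how to turn them into checks. The following is an added example, not code from the article or from Kaspersky's report: a small triage pass over exported Sysmon-style events that flags SystemSettings.exe running from an unexpected directory, a DLL side-loaded into it from outside the Windows directory, and Run keys or scheduled tasks whose action launches it. It assumes the legitimate SystemSettings.exe lives in C:\Windows\ImmersiveControlPanel, and every path, SID and DLL name in the sample records is constructed, not an indicator from the campaign.

```python
import ntpath

# Assumption (not stated in the article): the legitimate binary lives here.
LEGIT_DIR = "c:\\windows\\immersivecontrolpanel"
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",)

def _is_system_settings(path):
    return ntpath.basename(path or "").lower() == "systemsettings.exe"

def _in_legit_dir(path):
    return ntpath.dirname(path or "").lower() == LEGIT_DIR

def triage(events):
    """Return (rule_name, event) pairs for events matching the StrikeShark chain."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_create":
            # SystemSettings.exe started from anywhere but its normal directory
            if _is_system_settings(ev["image"]) and not _in_legit_dir(ev["image"]):
                hits.append(("systemsettings_unexpected_path", ev))
        elif kind == "image_load" and _is_system_settings(ev["process"]):
            # Side-loading: the EXE pulls a DLL from outside the Windows directory
            if not ev["loaded"].lower().startswith("c:\\windows\\"):
                hits.append(("systemsettings_dll_sideload", ev))
        elif kind == "registry_set":
            # Run key value that launches SystemSettings.exe at logon
            if any(k in ev["key"].lower() for k in RUN_KEYS) and "systemsettings.exe" in ev["value"].lower():
                hits.append(("run_key_systemsettings", ev))
        elif kind == "task_create" and "systemsettings.exe" in ev["action"].lower():
            # Scheduled task whose action runs SystemSettings.exe (works with no user logged in)
            hits.append(("scheduled_task_systemsettings", ev))
    return hits

# Constructed sample events in a Sysmon-like shape; paths, SID and DLL name are illustrative only.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe"},
    {"type": "process_create", "image": "C:\\Users\\Public\\Libraries\\SystemSettings.exe"},
    {"type": "image_load", "process": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "image_load", "process": "C:\\Users\\Public\\Libraries\\SystemSettings.exe",
     "loaded": "C:\\Users\\Public\\Libraries\\placeholder_sideloaded.dll"},
    {"type": "registry_set", "key": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Settings",
     "value": "C:\\Users\\Public\\Libraries\\SystemSettings.exe"},
    {"type": "task_create", "action": "C:\\Users\\Public\\Libraries\\SystemSettings.exe"},
]

def rule_names(events=SAMPLE_EVENTS):
    """Rule names fired by triage(), in event order; handy for a quick check."""
    return [rule for rule, _ in triage(events)]
```

On real data, feed `triage()` the exported records after mapping your EDR or Sysmon field names onto the keys used here; only the legitimate first and third sample records pass without a hit.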

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.