

Ethical Hacking News

New SharkLoader Malware Uncovered: A Sophisticated Cobalt Strike Deployment Campaign




A highly sophisticated cyberattack campaign has been uncovered, leveraging a previously undocumented malware family called SharkLoader as a loader for deploying the notorious Cobalt Strike Beacon on compromised hosts. This article delves into the details of this campaign and its implications for individuals, organizations, and governments alike.

  • The recently uncovered cyberattack campaign, dubbed StrikeShark by Kaspersky, utilizes a previously undocumented malware family called SharkLoader to deploy the Cobalt Strike Beacon on compromised hosts.
  • The campaign targets multiple sectors and regions, including diplomatic organizations, government bodies, software development companies, and entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.
  • The attackers' motivations and end goals are unclear, but the use of sophisticated techniques and tools suggests a high level of expertise.
  • The campaign uses several initial access vectors: exploitation of known Exchange Server flaws, a path traversal vulnerability in Openfire, and a range of remote code execution and authentication bypass vulnerabilities in other public-facing products.
  • SharkLoader builds on the Perfect DLL Hijacking technique to execute its payload without being constrained by the Windows loader lock.
  • After initial compromise and persistence, the attackers carry out an extensive reconnaissance phase using tools such as FScan, Searchall, and Pillager.




The campaign, dubbed StrikeShark by Kaspersky, has been observed targeting a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities in other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. This spread of victims suggests that the attackers are not confined to a particular region or industry and are instead compromising whichever vulnerable targets they can reach.

The campaign has not been attributed to any known threat actor or group, although the operators use several open-source post-compromise tools such as FScan and Pillager. These tools are written and widely used by Chinese-speaking developers, which leads researchers to suspect a Chinese-speaking threat actor; tool choice on its own, however, is weak evidence for attribution.

Attack chains in this campaign involve two primary initial access pathways: exploitation of known Microsoft Exchange Server flaws, or, in the case of Taiwanese software development organizations, of path traversal vulnerabilities in Openfire. The attackers have also weaponized remote code execution and authentication bypass vulnerabilities in Apache Shiro, Hikvision products, Microsoft SharePoint, Zimbra Collaboration Suite, Microsoft Exchange Server, F5 BIG-IP, Fortinet FortiOS, React Server Components, and the Cisco IOS XE Web UI. The common thread is internet-facing applications, so the patch status and exposure of these products is the first thing for a defender to check.

Upon gaining a foothold on the compromised host, the attackers establish persistence by deploying web shells, which in turn trigger a DLL side-loading chain that ends in SharkLoader. The loader builds on the Perfect DLL Hijacking technique described by security researcher Elliot Killick in October 2023. Windows holds the loader lock, a per-process lock, while DLLs are being loaded and unloaded, which sharply restricts what code running from DllMain can safely do; the technique lets SharkLoader run its payload without being constrained by that lock.

The attackers also distribute the loader through a second method: custom dropper executables that masquerade as legitimate software installers or applications such as Google Update and Cisco AnyConnect. How these droppers are delivered to victims is currently unknown. SharkLoader has also been observed using decoy PDF documents to make the malicious file look legitimate to the person who opens it.

Once the side-loaded DLL is in memory, SharkLoader applies the Perfect DLL Hijacking technique to run its code outside the constraints of the loader lock. It decrypts and loads "DscCoreR.mui", which decompresses the Cobalt Strike Beacon and loads it into a new thread created in a suspended state. Two further components are loaded alongside it: SyncRes.dat, which uses the Microsoft Detours library to install several Windows API hooks that monitor exceptions generated at runtime, and a MinHook-based DLL that hooks the VirtualAlloc and Sleep functions.

The Sleep hook fires whenever the Beacon calls Sleep, most likely to evade memory scanners that look for executable (RWX) code regions while the Beacon is dormant. Once the hooks are installed and the Beacon shellcode has been written to the suspended thread's buffer, the loader calls the ResumeThread API to resume the thread and start the beacon.

After initial compromise and persistence, the attacks involve an extensive reconnaissance phase: Active Directory enumeration, credential theft targeting the LSASS process and the NTDS database file (ntds.dit), and deployment of open-source scanners and information-gathering tools such as FScan, Searchall, and Pillager.
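The two points in the chain above that are most visible in endpoint telemetry are the side-load itself (an unsigned DLL loaded from the same user-writable directory as a dropper posing as Google Update or AnyConnect) and the later credential theft from LSASS. The following Python is an added example of detection logic for those two behaviours, not code from Kaspersky or from the SharkLoader analysis. It runs over a handful of constructed Sysmon-style records (Event ID 7 image load and Event ID 10 process access); the file paths, the list of user-writable directories and the access-mask thresholds are assumptions chosen for illustration.

```python
"""Triage constructed Sysmon-style events for two StrikeShark-like behaviours:
(1) a DLL side-load candidate: an unsigned DLL loaded from the same
    user-writable directory as the process image (Sysmon Event ID 7);
(2) a non-system process reading LSASS memory (Sysmon Event ID 10), the
    access pattern behind credential dumping.
Field names follow Sysmon's schema; the events themselves are constructed
sample data for this example, not telemetry from the campaign."""
import ntpath
import re

# Directories an ordinary user can write to (assumed list for this example).
# A loader dropped beside a copied signed host binary in one of these is the
# classic side-load shape.
USER_WRITABLE = re.compile(
    r"^(c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|c:\\programdata|c:\\windows\\temp|c:\\temp)",
    re.IGNORECASE,
)
# Locations from which legitimate LSASS readers (and system DLLs) are expected.
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64|winsxs)\\", re.IGNORECASE)

# Process access right that a credential dumper needs on lsass.exe.
PROCESS_VM_READ = 0x0010


def is_side_load_candidate(ev):
    """Event ID 7: unsigned DLL loaded from the process's own user-writable directory."""
    if ev.get("EventID") != 7:
        return False
    image = ev["Image"].lower()
    dll = ev["ImageLoaded"].lower()
    same_dir = ntpath.dirname(image) == ntpath.dirname(dll)
    signed = ev.get("Signed", "false").lower() == "true"
    return (same_dir and not signed
            and not SYSTEM_DIRS.match(dll)
            and bool(USER_WRITABLE.match(dll)))


def is_lsass_access(ev):
    """Event ID 10: a process outside System32 opened lsass.exe with VM_READ."""
    if ev.get("EventID") != 10:
        return False
    if ntpath.basename(ev["TargetImage"]).lower() != "lsass.exe":
        return False
    access = int(ev["GrantedAccess"], 16)
    from_system = bool(SYSTEM_DIRS.match(ev["SourceImage"].lower()))
    return bool(access & PROCESS_VM_READ) and not from_system


# Constructed sample events: one side-load, one benign load of the same DLL
# name from System32, one LSASS read by the dropper, one benign LSASS handle.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
]


def triage(events):
    """Return (event index, finding name) pairs for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        if is_side_load_candidate(ev):
            findings.append((i, "dll_sideload_candidate"))
        if is_lsass_access(ev):
            findings.append((i, "lsass_memory_read"))
    return findings


if __name__ == "__main__":
    for idx, name in triage(EVENTS):
        print(f"event {idx}: {name}")
```

In production the events would come from Sysmon or an EDR rather than the inline list, and the LSASS rule needs an allowlist for security products that legitimately read LSASS. The side-load rule deliberately keys on the load itself rather than on a memory scan: with the Sleep hook described above, the Beacon's memory may look benign at the moment a periodic scanner runs, so the image-load and thread-resume telemetry around the loader is the more reliable signal.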

In conclusion, the StrikeShark campaign is a sophisticated example of cyber espionage aimed at government organizations, software development companies, and other sectors. The combination of SharkLoader and Cobalt Strike with exploitation of public-facing applications and malicious installers shows that the attackers are also opportunistic in their choice of vulnerable systems. The end goals of StrikeShark remain unclear, and no active data exfiltration was observed in the reported intrusions, but the campaign nonetheless poses a significant threat to organizations worldwide.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-SharkLoader-Malware-Uncovered-A-Sophisticated-Cobalt-Strike-Deployment-Campaign-ehn.shtml

  • https://thehackernews.com/2026/06/new-sharkloader-malware-deploys-cobalt.html

  • https://gbhackers.com/sharkloader-malware-to-deploy-cobalt-strike/

  • https://cyberwebspider.com/cyber-security-news/sharkloader-malware-fake-installers/

  • https://malwaretips.com/blogs/cobalt-strike-beacon-scam/

  • https://cybersecuritynews.com/hackers-delivering-cobalt-strike-beacon/

  • https://cybersecuritynews.com/mysterious-elephant-apt-hackers-infiltrate-organization/

  • https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting


  • Published: Fri Jun 26 14:44:57 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.