Full Report
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts. Kaspersky, which is tracking the activity under the moniker StrikeShark, said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan,
Analysis Summary
# Tool/Technique: SharkLoader (StrikeShark Campaign)
## Overview
SharkLoader is a recently discovered, undocumented malware loader used to facilitate the deployment of secondary payloads, most notably Cobalt Strike Beacon. It is the primary component of a campaign dubbed **StrikeShark**, which targets a wide array of government, diplomatic, and private sector entities globally. The campaign is characterized by the opportunistic exploitation of high-profile vulnerabilities and the use of DLL side-loading to maintain stealth.
## Technical Details
- **Type:** Malware Family (Loader)
- **Platform:** Windows
- **Capabilities:** Payload delivery (Cobalt Strike), persistence via DLL side-loading, anti-analysis (via dropper lures), and reconnaissance.
- **First Seen:** June 2026 (date of the public report).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1190 - Exploit Public-Facing Application]
- **[TA0003 - Persistence]**
  - [T1574.002 - Hijack Execution Flow: DLL Side-Loading]
  - [T1505.003 - Server Software Component: Web Shell]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1140 - Deobfuscate/Decode Files or Information]
- **[TA0007 - Discovery]**
  - [T1018 - Remote System Discovery]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols]
## Functionality
### Core Capabilities
- **Payload Deployment:** Acts as a stage-one loader designed specifically to decrypt and execute Cobalt Strike Beacon in memory.
- **Initial Access via Vulnerabilities:** The threat actor exploits a wide range of CVEs (including ProxyLogon/ProxyNotShell in Exchange, Openfire, and GeoServer) to gain unauthorized access.
- **Execution Chains:** Utilizes a DLL side-loading chain involving the legitimate Windows executable `SystemSettings.exe` to load the malicious `SystemSettings.dll` (SharkLoader).
### Advanced Features
- **Themed Droppers:** Uses masqueraded installers for legitimate software (e.g., Google Update, Cisco AnyConnect) to deliver the loader.
- **Lure Documents:** Employs decoy PDF documents to deceive users and mask malicious activity during the execution phase.
- **Post-Compromise Toolkit:** Integrates with open-source tools like **FScan** (network scanning) and **Pillager** (credential/info harvesting).
## Indicators of Compromise
- **File Names:**
  - `SystemSettings.exe` (legitimate host)
  - `SystemSettings.dll` (malicious loader)
- **Vulnerabilities Targeted (Initial Access):**
  - CVE-2021-26855 (Exchange)
  - CVE-2023-32315 (Openfire)
  - CVE-2024-36401 (GeoServer)
  - CVE-2023-20198 (Cisco IOS XE)
  - CVE-2024-21762 (FortiOS)
- **Network Indicators:**
  - [Note: specific C2 IPs and domains were not provided in the source excerpt; published indicators would normally appear here in defanged form, e.g. `hxxp[://]example[.]com`.]
## Associated Threat Actors
- **StrikeShark:** A suspected Chinese-speaking threat actor. While no direct attribution to a specific APT group (like APT41) is confirmed, the use of FScan, Pillager, and specific exploitation patterns strongly suggests Chinese-origin interests.
## Detection Methods
- **Signature-based:** Security solutions should flag unexpected versions of `SystemSettings.dll` located outside of `C:\Windows\System32`.
- **Behavioral Detection:**
  - Monitor for `SystemSettings.exe` spawning network-active processes or unexpected shells.
  - Detect common web shell activity (e.g., `w3wp.exe` spawning `cmd.exe`).
- **File Integrity:** Monitor for the creation of unusual DLLs in directories containing legitimate signed executables (Side-loading detection).
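As an added example (not Kaspersky's or this report's code), the Python script below encodes the detection points above, together with the `SystemSettings.exe` / `SystemSettings.dll` side-loading chain from the Functionality section, as rules run over a handful of constructed Sysmon-style events. The expected-directory baseline, the shell and network-tool lists, and every sample path and command line are assumptions made for the example.

```python
"""Toy detection logic for the SharkLoader/StrikeShark behaviours described above.

Added example, not Kaspersky's or the report's code. Events are constructed,
Sysmon-style records (EventID 7 = image load, EventID 1 = process create)
reduced to dicts; every path, tool list and command line is illustrative.
"""
from __future__ import annotations

import ntpath

# Directory the report names as the legitimate home of SystemSettings.dll.
# Assumption for this example: adjust to your own baseline.
EXPECTED_DLL_DIRS = {r"c:\windows\system32"}
# Child processes the Settings host or an IIS worker should never spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Built-in tools commonly used to reach the network (illustrative set).
NETWORK_TOOLS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"}
WEB_WORKERS = {"w3wp.exe"}


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_image_load(ev: dict) -> list[str]:
    """EventID 7 rules: SystemSettings.dll from an unexpected path, and any
    unsigned DLL loaded from the same non-Windows directory as its host EXE."""
    hits = []
    loaded = ev["ImageLoaded"]
    if _name(loaded) == "systemsettings.dll" and _dir(loaded) not in EXPECTED_DLL_DIRS:
        hits.append(f"T1574.002 SystemSettings.dll loaded from unexpected path: {loaded}")
    if (str(ev.get("Signed", "")).lower() == "false"
            and _dir(loaded) == _dir(ev["Image"])
            and not _dir(loaded).startswith(r"c:\windows")):
        hits.append(f"side-load candidate: unsigned DLL beside host executable: {loaded}")
    return hits


def check_process_create(ev: dict) -> list[str]:
    """EventID 1 rules: suspicious parent/child pairs."""
    hits = []
    parent, child = _name(ev["ParentImage"]), _name(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if parent == "systemsettings.exe" and child in SHELLS | NETWORK_TOOLS:
        hits.append(f"SystemSettings.exe spawned {child}: {cmd}")
    if parent in WEB_WORKERS and child in SHELLS:
        hits.append(f"T1505.003 web shell pattern: {parent} spawned {child}: {cmd}")
    return hits


def scan(events: list[dict]) -> list[str]:
    """Run every rule over a list of events and return the alert strings."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:
            alerts.extend(check_image_load(ev))
        elif ev["EventID"] == 1:
            alerts.extend(check_process_create(ev))
    return alerts


# Constructed sample telemetry: two benign records and three that should alert.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\SystemSettings.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\GoogleUpdate\SystemSettings.exe",
     "ImageLoaded": r"C:\Users\Public\GoogleUpdate\SystemSettings.dll", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Users\Public\GoogleUpdate\SystemSettings.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ipconfig"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The second image-load rule is deliberately generic: it does not depend on the `SystemSettings` name, so it also catches the themed-dropper variants (Google Update, Cisco AnyConnect lookalikes) that drop a fresh unsigned DLL beside a signed host binary in a user-writable directory.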
## Mitigation Strategies
- **Patch Management:** Prioritize patching the extensive list of exploited CVEs (Exchange, Fortinet, Cisco, Openfire).
- **Endpoint Hardening:** Disable unnecessary web management interfaces on public-facing appliances.
- **DLL Security:** Implement protections against DLL search-order hijacking and use application control (e.g., AppLocker) to block unauthorized DLLs from loading.
## Related Tools/Techniques
- **Cobalt Strike:** The primary second-stage RAT.
- **FScan:** Used for internal network reconnaissance.
- **Pillager:** Used for sensitive data exfiltration from browsers and local databases.
- **DLL Side-loading:** The primary execution technique.