SharkLoader Malware Deploys Cobalt Strike in Global Cyberattacks

A newly identified cyberattack campaign, dubbed StrikeShark, has been observed deploying a previously undocumented malware known as SharkLoader to deliver Cobalt Strike Beacon on compromised systems. This campaign has targeted a diverse range of organizations, including a diplomatic entity in Indonesia, government bodies in Taiwan, and software development companies across multiple countries. Additional affected sectors are located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.

The broad geographic reach and varied target set suggest that the campaign is not confined to a specific industry or region. While no direct links to known threat actors have been established, the use of open-source post-compromise tools like FScan and Pillager—commonly utilized by Chinese-speaking developers—indicates the involvement of a Chinese-speaking threat actor.

Exploitation of Known Vulnerabilities

The attackers have employed multiple initial access methods by exploiting known vulnerabilities in widely used software:

  • Microsoft Exchange Server: Leveraging the ProxyLogon vulnerability (CVE-2021-26855) to target the Indonesian diplomatic entity.
  • Openfire: Exploiting a path traversal vulnerability (CVE-2023-32315) to infiltrate Taiwanese software development organizations.
  • GeoServer: Utilizing a critical remote code execution flaw (CVE-2024-36401) to compromise a Colombian organization.

Other exploited vulnerabilities include:

  • Apache Shiro (CVE-2016-4437)
  • Hikvision Products (CVE-2021-36260)
  • Microsoft SharePoint (CVE-2021-27076)
  • Zimbra Collaboration Suite (CVE-2022-27925)
  • Microsoft Exchange Server (CVE-2022-41082), also known as ProxyNotShell
  • F5 BIG-IP (CVE-2023-46747)
  • Fortinet FortiOS (CVE-2024-21762)
  • React Server Components (CVE-2025-55182)
  • Fortinet FortiOS (CVE-2022-40684)
  • Cisco IOS XE Web UI (CVE-2023-20198)

It is believed that the attackers are utilizing publicly available proof-of-concept exploits from platforms like GitHub to gain initial access opportunistically.

Deployment of SharkLoader

Upon gaining access, the attackers establish persistence by deploying web shells to initiate a DLL side-loading chain involving “SystemSettings.exe” to deliver SharkLoader (“SystemSettings.dll”). Another method involves using custom dropper executables disguised as legitimate software installers, such as Google Update and Cisco AnyConnect, which execute the malware loader upon completion of the installation process. Some droppers also employ decoy PDF documents to entice victims into opening the malicious file, while others function solely as delivery mechanisms without presenting any lure content.
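A detection heuristic for the side-loading chain just described (a host executable loading a DLL that carries its own base name from the same, non-system directory, with a web-server worker as parent hinting at a web-shell origin), added here as an example and not code from the report or the campaign; the trusted-directory list, the web-worker process names and the sample event records are assumptions.

```python
"""Heuristic for the DLL side-loading pattern in the text: a host executable
loading a DLL with its own base name from the same, non-system directory.
Records are constructed in the shape of Sysmon Event ID 7 (ImageLoad) fields
plus ParentImage; they are not telemetry from the campaign."""
from pathlib import PureWindowsPath

# Directories where same-named EXE/DLL pairs are expected (assumption, tune per estate).
TRUSTED_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Web-server worker processes whose children suggest a web-shell origin (assumption).
WEB_WORKERS = {"w3wp.exe"}

def _parts(path):
    """Lower-cased path components, so comparisons ignore Windows case."""
    return [p.lower() for p in PureWindowsPath(path).parts]

def _under(path, root):
    """True if path lies inside root."""
    p, r = _parts(path), _parts(root)
    return p[: len(r)] == r

def is_sideload_candidate(event):
    """True when the loaded DLL shares the host EXE's stem and directory,
    and that directory is outside TRUSTED_DIRS."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    same_stem = image.stem.lower() == loaded.stem.lower()
    same_dir = _parts(image.parent) == _parts(loaded.parent)
    trusted = any(_under(loaded.parent, d) for d in TRUSTED_DIRS)
    return same_stem and same_dir and not trusted

def scan(events):
    """Return (loaded DLL, parent-is-web-worker) for each matching ImageLoad."""
    hits = []
    for e in events:
        if e.get("EventID") != 7 or not is_sideload_candidate(e):
            continue
        parent = PureWindowsPath(e.get("ParentImage", "")).name.lower()
        hits.append((e["ImageLoaded"], parent in WEB_WORKERS))
    return hits

# Constructed sample events; every path here is an illustrative placeholder.
SAMPLE_EVENTS = [
    {"EventID": 7, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\ProgramData\Update\SystemSettings.exe",
     "ImageLoaded": r"C:\ProgramData\Update\SystemSettings.dll"},
    {"EventID": 7, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\ProgramData\Update\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    for dll, via_web in scan(SAMPLE_EVENTS):
        print("possible DLL side-load:", dll, "(web-worker parent)" if via_web else "")
```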

Once loaded, SharkLoader employs a technique known as Perfect DLL Hijacking to execute malicious code while bypassing Windows Loader Lock, a system-wide lock held by the operating system.

The emergence of SharkLoader underscores the evolving tactics of cybercriminals who exploit known vulnerabilities and employ sophisticated techniques to infiltrate diverse targets. Organizations must remain vigilant, promptly apply security patches, and educate employees about the risks associated with opening unsolicited attachments or clicking on unknown links. The use of open-source tools by threat actors also highlights the need for comprehensive monitoring and threat intelligence to detect and mitigate such attacks effectively.