StrikeShark Campaign Deploys New SharkLoader Malware to Deliver Cobalt Strike Across Global Targets

A new cyberespionage campaign tracked as StrikeShark is using a previously unknown SharkLoader malware to deploy Cobalt Strike Beacons across government, diplomatic, and software organizations worldwide.

CSBadmin

A newly identified cyberattack campaign, dubbed StrikeShark, is leveraging a previously undocumented malware loader called SharkLoader to deploy Cobalt Strike Beacon implants on compromised systems. Security researchers report that the campaign has been observed targeting a wide range of victims, including diplomatic entities in Indonesia, government agencies in Taiwan, and software development companies across multiple regions in Asia, Europe, and the Middle East.

The attack chain varies depending on the intrusion path, but commonly begins with exploitation of known vulnerabilities in internet-facing systems such as Microsoft Exchange, Openfire, GeoServer, Fortinet, and Cisco products. In some cases, attackers also rely on malicious installers or fake application updates disguised as trusted software like Google Update or Cisco AnyConnect. Once executed, these droppers install SharkLoader, which acts as the primary staging mechanism for further payload delivery.

SharkLoader uses advanced DLL sideloading techniques, including a method referred to as “Perfect DLL Hijacking,” to bypass Windows loading protections and inject malicious code into legitimate processes. The loader decrypts and executes additional components that ultimately deploy Cobalt Strike Beacon in a suspended thread, enabling stealthy command-and-control operations. Researchers also observed the use of API hooking frameworks like Microsoft Detours and MinHook to evade memory-based detection techniques.

Although the campaign does not yet show clear signs of large-scale data exfiltration, analysts believe its behavior is consistent with cyber espionage activity. The combination of broad targeting, exploitation of public vulnerabilities, and post-compromise reconnaissance tools suggests a flexible operation capable of both opportunistic intrusion and longer-term intelligence gathering.

Sources: The Hacker News