{"id":3831,"date":"2026-06-24T10:04:05","date_gmt":"2026-06-24T10:04:05","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/"},"modified":"2026-06-24T10:04:05","modified_gmt":"2026-06-24T10:04:05","slug":"strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/","title":{"rendered":"StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<h2 id=\"introduction\">Introduction<\/h2>\n<p>During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named <strong>SharkLoader<\/strong>. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors.<\/p>\n<p>Our investigation revealed that SharkLoader serves as a loader designed to deploy Cobalt Strike Beacon on compromised systems. 
We observed the threat actor deploying SharkLoader through exploitation of internet-facing applications, including Microsoft Exchange, Microsoft SharePoint, and Openfire Server, as well as through malware-based delivery mechanisms.<\/p>\n<p>Beyond the diplomatic entity in Indonesia, we identified related activity targeting government organizations in Taiwan, software development companies across multiple countries, and entities in other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and more. The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region.<\/p>\n<p>For now, we are tracking this activity as <strong>StrikeShark<\/strong>. Although the operators utilize several open-source post-compromise tools associated with Chinese-speaking developers, we have not identified direct code reuse, infrastructure overlap, or operational similarity to confidently attribute the activity to any known APT or cybercrime group. As a result, attribution remains preliminary and the campaign\u2019s ultimate objectives are still under research.<\/p>\n<h2 id=\"initial-infection\">Initial infection<\/h2>\n<p>Our analysis of SharkLoader intrusions indicates that the threat actor employs multiple methods to gain initial access to victim environments. During our investigation, we observed two primary infection vectors: the exploitation of vulnerabilities in internet-facing applications and the deployment of custom dropper samples, some of which were disguised as legitimate software.<\/p>\n<h3 id=\"exploitation-of-public-facing-applications\">Exploitation of public-facing applications<\/h3>\n<p>In the incident affecting an Indonesian diplomatic entity, the threat actor exploited Microsoft Exchange vulnerabilities, including CVE-2021-26855 (ProxyLogon), to gain access to the target environment. 
Similar activity was observed in Taiwan, where software development organizations were compromised through exploitation of Openfire (CVE-2023-32315). In a separate incident affecting a Colombian organization, the threat actor exploited a GeoServer instance vulnerable to CVE-2024-36401.<\/p>\n<p>Beyond these incidents, we identified additional exploitation activity targeting vulnerabilities in multiple internet-facing enterprise applications and network appliances, including those listed below:<\/p>\n<p><strong>Remote Code Execution (RCE)<\/strong><\/p>\n<ul>\n<li>Apache Shiro: CVE-2016-4437<\/li>\n<li>Hikvision products: CVE-2021-36260<\/li>\n<li>Microsoft SharePoint: CVE-2021-27076<\/li>\n<li>Zimbra Collaboration Suite: CVE-2022-27925<\/li>\n<li>Microsoft Exchange Server: <a href=\"https:\/\/securelist.com\/cve-2022-41040-and-cve-2022-41082-zero-days-in-ms-exchange\/108364\/\" target=\"_blank\" rel=\"noopener\">CVE-2022-41082<\/a><\/li>\n<li>F5 BIG-IP: CVE-2023-46747<\/li>\n<li>Fortinet FortiOS: CVE-2024-21762<\/li>\n<li>React Server Components: <a href=\"https:\/\/securelist.com\/cve-2025-55182-exploitation\/118331\/\" target=\"_blank\" rel=\"noopener\">CVE-2025-55182<\/a><\/li>\n<\/ul>\n<p><strong>Authentication Bypass<\/strong><\/p>\n<ul>\n<li>Fortinet FortiOS: CVE-2022-40684<\/li>\n<li>Cisco IOS XE Web UI: CVE-2023-20198<\/li>\n<\/ul>\n<p>At the time of writing, we have not obtained the exploits the attackers used. However, based on the vulnerabilities observed across multiple attacks, we assess with medium confidence that the threat actor relies primarily on publicly available proof-of-concept (PoC) exploits to gain initial access. All the vulnerabilities identified during our investigation have publicly available exploit code, including PoCs hosted on GitHub and other open-source platforms, suggesting the actor leverages existing offensive resources rather than developing custom exploit capabilities. 
The victim profile also indicates that the activity is largely opportunistic, affecting organizations across various industries, regions, and technology environments without a clear focus on a specific target set. In addition, one of the IP addresses associated with the C2 domain was observed conducting internet-wide scanning, potentially aimed at identifying and exploiting vulnerable internet-facing systems at scale.<\/p>\n<p>Following exploitation, the attacker established persistence on compromised servers by deploying webshells. Although we were unable to recover the webshell files, the command sequences observed in our telemetry, together with webshell detection records, strongly indicate that webshells were used for post-exploitation activity.<\/p>\n<p>One of the earliest observed actions involved copying the legitimate Windows application <em>SystemSettings.exe<\/em> to a new location before executing it.<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">cd C:\\Windows\\ImmersiveControlPanel\r\ncopy SystemSettings.exe C:\\ProgramData\r\ncd C:\\ProgramData\r\nSystemSettings.exe<\/pre>\n<p>This application was later abused as part of a DLL sideloading chain used to launch SharkLoader, which in this scenario was hidden in the malicious <em>SystemSettings.dll<\/em> library. We suspect that this DLL, along with the malicious encrypted files described further below, was uploaded through the webshell to the same directory as <code>SystemSettings.exe<\/code>. Because the legitimate binary is installed in <code>C:\\Windows\\ImmersiveControlPanel<\/code>, execution of <code>SystemSettings.exe<\/code> from a user-writable directory is a simple, high-signal hunting query for this chain.<\/p>\n<p>In another case involving the exploitation of CVE-2021-27076, the threat actor launched <code>SystemSettings.exe<\/code>, and with it the SharkLoader sideloading chain, from several different directories on the system, which suggests repeated operational activity in the victim environment. 
In some cases they used security product vendor names as directory names, presumably to appear legitimate.<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">cd C:\\ProgramData\\KasperskyLab\r\ndir\r\n.\\SystemSettings.exe\r\ncd %APPDATA%\r\ndir\r\ncd kasperskylab\r\ndir\r\n.\\SystemSettings.exe<\/pre>\n<h3 id=\"dropper-based-distribution\">Dropper-based distribution<\/h3>\n<p>In several observed cases, the threat actor distributed SharkLoader through custom dropper executables masquerading as legitimate software installers or applications such as Google Update and Cisco AnyConnect. However, the exact delivery mechanism used to distribute these droppers remains unknown.<\/p>\n<p>The observed dropper filenames include:<\/p>\n<ul>\n<li><code>GoogleUpdateStepup.exe<\/code><\/li>\n<li><code>AnyConnect-win-4.10.04071-predeploy-k9.exe<\/code><\/li>\n<li><code>AutoUpdate.exe<\/code><\/li>\n<li><code>319-pfd-8001-reva_traitement biologique_master.zip<\/code><\/li>\n<\/ul>\n<p>In one of the samples we analyzed, the threat actor used a legitimate Cisco AnyConnect VPN installer as a lure. The custom dropper extracted zlib-compressed data embedded within its resource section, decompressed it into an MSI package, and wrote the file to <code>%APPDATA%\\reports\\AnyConnect-win-4.msi<\/code>. 
The MSI package was a legitimate Cisco AnyConnect VPN installer, which was subsequently executed via the <code>ShellExecuteW<\/code> API, making the user believe the custom dropper was a legitimate application.<\/p>\n<p>While the Cisco AnyConnect installer ran, the SharkLoader components were silently written to a separate directory under <code>%APPDATA%<\/code> (not <code>%APPDATA%\\reports<\/code>), and the loader was executed once the installation completed.<\/p>\n<div id=\"attachment_120327\" style=\"width: 499px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173558\/strikeshark-campaign1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" aria-describedby=\"caption-attachment-120327\" class=\"size-full wp-image-120327\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173558\/strikeshark-campaign1.png\" alt=\"Malicious Cisco Secure Client installer\" width=\"489\" height=\"381\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173558\/strikeshark-campaign1.png 489w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173558\/strikeshark-campaign1-300x234.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173558\/strikeshark-campaign1-449x350.png 449w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173558\/strikeshark-campaign1-359x280.png 359w\" sizes=\"(max-width: 489px) 100vw, 489px\"><\/a><\/p>\n<p id=\"caption-attachment-120327\" class=\"wp-caption-text\">Malicious Cisco Secure Client installer<\/p>\n<\/div>\n<p>In addition to installer-themed lures, several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file. 
However, not all samples employ this technique, as some droppers function solely as a delivery mechanism for SharkLoader without presenting any lure content.<\/p>\n<p>Among the samples analyzed, most droppers write the decoy PDF to a subdirectory named <code>aswerf<\/code> within the <code>%TEMP%<\/code> directory, while others save the document directly to <code>%TEMP%<\/code>.<\/p>\n<p>Analysing the sample shows the PDF files are stored within the dropper\u2019s resource section under the resource name <code>TELEMETRY<\/code> and are compressed with zlib. Upon execution, the dropper extracts and decompresses the embedded PDF, writes it to disk using the same filename as the dropper executable but with a <code>PDF<\/code> extension, and launches it via <code>cmd.exe \/c <\/code> to display the decoy document to the victim.<\/p>\n<p>The following are examples of PDF documents extracted and displayed by the droppers during the deployment of SharkLoader.<\/p>\n<div id=\"attachment_120342\" style=\"width: 2570px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-scaled.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120342\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-scaled.png\" alt=\"Lure document 1. 
The document appears to be related to a biological treatment process and was produced by an engineering consultant\" width=\"2560\" height=\"1817\" class=\"size-full wp-image-120342\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-scaled.png 2560w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-300x213.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-1024x727.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-768x545.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-1536x1090.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-2048x1453.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-493x350.png 493w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-740x525.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-395x280.png 395w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24093439\/strikeshark-campaign-2-800x568.png 800w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\"><\/a><\/p>\n<p id=\"caption-attachment-120342\" class=\"wp-caption-text\">Lure document 1. 
The document appears to be related to a biological treatment process and was produced by an engineering consultant<\/p>\n<\/div>\n<div id=\"attachment_120329\" style=\"width: 573px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173840\/strikeshark-campaign3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120329\" class=\"size-full wp-image-120329\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173840\/strikeshark-campaign3.png\" alt=\"Lure Document 2. Translated title: Liquid Rocket Engine Design Program \" width=\"563\" height=\"731\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173840\/strikeshark-campaign3.png 563w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173840\/strikeshark-campaign3-231x300.png 231w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173840\/strikeshark-campaign3-270x350.png 270w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23173840\/strikeshark-campaign3-216x280.png 216w\" sizes=\"auto, (max-width: 563px) 100vw, 563px\"><\/a><\/p>\n<p id=\"caption-attachment-120329\" class=\"wp-caption-text\">Lure Document 2. Translated title: Liquid Rocket Engine Design Program<\/p>\n<\/div>\n<p>One dropper sample, found on a machine in Lebanon (MD5: 1F65544978B8EA0E745E573B8EE9684B), extracts and decompresses <code>SystemSettings.dll<\/code> from zlib-compressed data embedded in the binary and writes it to <code>%APPDATA%\\xwreg<\/code>. 
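<\/p>\n<p>The droppers described in this section keep their payloads (the decoy PDF, the side-loaded DLL and the encrypted modules) as zlib-compressed blobs in the resource section. The following triage script is an added example written for this page, not code from the original analysis or from the malware: it carves zlib streams out of an arbitrary binary by validating the two-byte zlib header (RFC 1950) and inflating at every candidate, keeps only streams that end with a valid Adler-32 trailer, and labels each inflated blob by magic bytes or, for the key-prefixed encrypted modules that carry no magic, by entropy. The dropper bytes it scans are constructed inline; only the payload kinds (zlib-compressed decoy PDF, DLL and encrypted modules) come from the text.<\/p>

```python
import math
import zlib

# Magic bytes used to label what comes out of a carved stream.
MAGICS = [(b"%PDF-", "pdf"), (b"MZ", "pe"), (b"PK\x03\x04", "zip")]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, which is what ciphertext looks like."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(blob: bytes) -> str:
    """Label a blob by magic bytes, falling back to an entropy heuristic for the
    key-prefixed encrypted modules, which carry no magic at all."""
    for magic, label in MAGICS:
        if blob.startswith(magic):
            return label
    return "encrypted" if shannon_entropy(blob) > 7.5 else "unknown"


def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950: CM must be 8 (deflate) and CMF*256+FLG must be a multiple of 31."""
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def carve_zlib_streams(data: bytes, min_size: int = 16) -> list:
    """Return (offset, compressed_length, inflated_bytes) for every complete zlib
    stream found in data, skipping over each one after it is carved."""
    found = []
    i = 0
    while i < len(data) - 1:
        if is_zlib_header(data[i], data[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[i:])
            except zlib.error:        # looked like a header, was not a stream
                out = b""
            # eof is set only after a valid Adler-32 trailer, which rejects the
            # occasional two random bytes that pass the header check.
            if d.eof and len(out) >= min_size:
                consumed = len(data) - i - len(d.unused_data)
                found.append((i, consumed, out))
                i += consumed
                continue
        i += 1
    return found


def triage(data: bytes) -> list:
    """Summarise every carved stream as (offset, label, inflated_size)."""
    return [(off, classify(blob), len(blob)) for off, _, blob in carve_zlib_streams(data)]


# Constructed stand-in for a dropper: a decoy PDF, a DLL and an encrypted-looking
# module, each zlib-compressed and separated by non-zlib filler. Not a real sample.
FAKE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n" * 4
FAKE_DLL = b"MZ" + bytes(0x3E) + b"PE\x00\x00" + b"\x90" * 200
FAKE_ENC = bytes((i * 73 + 17) % 256 for i in range(2048))   # uniform bytes, entropy 8.0
PADDING = bytes(range(256)) * 4
SAMPLE_DROPPER = (PADDING + zlib.compress(FAKE_PDF) + PADDING + zlib.compress(FAKE_DLL)
                  + PADDING + zlib.compress(FAKE_ENC))

if __name__ == "__main__":
    for offset, label, size in triage(SAMPLE_DROPPER):
        print(f"0x{offset:06x}  {label:<10} {size} bytes")
```

<p>Against a real dropper, <code>triage(open(path, \"rb\").read())<\/code> is enough; carving by header rather than walking the PE resource directory also catches blobs stored outside the resource section, and a high-entropy result whose first 16 or 32 bytes look like a key and IV is the layout the encrypted modules below use.<\/p>\n<p>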
The same dropper also extracts and decompresses <code>DscCoreR.mui<\/code> and <code>SyncRest.dat<\/code> from resources named <code>VAULTSVCD<\/code> and <code>UMRDPRDAT<\/code>, respectively, and writes them to the same directory.<\/p>\n<div id=\"attachment_120330\" style=\"width: 2570px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-scaled.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120330\" class=\"size-full wp-image-120330\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-scaled.png\" alt=\"The dropper extracts SystemSettings.dll from the binary and retrieves encrypted components from the resource section\" width=\"2560\" height=\"776\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-scaled.png 2560w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-300x91.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-1024x310.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-768x233.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-1536x466.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-2048x621.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-1154x350.png 1154w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-740x224.png 740w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-923x280.png 923w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23174214\/strikeshark-campaign4-800x243.png 800w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\"><\/a><\/p>\n<p id=\"caption-attachment-120330\" class=\"wp-caption-text\">The dropper extracts SystemSettings.dll from the binary and retrieves encrypted components from the resource section<\/p>\n<\/div>\n<p>The dropper then copies the legitimate <code>SystemSettings.exe<\/code> application from <code>C:\\Windows\\ImmersiveControlPanel<\/code> to the target location to facilitate DLL sideloading. Across the other SharkLoader dropper samples analyzed, the malware components were written to either <code>%APPDATA%\\xwreg<\/code> or <code>%APPDATA%\\xgdf<\/code>.<\/p>\n<h2 id=\"sharkloader-installation\">SharkLoader installation<\/h2>\n<p>SharkLoader is composed of multiple components that work together to load and execute the final implant, a Cobalt Strike Beacon.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Filename<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>SystemSettings.exe<\/td>\n<td>Legitimate Windows application abused for DLL side-loading of the malicious DLL SystemSettings.dll.<\/td>\n<\/tr>\n<tr>\n<td>SystemSettings.dll<\/td>\n<td>Main malicious SharkLoader DLL responsible for the core loader functionality.<\/td>\n<\/tr>\n<tr>\n<td>DscCoreR.mui<\/td>\n<td>An encrypted module that contains an embedded Cobalt Strike Beacon and the MinHook library. 
This module loads SyncRes.dat, installs a couple of API hooks, and executes the Beacon directly in memory.<\/td>\n<\/tr>\n<tr>\n<td>SyncRes.dat<\/td>\n<td>An encrypted DLL that is used to install multiple API hooks.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>While the majority of SharkLoader samples analyzed rely on the sideloading of <code>SystemSettings.dll<\/code>, other variants leverage alternative DLL side-loading targets, including <code>msedge.dll<\/code>, <code>PrintDialog.dll<\/code>, and <code>miracastview.dll<\/code>, each of them leveraging a corresponding legitimate application.<\/p>\n<p>Across the different variants examined, the encrypted modules were also observed using a variety of filenames, including:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">GameInputInboxs32.mui\r\ndiagerr.xml\r\nNtfsLog.etl\r\nIgnored.Dat\r\nVistaCompat.nls<\/pre>\n<p>The SharkLoader execution flow is as follows:<\/p>\n<div id=\"attachment_120339\" style=\"width: 2570px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-scaled.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120339\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-scaled.png\" alt=\"SharkLoader infection chain observed in the StrikeShark campaign\" width=\"2560\" height=\"1650\" class=\"size-full wp-image-120339\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-scaled.png 2560w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-300x193.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-1024x660.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-768x495.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-1536x990.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-2048x1320.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-543x350.png 543w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-740x477.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-434x280.png 434w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24091405\/strikeshark-campaign-5-800x516.png 800w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\"><\/a><\/p>\n<p id=\"caption-attachment-120339\" class=\"wp-caption-text\">SharkLoader infection chain observed in the StrikeShark campaign<\/p>\n<\/div>\n<p>In the dropper-based infections, after deploying all required SharkLoader components, the dropper creates two scheduled tasks through the Windows Task Scheduler COM interfaces. 
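<\/p>\n<p>The persistence pattern described in this section (a side-loading host copied out of <code>C:\\Windows\\ImmersiveControlPanel<\/code>, a task repeating every five minutes, and a second one-second task that is deleted moments later) can be checked against exported task definitions. The script below is an added example written for this page, not code from the original analysis: it audits Task Scheduler XML for three signals, a known side-loading host executed from a directory other than its legitimate one, a repetition interval of five minutes or less, and a task name carrying a malformed SID suffix (a machine SID has the shape <code>S-1-5-21-x-y-z-RID<\/code>, whereas <code>S-1-5-32<\/code> is the BUILTIN authority and never carries that shape). The task XML, the victim paths and the <code>SIDELOAD_HOSTS<\/code> table are constructed for the example; the task names and intervals are the ones reported in this section.<\/p>

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Known DLL side-loading hosts and the directory that holds the legitimate copy.
# SystemSettings.exe is the host named in the analysis; extend for your estate.
SIDELOAD_HOSTS = {"systemsettings.exe": r"c:\windows\immersivecontrolpanel"}

# Shapes a genuine SID suffix can take: a machine/domain SID (S-1-5-21-x-y-z-RID),
# a BUILTIN alias (S-1-5-32-RID) or a well-known principal (S-1-5-18). The BUILTIN
# authority S-1-5-32 never carries three machine sub-authorities.
WELL_FORMED_SID = re.compile(r"S-1-5-(?:21-\d+-\d+-\d+-\d+|32-\d{3}|\d{1,2})$")
ANY_SID = re.compile(r"S-1-5-\d+(?:-\d+)*$")
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(value: str) -> int:
    """Parse the ISO 8601 duration subset Task Scheduler writes (PT5M, PT1S, P1D, ...)."""
    m = DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported duration {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(name: str, task_xml: str, max_interval: int = 300) -> list:
    """Return human-readable findings for one task definition (empty list = clean)."""
    root = ET.fromstring(task_xml)
    findings = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').replace("/", "\\").lower()
        directory, _, exe = path.rpartition("\\")
        expected = SIDELOAD_HOSTS.get(exe)
        if expected and directory != expected:
            findings.append(f"side-loading host {exe} runs from {directory} (expected {expected})")
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        seconds = iso_duration_seconds((interval.text or "").strip())
        if seconds <= max_interval:
            findings.append(f"repeats every {seconds}s")
    sid = ANY_SID.search(name)
    if sid and not WELL_FORMED_SID.search(name):
        findings.append(f"malformed SID suffix {sid.group(0)}")
    return findings


def audit_all(tasks: dict) -> dict:
    """Audit {task name: task xml} and return {task name: findings}."""
    return {name: audit_task(name, xml) for name, xml in tasks.items()}


def _task_xml(command: str, interval: str) -> str:
    """Minimal Task Scheduler definition. Real exports carry an XML declaration and
    are UTF-16 encoded, so parse those from the file with ET.parse(path)."""
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>{interval}</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2026-06-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>{command}</Command></Exec>
  </Actions>
</Task>"""


# Constructed task set: the two names and intervals from the analysis, plus a
# legitimate-looking OneDrive updater task as a control. Paths are invented.
XWREG = r"C:\Users\victim\AppData\Roaming\xwreg\SystemSettings.exe"
SAMPLE_TASKS = {
    "OneDrive Standalone Update Task-S-1-5-21-4165425321-4153752593-2322023643-1000": _task_xml(XWREG, "PT5M"),
    "MicrosoftUpdateTaskUserS-1-5-32-2456537112-101246289-228944324-1000": _task_xml(XWREG, "PT1S"),
    "OneDrive Standalone Update Task-S-1-5-21-4165425321-4153752593-2322023643-1001": _task_xml(
        r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", "P1D"),
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TASKS).items():
        print(name, "->", findings or "clean")
```

<p>Task definitions can be exported with <code>schtasks \/query \/xml<\/code> or read from the files under <code>C:\\Windows\\System32\\Tasks<\/code>. Because the one-second task is removed after about 1.5 seconds, an on-disk audit will usually only find the five-minute task; the short-lived one is best caught in task-registration telemetry (Security event 4698 or TaskScheduler operational event 106).<\/p>\n<p>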
Task names:<\/p>\n<ul>\n<li>OneDrive Standalone Update Task-S-1-5-21-4165425321-4153752593-2322023643-1000<\/li>\n<li>MicrosoftUpdateTaskUserS-1-5-32-2456537112-101246289-228944324-1000<\/li>\n<\/ul>\n<p>Both tasks are configured to execute the copied <code>SystemSettings.exe<\/code> from the malware\u2019s working directory (for example, <code>%APPDATA%\\xwreg<\/code> or <code>%APPDATA%\\xgdf<\/code>), triggering the side-loading of the malicious SharkLoader DLL. The names imitate the per-user task registered by the legitimate OneDrive updater, which carries the user\u2019s machine SID as a suffix; note that the second name uses an <code>S-1-5-32<\/code> prefix, which belongs to the BUILTIN authority and never takes the four-sub-authority shape of a machine SID, so that suffix is not a real SID.<\/p>\n<p>The first scheduled task uses a time-based trigger that fires every five minutes, providing long-term persistence.<\/p>\n<p>The second task is configured to fire every second, likely to ensure immediate execution of SharkLoader following deployment.<\/p>\n<p>After a delay of approximately 1.5 seconds, the dropper removes the second scheduled task by using the Task Scheduler COM interfaces, leaving the first task in place to maintain persistence on the system. The short-lived task will therefore rarely be found on disk and is best caught in task-registration telemetry.<\/p>\n<h2 id=\"sharkloader-dll-main-implant\">SharkLoader DLL \u2013 Main implant<\/h2>\n<p>For the detailed analysis of the infection chain, we\u2019ll focus on the SharkLoader components deployed by a malicious dropper named <code>\u4e00\u79cd\u5f02\u5e38\u72b6\u51b5\u7684\u622a\u56fe\uff08\u5305\u62ec\u64cd\u4f5c\u7cfb\u7edf\u548c\u8f93\u5165\u6cd5\u7248\u672c\uff09.pdf.exe<\/code> (roughly \u201cScreenshot of an abnormal condition (including operating system and input method version).pdf.exe\u201d; MD5: 24FCEBDEECBA65004FDB0923763D74FD), which was identified in a campaign targeting a government entity in Taiwan.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Filename<\/strong><\/td>\n<td><strong>MD5<\/strong><\/td>\n<\/tr>\n<tr>\n<td>SystemSettings.exe<\/td>\n<td>D98F568496512E4F98670C61C97CB07A<\/td>\n<\/tr>\n<tr>\n<td>SystemSettings.dll<\/td>\n<td>AA3086BE652C8B20B0B29B2730D57119<\/td>\n<\/tr>\n<tr>\n<td>DscCoreR.mui<\/td>\n<td>A514D1BB62D7916475946FE7C07AC0AA<\/td>\n<\/tr>\n<tr>\n<td>SyncRest.dat<\/td>\n<td>9CBD560F820C95D7C38342CD558CB5C6<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 id=\"perfectdll-hijacking-technique\">\u201cPerfect DLL Hijacking\u201d 
technique<\/h3>\n<p>Once the malicious DLL is loaded, SharkLoader implements a technique commonly referred to as \u201cPerfect DLL Hijacking\u201d and originally described by a security researcher named Elliot Killick on his <a href=\"https:\/\/elliotonsecurity.com\/perfect-dll-hijacking\/\" target=\"_blank\" rel=\"noopener\">blog<\/a>. The purpose of this technique is to bypass the Windows loader lock and safely create a malicious thread via the <code>CreateThread<\/code> API without risking a deadlock.<\/p>\n<p>According to <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/dlls\/dynamic-link-library-best-practices\">Microsoft\u2019s Dynamic-Link Library Best Practices<\/a>, the Windows loader holds a synchronization object known as the \u201cloader lock\u201d while executing the DllMain function. This mechanism ensures that only one thread can perform DLL loading and initialization operations within a process at any given time. As a result, invoking APIs such as <code>CreateThread<\/code> or <code>LoadLibrary<\/code> from within <code>DllMain<\/code> can lead to deadlocks because the loader lock remains held throughout the execution of the function.<\/p>\n<p>To avoid this issue, SharkLoader manipulates the process\u2019s internal loader state to release the loader lock before invoking <code>CreateThread<\/code> from the <code>DllMain<\/code> execution path. 
By doing so, it attempts to execute its malicious code without triggering the loader-related deadlocks that can occur when threads are created while the loader lock remains held.<\/p>\n<div id=\"attachment_120332\" style=\"width: 726px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175454\/strikeshark-campaign6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120332\" class=\"size-full wp-image-120332\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175454\/strikeshark-campaign6.png\" alt=\"Implementation of the Perfect DLL Hijacking technique to bypass the Windows Loader Lock\" width=\"716\" height=\"467\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175454\/strikeshark-campaign6.png 716w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175454\/strikeshark-campaign6-300x196.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175454\/strikeshark-campaign6-537x350.png 537w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175454\/strikeshark-campaign6-429x280.png 429w\" sizes=\"auto, (max-width: 716px) 100vw, 716px\"><\/a><\/p>\n<p id=\"caption-attachment-120332\" class=\"wp-caption-text\">Implementation of the Perfect DLL Hijacking technique to bypass the Windows Loader Lock<\/p>\n<\/div>\n<p>Based on the code, SharkLoader first resolves the addresses of several undocumented loader structures within <code>ntdll.dll<\/code>, including:<\/p>\n<ol>\n<li><code>LdrpLoaderLock<\/code>: the critical section object used by the Windows loader to synchronize module loading and initialization operations<\/li>\n<li><code>LdrpWorkInProgress<\/code>: an internal loader state variable that tracks whether module initialization is 
currently in progress<\/li>\n<\/ol>\n<p>After locating these structures, SharkLoader forcefully releases the loader lock by invoking <code>LeaveCriticalSection<\/code> on <code>LdrpLoaderLock<\/code>. It then decrements the value of <code>LdrpWorkInProgress<\/code> with <code>InterlockedDecrement64<\/code>, effectively marking the initialization process as complete.<\/p>\n<p>Finally, the malware signals the loader completion event via <code>SetEvent<\/code> before creating a new thread to execute its malicious functionality. Together, these actions manipulate the loader\u2019s internal state and cause Windows to treat the DLL initialization process as having completed successfully. This allows SharkLoader to continue execution after forcefully releasing the loader lock, despite still operating from within the <code>DllMain<\/code> execution path.<\/p>\n<h3 id=\"decryption-and-loading-of-dsccorer-mui\">Decryption and loading of DscCoreR.mui<\/h3>\n<p>As shown in the previous section, the loader creates a new thread after escaping the Windows loader lock. This thread subsequently spawns a second thread responsible for decrypting and reflectively loading the encrypted file, <code>DscCoreR.mui<\/code>.<\/p>\n<p>The routine first reads the encrypted file into memory and uses its first 16 bytes as the Blowfish decryption key. It then initializes the Blowfish cipher with custom P-array and S-box constants embedded in the loader and decrypts the remainder of the file in ECB mode with the extracted key. Because the constants are non-standard, an offline decryptor needs the P-array and S-boxes lifted from <code>SystemSettings.dll<\/code> as well as the key taken from the file. 
Once decryption is complete, the resulting PE file is reflectively loaded into memory and executed without being written to disk.<\/p>\n<div id=\"attachment_120333\" style=\"width: 876px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175840\/strikeshark-campaign7.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120333\" class=\"size-full wp-image-120333\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175840\/strikeshark-campaign7.png\" alt=\"Structure of the encrypted DscCoreR.mui file containing the 16-byte Blowfish key bytes followed by the encrypted PE bytes\" width=\"866\" height=\"237\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175840\/strikeshark-campaign7.png 866w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175840\/strikeshark-campaign7-300x82.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175840\/strikeshark-campaign7-768x210.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175840\/strikeshark-campaign7-740x203.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23175840\/strikeshark-campaign7-800x219.png 800w\" sizes=\"auto, (max-width: 866px) 100vw, 866px\"><\/a><\/p>\n<p id=\"caption-attachment-120333\" class=\"wp-caption-text\">Structure of the encrypted DscCoreR.mui file containing the 16-byte Blowfish key bytes followed by the encrypted PE bytes<\/p>\n<\/div>\n<p>The decrypted <code>DscCoreR.mui<\/code> file is a packed PE file with its MZ header removed, likely as an anti-analysis measure. 
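<\/p>\n<p>Stripping the MZ header defeats tools that reach the NT headers through <code>e_lfanew<\/code>, but the rest of the image is intact, so an analyst can recover it by scanning for the <code>PE\\0\\0<\/code> signature and validating what follows. The following is an added example written for this page, not SharkLoader code: it finds the NT headers with or without a DOS header, parses the COFF and optional headers and the section table, lays the sections out at their RVAs the way the loader\u2019s mapping step does (relocations, imports and page protections, which the text also mentions, are left out), and rewrites a minimal DOS header so standard tooling accepts the file again. The image it works on is a tiny PE32+ built inline for the example. The page does not say whether SharkLoader zeroes the header in place or cuts it off; the example assumes the in-place case (if bytes were removed, every <code>PointerToRawData<\/code> is shifted by the removed length). The same headerless layout recurs in the decrypted <code>SyncRes.dat<\/code> described below.<\/p>

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
PE_SIG = b"PE\0\0"


def find_pe_header(image: bytes) -> int:
    """Offset of the NT headers: via e_lfanew when the DOS header survives,
    otherwise by scanning for the signature and validating what follows it."""
    if image[:2] == b"MZ":
        return struct.unpack_from("<I", image, 0x3C)[0]
    pos = image.find(PE_SIG)
    while pos != -1 and pos + 26 <= len(image):
        machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pos + 4)
        magic = struct.unpack_from("<H", image, pos + 24)[0]
        # A genuine header has a known machine, a sane section count, a
        # standard-size optional header and a PE32 (0x10B) or PE32+ (0x20B) magic.
        if machine in MACHINES and 0 < nsect <= 96 and opt_size in (0xE0, 0xF0) and magic in (0x10B, 0x20B):
            return pos
        pos = image.find(PE_SIG, pos + 1)
    raise ValueError("no NT headers found")


def parse_pe(image: bytes) -> dict:
    """Parse the COFF header, optional header and section table of a (headerless) PE."""
    nt = find_pe_header(image)
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, nt + 4)
    opt = nt + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == 0x20B:                                   # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:                                                # PE32: BaseOfData at +24, ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sect_align, file_align = struct.unpack_from("<II", image, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    sections = []
    for i in range(nsect):
        s = opt + opt_size + i * 40
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, s)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "characteristics": struct.unpack_from("<I", image, s + 36)[0]})
    return {"nt_offset": nt, "machine": MACHINES.get(machine, hex(machine)), "entry": entry,
            "image_base": image_base, "section_align": sect_align, "file_align": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def map_image(image: bytes, info: dict) -> bytearray:
    """Lay the file out as in memory: headers at RVA 0, each section at its RVA.
    Relocations, imports and page protections are deliberately not handled here."""
    mem = bytearray(info["size_of_image"])
    mem[:info["size_of_headers"]] = image[:info["size_of_headers"]]
    for s in info["sections"]:
        chunk = image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        end = min(s["va"] + len(chunk), len(mem))
        mem[s["va"]:end] = chunk[:end - s["va"]]
    return mem


def restore_dos_header(image: bytes, nt_offset: int) -> bytes:
    """Rewrite the two fields the scan had to do without ('MZ' and e_lfanew)."""
    if nt_offset < 0x40:
        raise ValueError("NT headers overlap the DOS header")
    fixed = bytearray(image)
    fixed[0:2] = b"MZ"
    struct.pack_into("<I", fixed, 0x3C, nt_offset)
    return bytes(fixed)


def build_sample_image() -> bytes:
    """Construct a minimal PE32+ image with .text and .data (test input for this
    example, not a real sample)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)
    sections = [(b".text", 0x1000, 0x10, 0x200, 0x200, 0x60000020),
                (b".data", 0x2000, 0x08, 0x400, 0x200, 0xC0000040)]
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x180000000)                  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rp, rs, ch in sections)
    headers = (dos + PE_SIG + file_hdr + bytes(opt) + table).ljust(0x200, b"\0")
    text = b"\x48\x31\xC0\xC3".ljust(0x200, b"\xCC")              # xor eax, eax ; ret
    data = b"SharkDat".ljust(0x200, b"\0")
    return headers + text + data


def strip_dos_header(image: bytes) -> bytes:
    """Zero the DOS header in place, the variant this example assumes for SharkLoader."""
    return bytes(0x40) + image[0x40:]


if __name__ == "__main__":
    headerless = strip_dos_header(build_sample_image())
    info = parse_pe(headerless)
    print(f"NT headers at 0x{info['nt_offset']:x} ({info['machine']}), entry RVA 0x{info['entry']:x}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} RVA 0x{s['va']:05x}  raw 0x{s['raw_ptr']:x}+0x{s['raw_size']:x}")
```

<p>Once <code>restore_dos_header<\/code> has put the MZ stub back, the decrypted module can be handed to any ordinary PE parser or disassembler; the packer stub at the entry point still has to be run or unpacked by hand before the exports described below are visible.<\/p>\n<p>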
After decryption, SharkLoader processes the PE image by parsing its headers, allocating memory for the image, mapping its sections, applying relocations, resolving imported functions, and setting the appropriate memory protections. Once the in-memory PE loading process is complete, the main loader, <code>SystemSettings.dll<\/code>, transfers execution to the entry point of the mapped image, which contains the packer stub.<\/p>\n<p>The stub then unpacks the protected code, invokes the DLL\u2019s <code>DllMain<\/code> function, and returns execution to <code>SystemSettings.dll<\/code>. Finally, <code>SystemSettings.dll<\/code> calls the exported function <code>SetUserProcessPriorityBoost<\/code> from the mapped DLL, triggering execution of the fully unpacked next-stage DLL.<\/p>\n<h2 id=\"dsccorer-mui-and-syncres-dat-dlls\">DscCoreR.mui and SyncRes.dat DLLs<\/h2>\n<p>Within the decrypted and unpacked <code>DscCoreR.mui<\/code> code, the malware proceeds to load and decrypt a second encrypted file, <code>SyncRes.dat<\/code>, before reflectively loading the resulting DLL into memory.<\/p>\n<p>The mapped DLL installs multiple API hooks by using Microsoft Detours, which will be discussed in the next section.<\/p>\n<p>After mapping and loading <code>SyncRes.dat<\/code> for API hooks, <code>DscCoreR.mui<\/code> installs a Vectored Exception Handler (VEH) and creates a thread in a suspended state that is later used to execute the Cobalt Strike Beacon shellcode. 
To install further API hooks, it decompresses and loads the <a href=\"https:\/\/github.com\/tsudakageyu\/minhook\" target=\"_blank\" rel=\"noopener\">MinHook<\/a> library and uses it to hook the <code>VirtualAlloc<\/code> and <code>Sleep<\/code> APIs.<\/p>\n<p><code>DscCoreR.mui<\/code> then decompresses the Cobalt Strike Beacon shellcode into the memory region associated with the suspended thread and resumes that thread, which executes the beacon.<\/p>\n<h3 id=\"decryption-and-loading-of-syncres-dat\">Decryption and loading of SyncRes.dat<\/h3>\n<p>To decrypt <code>SyncRes.dat<\/code>, the malware extracts a 16-byte AES-128 key and a 16-byte initialization vector (IV) directly from the file itself. The first 16 bytes of the file contain the AES key, while the subsequent 16 bytes contain the IV. The remaining file content consists of AES-encrypted data, which is decrypted using the extracted key and IV. Once decrypted, the resulting data reveals a PE image with its MZ header removed, similar to <code>DscCoreR.mui<\/code>.<\/p>\n<div id=\"attachment_120334\" style=\"width: 879px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23180210\/strikeshark-campaign8.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120334\" class=\"size-full wp-image-120334\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23180210\/strikeshark-campaign8.png\" alt=\"Structure of the encrypted SyncRes.dat file showing the AES key, IV, and encrypted PE bytes\" width=\"869\" height=\"229\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23180210\/strikeshark-campaign8.png 869w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23180210\/strikeshark-campaign8-300x79.png 300w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23180210\/strikeshark-campaign8-768x202.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23180210\/strikeshark-campaign8-740x195.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/23180210\/strikeshark-campaign8-800x211.png 800w\" sizes=\"auto, (max-width: 869px) 100vw, 869px\"><\/a><\/p>\n<p id=\"caption-attachment-120334\" class=\"wp-caption-text\">Structure of the encrypted SyncRes.dat file showing the AES key, IV, and encrypted PE bytes<\/p>\n<\/div>\n<p>Similar to the decrypted <code>DscCoreR.mui<\/code> module, the decrypted <code>SyncRes.dat<\/code> file is also protected by an unknown custom packer. After decryption, the loader reflectively loads the PE image before transferring execution to the module\u2019s entry point.<\/p>\n<p>The entry point contains a packer stub responsible for unpacking the protected code in memory. Once the unpacking routine is complete, the malware invokes a specific exported function named <code>StartEngineData<\/code>, which serves as the primary execution routine of the third-stage DLL.<\/p>\n<p>Before continuing with the <code>DscCoreR.mui<\/code> analysis, we will first discuss <code>SyncRes.dat<\/code>.<\/p>\n<h3 id=\"syncres-dat-decrypted-dll-multiple-api-hooks\">SyncRes.dat decrypted DLL: Multiple API hooks<\/h3>\n<p>The decrypted and unpacked <code>SyncRes.dat<\/code> DLL is primarily responsible for installing multiple Windows API hooks by using the Microsoft Detours library. 
After attaching all detour hooks, it calls <code>DetourTransactionCommitEx<\/code> to apply them in one commit.<\/p>\n<p>The following table lists the hooked Windows APIs and their corresponding hook handler functions.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Hooked Windows APIs<\/strong><\/td>\n<td><strong>Detour function description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>CreateProcessA<\/td>\n<td>\n<ul>\n<li>Saves all original <code>CreateProcessA<\/code> parameters for use in the parent process ID (PPID) spoofing routine.<\/li>\n<li>Creates a new thread that executes the process creation routine responsible for PPID spoofing.\n<ul>\n<li>Falls back to the original <code>CreateProcessA<\/code> if the thread creation fails.<\/li>\n<\/ul>\n<\/li>\n<li>Identifies an <code>svchost.exe<\/code> process that has the same security context as the current SharkLoader process.<\/li>\n<li>Builds an extended startup attribute list to set the selected <code>svchost.exe<\/code> as the spoofed parent.<\/li>\n<li>Calls the original <code>CreateProcessA<\/code> with the modified parent attribute.<\/li>\n<\/ul>\n<p>As a result, any new process created by the current process (primarily from the Cobalt Strike beacon) is spawned under <code>svchost.exe<\/code> instead of the current module process.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>CreateProcessW<\/td>\n<td>\n<ul>\n<li>Saves all original <code>CreateProcessW<\/code> parameters for use in the PPID spoofing routine, which is executed through an APC-based mechanism rather than the dedicated thread used by the <code>CreateProcessA<\/code> API hook.<\/li>\n<li>Schedules a delayed process creation (10 microseconds) through APC execution using <code>CreateWaitableTimerW<\/code> and <code>SleepEx<\/code>.\n<ul>\n<li>The timer callback performs the <code>svchost.exe<\/code> PPID spoofing logic, similar to the <code>CreateProcessA<\/code> spoofing routine.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>As a result, new processes created via <code>CreateProcessW<\/code> by the current process (primarily from the Cobalt Strike 
beacon) are launched under <code>svchost.exe<\/code> through an APC-based execution mechanism.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>OpenProcessToken<\/td>\n<td>\n<ul>\n<li>Once hooked, the malware initializes <a href=\"https:\/\/code.google.com\/archive\/p\/jitasm\/\">jitasm<\/a> to construct a direct syscall stub for <code>NtOpenProcessToken<\/code> at runtime.<\/li>\n<li>Invokes <code>NtOpenProcessToken<\/code> through the constructed direct syscall stub, redirecting the original API (<code>OpenProcessToken<\/code>) call flow.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>AdjustTokenPrivileges<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtAdjustPrivilegesToken<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>OpenProcess<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtOpenProcess<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>WriteProcessMemory<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtWriteVirtualMemory<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NtCreateUserProcess<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtCreateUserProcess<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>LoadLibraryA<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a function that resolves the <code>LdrLoadDll<\/code> API using a ROR13-based API hashing algorithm.<\/li>\n<li>Uses the original parameters to invoke <code>LdrLoadDll<\/code> directly.<\/li>\n<li>If <code>LdrLoadDll<\/code> resolution or invocation fails, uses <code>CreateTimerQueue<\/code> and <code>CreateTimerQueueTimer<\/code> to schedule a 10-millisecond delayed execution of the original <code>LoadLibraryA<\/code>, with <code>CreateEventW<\/code> used for synchronization.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>GetModuleHandleA<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a custom function that resolves the module base 
address through the following steps:\n<ul>\n<li>Enumerates loaded modules within the current process using <code>CreateToolhelp32Snapshot<\/code>, <code>Module32FirstW<\/code>, and <code>Module32NextW<\/code>.<\/li>\n<li>Compares each enumerated module name with the module name provided in the API parameter.<\/li>\n<li>Returns the module base address if a match is found.<\/li>\n<\/ul>\n<\/li>\n<li>Falls back to the original <code>GetModuleHandleA<\/code> API if the custom resolution routine fails.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>GetModuleHandleW<\/td>\n<td>\n<ul>\n<li>Similar approach to the <code>GetModuleHandleA<\/code> API hooks above.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>GetProcAddress<\/td>\n<td>\n<ul>\n<li>The original <code>GetProcAddress<\/code> parameters are passed to the hook handler.<\/li>\n<li>The hook handler computes a Murmur32 hash of the requested function name.<\/li>\n<li>The hook handler parses the module\u2019s PE structure and locates the export table.<\/li>\n<li>Each exported function name is hashed using the same Murmur32 algorithm and compared against the previously generated hash.<\/li>\n<li>If a hash match is found, the corresponding function address is returned. If no match is found, the call falls back to the original <code>GetProcAddress<\/code>.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>LoadLibraryExA<\/td>\n<td>\n<ul>\n<li>The hook handler redirects the API call to its original address. 
In short, the hooked <code>LoadLibraryExA<\/code> calls the original <code>LoadLibraryExA<\/code> function.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>VirtualAllocEx<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtAllocateVirtualMemory<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>VirtualProtectEx<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtProtectVirtualMemory<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>VirtualProtect<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtProtectVirtualMemory<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>ResumeThread<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtResumeThread<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>GetThreadContext<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtGetContextThread<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>OpenThread<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtOpenThread<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NtCreateThread<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtCreateThread<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NtCreateThreadEx<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtCreateThreadEx<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NtQueueApcThread<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtQueueApcThread<\/code> syscall stub constructed by jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NtQueueApcThreadEx<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtQueueApcThreadEx<\/code> syscall stub constructed by 
jitasm.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>ExpandEnvironmentStringsA<\/td>\n<td>\n<ul>\n<li>The detour redirects the API to a custom function that creates a new thread. That thread executes a routine that calls the <code>ExpandEnvironmentStringsA<\/code> API.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>CreateFileMappingA<\/td>\n<td>\n<ul>\n<li>The detour redirects the API call to a custom function that creates a new thread. Within the thread, it initializes thread-pool and timer objects, sets a threadpool timer for 10 ms and a waitable timer for 0.1 ms, then calls <code>CreateFileMappingNumaA<\/code>.<\/li>\n<li>If thread creation fails, <code>CreateFileMappingNumaA<\/code> is called directly without creating a thread.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>MapViewOfFile<\/td>\n<td>\n<ul>\n<li>The detour redirects the API call to a custom function that creates a new thread. The thread runs a similar thread-pool and timer setup to the previous function, resolves <code>MapViewOfFileEx<\/code> via <code>GetProcAddress<\/code>, calls it with zeroed arguments, and stores the return value.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>UnmapViewOfFile<\/td>\n<td>\n<ul>\n<li>The detour redirects the API to a function that tries to run the unmap (same API) in a new thread.<\/li>\n<li>The thread creates an event and timer queue, schedules a callback after 10 ms to call <code>UnmapViewOfFile<\/code> and signal the event, then waits and cleans up.<\/li>\n<li>If thread creation fails, it calls <code>UnmapViewOfFile<\/code> directly.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NtMapViewOfSectionEx<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtMapViewOfSectionEx<\/code> syscall stub constructed by <code>jitasm<\/code>.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NtCreateNamedPipeFile<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtCreateNamedPipeFile<\/code> syscall stub constructed by 
<code>jitasm<\/code>.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NtReadFile<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtReadFile<\/code> syscall stub constructed by <code>jitasm<\/code>.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NtWriteFile<\/td>\n<td>\n<ul>\n<li>Redirects the API call to a direct <code>NtWriteFile<\/code> syscall stub constructed by <code>jitasm<\/code>.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>EtwEventWrite<\/td>\n<td>\n<ul>\n<li>The detour redirects <code>EtwEventWrite<\/code> to a stub that always returns 1, which prevents ETW logging.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>EventWriteEx<\/td>\n<td>\n<ul>\n<li>The detour redirects <code>EventWriteEx<\/code> to a function that always returns 0, which prevents ETW logging.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>EventWrite<\/td>\n<td>\n<ul>\n<li>The detour redirects <code>EventWrite<\/code> to a function that always returns 0, which prevents ETW logging.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Upon completing the installation of API hooks via the decrypted <code>SyncRes.dat<\/code>, the <code>DscCoreR.mui<\/code> DLL proceeds with the remaining functions, which are discussed below.<\/p>\n<h3 id=\"veh-registration-and-access-violation-handling\">VEH registration and access violation handling<\/h3>\n<p>Following the installation of the API hooks, the malware registers a Vectored Exception Handler (VEH) to monitor exceptions generated during runtime. The handler specifically checks for access violation exceptions (<code>0xC0000005<\/code>). When such an exception occurs, it retrieves the faulting memory address from the exception record and calls <code>VirtualProtect<\/code> to restore read, write, and execute (<code>RWX<\/code>) permissions to the corresponding memory page before resuming execution.<\/p>\n<p>During our analysis, no access violations were observed. 
It is possible that this mechanism is intended to handle access violations that may occur under specific runtime conditions.<\/p>\n<h3 id=\"thread-creation-for-cobalt-strike-beacon-execution\">Thread creation for Cobalt Strike Beacon execution<\/h3>\n<p>The malware creates a new thread in a suspended state that is intended to execute the Cobalt Strike Beacon shellcode. The thread entry point is configured to point to a memory buffer that will later contain the beacon shellcode.<\/p>\n<p>At this stage, the buffer does not yet contain the actual Cobalt Strike Beacon shellcode. Instead, the thread is created in a suspended state so that the malware can prepare and inject the shellcode into the buffer before execution. Once the beacon payload has been written into the buffer, the malware resumes the suspended thread using the <code>ResumeThread<\/code> API, which triggers the execution of the Cobalt Strike beacon.<\/p>\n<h3 id=\"minhook-dll-api-hooking-and-cobalt-strike-beacon\">MinHook DLL, API hooking, and Cobalt Strike beacon<\/h3>\n<p>After creating the suspended thread for beacon execution, the malware decompresses a zlib-compressed MinHook PE file embedded within <code>DscCoreR.mui<\/code>. Once the MinHook DLL is decompressed and loaded into memory, the malware resolves its exported functions <code>MH_Initialize<\/code> and <code>MH_CreateHook<\/code>, which are then used to install hooks on the <code>VirtualAlloc<\/code> and <code>Sleep<\/code> APIs.<\/p>\n<p>After the hooks are installed, the malware invokes a function that decompresses a zlib-compressed Cobalt Strike Beacon shellcode embedded within the malware. The function first decompresses the shellcode into a temporary buffer and then allocates executable memory using <code>VirtualAlloc<\/code> with RWX permissions. 
The decompressed beacon is subsequently copied into the allocated memory region.<\/p>\n<p>Because the <code>VirtualAlloc<\/code> API has already been hooked at this stage, the hook handler captures the address and size of the allocated memory used to store the beacon shellcode. The hook records the addresses and sizes of the first three successful memory allocations and stores these values in global variables to track specific memory regions allocated during execution. These tracked regions are associated with memory buffers used by the Cobalt Strike Beacon during runtime.<\/p>\n<p>The second hook, on the Sleep API, is used when Cobalt Strike Beacon calls Sleep, such as during beacon sleep intervals. It temporarily modifies the memory protection of the tracked allocation regions by using <code>VirtualProtect<\/code>, changing their protection to <code>PAGE_READWRITE (RW)<\/code> before invoking the original Sleep function. After the sleep period ends, the malware restores the memory protection of those regions to <code>PAGE_EXECUTE_READWRITE (RWX)<\/code>. 
This behavior suggests that the malware developer implemented this mechanism to evade memory scanning techniques that identify executable (<code>RWX<\/code>) code regions in memory.<\/p>\n<p>Finally, after the API hooks are installed and the Cobalt Strike Beacon shellcode has been written to the thread buffer, the malware calls the <code>ResumeThread<\/code> API to resume the suspended thread and begin execution of the beacon.<\/p>\n<h2 id=\"persistence-mechanism\">Persistence mechanism<\/h2>\n<p>While the analyzed SharkLoader implant does not contain a built-in persistence mechanism, particularly in cases where it is dropped after the exploitation of a public-facing application, our investigation revealed that the threat actor employs several techniques to maintain access to compromised systems.<\/p>\n<p><strong>Registry Run key<\/strong>: In the incident that affected an organization in Hong Kong, the attacker manually created a registry Run key to launch <code>SystemSettings.exe<\/code> upon user logon. The following command was used:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \/v \"MFUpdate\" \/t REG_SZ \/d \"$appdataIdentitiesSystemSettings.exe\" \/f<\/pre>\n<p>This technique allows the malware to automatically execute whenever the user logs in, ensuring persistent access.<\/p>\n<p><strong>Scheduled task<\/strong>: In the separate compromise that affected a diplomatic government entity in Indonesia, the attacker established persistence through a scheduled task configured to execute SharkLoader daily. 
The task, named <code>\"MicrosoftWindowsEdgeEdgeupdate\"<\/code>, was configured to run <code>C:ADriveLogs_LogsSystemSettings.exe<\/code> by using the following command:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">Schtasks \/create \/s \/u \"\" \/p \"\" \/ru \"SYSTEM\" \/tn \"MicrosoftWindowsEdgeEdgeupdate\" \/sc DAILY \/tr \"C:ADriveLogs_LogsSystemSettings.exe \/F\"<\/pre>\n<p>Running the task with SYSTEM privileges ensures that SharkLoader executes even if no user is logged in.<\/p>\n<h2 id=\"post-compromise-activity\">Post-compromise activity<\/h2>\n<p>Following initial compromise and persistence, the attacker engaged in extensive reconnaissance and credential theft activities.<\/p>\n<p><strong>System information enumeration<\/strong>: The attacker initially gathered basic system information by using the following commands:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">systeminfo\r\nipconfig \/all\r\ntasklist \/svc<\/pre>\n<p><strong>Post-exploitation tools<\/strong>: Our analysis revealed the use of several third-party post-exploitation tools, most of which are open-source and developed by Chinese-speaking developers. These tools included:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Tool name<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>FScan<\/td>\n<td>Network scanner tool with vulnerability exploitation modules<\/td>\n<\/tr>\n<tr>\n<td>Searchall<\/td>\n<td>Sensitive information search tool<\/td>\n<\/tr>\n<tr>\n<td>Pillager<\/td>\n<td>Information gathering tool<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>We also detected the threat actor using SharpGPOAbuse, a tool designed to modify Group Policy Objects within Active Directory environments.<\/p>\n<p><strong>Active Directory enumeration<\/strong>: In the compromise affecting a diplomatic government entity in Indonesia, the attacker used both Cobalt Strike and a webshell to enumerate the internal Active Directory environment. 
They executed a series of commands to gather information about the network, users, and groups:<\/p>\n<ul>\n<li><strong>Network information<\/strong>:\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">ping -n\r\nnetstat -ano\r\narp -a\r\nnet share<\/pre>\n<\/li>\n<li><strong>User and group information<\/strong>:\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">query user\r\nnslookup\r\nquser\r\nnet group \/domain<\/pre>\n<\/li>\n<li><strong>Specific group membership<\/strong>:\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">powershell \"Get-ADGroupMember -Identity \"\" -Recursive | Select-Object Name, ObjectClass\"\r\ndsquery group -name \"\" | dsget group -members -expand | dsget user -samid -display -email\"\r\npowershell \"Get-ADGroupMember -Identity \"\" -Recursive | Where-Object { $_.ObjectClass -eq \"computer\" } | Select-Object Name, SamAccountName\"\r\npowershell -exec bypass -c \"Get-ADUser -Filter * -Prop * | select sAMAccountName\r\nnet group \"Domain Controllers\" \/domain\r\nnet group \"Enterprise Admins\" \/domain\r\nnet group \"Organization Management\" \/domain\r\nnet group \"domain admins\" \/domain<\/pre>\n<\/li>\n<li><strong>Process enumeration<\/strong>:\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">tasklist \/SVC | findstr $selfname.exe<\/pre>\n<\/li>\n<li><strong>Directory listing<\/strong>:\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">dir \\c$\r\ndir \\c$inetpub\r\ndir \\c$inetpubcusterr\r\ndir \\c$inetpubwwwroot<\/pre>\n<\/li>\n<\/ul>\n<p><strong>Credential dumping<\/strong>: The attacker also attempted to dump credentials from the compromised machine by targeting both the LSASS process and the NTDS database file. 
The following commands were observed:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">ntdsutil \"ac i ntds\" \"ifm\" \"create full $temp\" q q\r\nProcdump64.exe -accepteula -ma lsass.exe $templsass.dmp<\/pre>\n<p>Dumping the LSASS process allows the attacker to extract in-memory credentials, while accessing the NTDS database enables retrieval of Active Directory account password hashes. This combination of techniques allows the attacker to obtain privileged credentials for lateral movement, privilege escalation, and deeper compromise.<\/p>\n<h2 id=\"victimology\">Victimology<\/h2>\n<p>The victimology observed in this campaign shows a combination of strategic and opportunistic characteristics. Confirmed victims include government-related entities, such as the ministry in Taiwan and the diplomatic organization in Indonesia, as well as software development companies in Taiwan, Lebanon, and Syria. Additional affected organizations were identified in Hong Kong, Colombia, Macedonia, Nepal, and Serbia.<\/p>\n<p>Targeting of government and software development organizations may indicate a cyber-espionage objective, although our confidence remains low due to the limited post-compromise activity observed, which primarily consisted of credential access, system reconnaissance, and lateral movement. The compromise of government and software development organizations could indicate an interest in gathering political intelligence or intellectual property.<\/p>\n<p>At the same time, the use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems. 
The absence of clear evidence of data exfiltration thus far does not exclude this possibility, as Cobalt Strike\u2019s file operation and data exfiltration modules could be employed at a later stage.<\/p>\n<p>Although the full scope of the campaign is not yet known, the combination of targeted and opportunistic activity suggests it should continue to be closely monitored.<\/p>\n<h2 id=\"attribution\">Attribution<\/h2>\n<p>Our investigation reveals no code or infrastructure overlap linking SharkLoader to any existing threat actor at this time. The TTPs employed during the operation also do not align with those of known actors.<\/p>\n<p>However, analysis of the post-exploitation open-source tools used during the campaign revealed that several reconnaissance tools, including FScan, Searchall, and Pillager, were developed by individuals identified as Chinese-speaking developers on GitHub.<\/p>\n<p>We assess with low confidence that StrikeShark is a Chinese-speaking threat actor. This assessment is based on limited indicators and should be considered preliminary. Further investigation is required to characterize this cluster more fully, and the possibility remains that other actors may also be utilizing these tools.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>Our investigation discovered a previously undocumented intrusion cluster that we are tracking as StrikeShark. The StrikeShark campaign represents a sophisticated malware threat to entities worldwide. The use of SharkLoader to deploy Cobalt Strike, coupled with API hook installation to evade detection, demonstrates a significant level of technical expertise. The campaign\u2019s broad targeting across sectors and geographic regions suggests a potential focus on espionage or information gathering. 
While the precise objectives remain under investigation, the combination of targeting government entities and software developers warrants heightened vigilance.<\/p>\n<p>Given that our visibility is limited to incidents observed through Kaspersky telemetry, we suspect the actual number of compromises may be significantly higher and extend beyond these victims, as the threat actor actively exploited several public-facing applications.<\/p>\n<h2 id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p>Additional information about this activity, including indicators of compromise, is available to customers of the <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence-reporting?icid=gl_sl_tip-lnk_sm-team_c09760866e96002e\" target=\"_blank\" rel=\"noopener\">Kaspersky Intelligence Reporting Service<\/a>. If you are interested, please contact <a href=\"mailto:intelreports@kaspersky.com\" target=\"_blank\" rel=\"noopener\">intelreports@kaspersky.com<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors. Our investigation revealed that SharkLoader serves [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[575,90,1330,99,232,233,1332,1331,249,242,257],"tags":[91],"class_list":["post-3831","post","type-post","status-publish","format-standard","hentry","category-cobaltstrike","category-cybersecurity","category-dll-hijacking","category-malware","category-malware-descriptions","category-malware-technologies","category-sharkloader","category-strikeshark","category-targeted-attacks","category-vulnerabilities","category-windows-malware","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Introduction During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors. Our investigation revealed that SharkLoader serves [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-24T10:04:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"26 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader\",\"datePublished\":\"2026-06-24T10:04:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/\"},\"wordCount\":4838,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"CobaltStrike\",\"Cybersecurity\",\"DLL hijacking\",\"Malware\",\"Malware descriptions\",\"Malware Technologies\",\"SharkLoader\",\"StrikeShark\",\"Targeted attacks\",\"Vulnerabilities\",\"Windows malware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/\",\"name\":\"StrikeShark: investigating a new campaign 
delivering Cobalt Strike through SharkLoader - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg\",\"datePublished\":\"2026-06-24T10:04:05+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#primaryimage\",\"url\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg\",\"contentUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https
:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/","og_locale":"en_US","og_type":"article","og_title":"StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader - Imperative Business Ventures Limited","og_description":"Introduction During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors. Our investigation revealed that SharkLoader serves [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-06-24T10:04:05+00:00","og_image":[{"url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. 
reading time":"26 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader","datePublished":"2026-06-24T10:04:05+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/"},"wordCount":4838,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg","keywords":["Cybersecurity"],"articleSection":["CobaltStrike","Cybersecurity","DLL hijacking","Malware","Malware descriptions","Malware Technologies","SharkLoader","StrikeShark","Targeted attacks","Vulnerabilities","Windows malware"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/","name":"StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader - Imperative Business Ventures 
Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg","datePublished":"2026-06-24T10:04:05+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#primaryimage","url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg","contentUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/24085803\/SL-StrikeShark-featured-990x400.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/24\/strikeshark-investigating-a-new-campaign-delivering-cobalt-strike-through-sharkloader\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"StrikeShark: investigating a new campaign delivering Cobalt Strike through 
SharkLoader"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=3831"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3831\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=3831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=3831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp
-json\/wp\/v2\/tags?post=3831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}