SharkLoader Malware Deploys Cobalt Strike Beacon via DLL Side-Loading in StrikeShark Campaign — Threadlinqs Intelligence
Threat ID: TL-2026-0961 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: Unknown (Chinese-speaking) · ESPIONAGE
A previously undocumented loader malware dubbed SharkLoader, tracked by Kaspersky GReAT as the StrikeShark campaign, deploys Cobalt Strike Beacon against diplomatic missions, government agencies, and
The StrikeShark campaign, documented by Kaspersky's Global Research and Analysis Team (GReAT) in June 2026, centers on a custom-developed loader named SharkLoader. Initial discovery occurred during an incident response investigation of a compromised diplomatic organization in Indonesia; subsequent analysis expanded confirmed victims to nine countries: Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. Targeted sectors include government agencies, diplomatic missions, and software development companies, consistent with an espionage-motivated operator.
SharkLoader's infection chain begins with exploitation of unpatched internet-facing services. The campaign uses at least thirteen distinct CVEs for initial access, covering a broad range of enterprise products: Microsoft Exchange (ProxyLogon CVE-2021-26855, ProxyNotShell CVE-2022-41082), Microsoft SharePoint (CVE-2021-27076), Fortinet FortiOS (CVE-2022-40684, CVE-2024-21762), Cisco IOS XE (CVE-2023-20198), F5 BIG-IP (CVE-2023-46747), Hikvision cameras (CVE-2021-36260), Zimbra (CVE-2022-27925), Openfire (CVE-2023-32315), GeoServer (CVE-2024-36401), Apache Shiro (CVE-2016-4437), and React Server Components (CVE-2025-55182). Publicly available PoC exploit code exists for all thirteen vulnerabilities. In addition to CVE exploitation, the threat actor uses custom dropper executables masquerading as legitimate software installers — notably a fake Cisco AnyConnect VPN installer (extracting to %APPDATA%\reports\AnyConnect-win-4.msi), fake Google Update packages, and decoy PDF documents (engineering blueprints, biological treatment guides) — to deliver SharkLoader in phishing scenarios.
SharkLoader's core evasion technique is 'Perfect DLL Hijacking,' exploiting the Windows DLL Loader Lock. The malicious SystemSettings.dll is sideloaded by the legitimate Windows binary SystemSettings.exe (copied from C:\Windows\ImmersiveControlPanel\). During DllMain execution — normally restricted by the Loader Lock from calling most APIs — SharkLoader employs a Loader Lock escape mechanism to safely spawn threads and execute its full payload decryption and injection logic. The loader decrypts two encrypted modules from disk: DscCoreR.mui (Cobalt Strike Beacon bundled with MinHook, encrypted with Blowfish ECB using a 16-byte key embedded in the file header with custom P-array and S-box constants) and SyncRes.dat (API hook installer compiled against Microsoft Detours, encrypted with AES-128 where the first 16 bytes are the key and bytes 17-32 are the IV). Both modules are decrypted and reflectively loaded entirely in-memory, leaving no Cobalt Strike binary on disk.
SyncRes.dat installs hooks on over 30 Windows API functions including VirtualAlloc, Sleep, EtwEventWrite, CreateProcessA/W, WriteProcessMemory, NtCreateUserProcess, NtCreateThread, NtCreateThreadEx, NtQueueApcThread, VirtualAllocEx, VirtualProtect, VirtualProtectEx, ResumeThread, GetThreadContext, GetModuleHandleA/W, GetProcAddress, LoadLibraryA, OpenProcess, OpenProcessToken, AdjustTokenPrivileges, and OpenThread. The VirtualAlloc and Sleep hooks defeat timing-based memory scanner heuristics, while the EtwEventWrite hook suppresses ETW event logging to blind endpoint detection tools. jitasm-based syscall-level redirections provide an additional layer of behavioral evasion. Cobalt Strike Beacon is injected into a suspended thread with Parent Process ID (PPID) spoofing to masquerade as svchost.exe, and execution is withheld until all hooks are active.
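The hooks SyncRes.dat installs are inline, Detours-style patches, and those leave a tell in memory: the first bytes of the hooked export are overwritten with a jump to a trampoline or, for a neutered function such as EtwEventWrite, with a short return stub. The Python below is an added example written for this page; it is not code from the report, from Kaspersky, or from Threadlinqs. classify_prologue is pure byte logic and is exercised on constructed byte strings; the Windows-only read_prologue helper, which samples live prologues through GetModuleHandleW and GetProcAddress via ctypes, is this example's assumption about how an analyst would collect them from a process under investigation. On x64 Windows some kernel32 exports legitimately begin with an indirect jump into KernelBase, so a hit is a triage signal to compare against a clean reference, not proof of tampering.

```python
"""Spot-check for inline hooks on the APIs SharkLoader's SyncRes.dat module patches.

Added example for this page; not code from the report. read_prologue (Windows
only) is an assumption about how an analyst would sample live function
prologues; classify_prologue is plain byte-pattern logic.
"""
from __future__ import annotations

import ctypes
import sys

# Subset of the hooked APIs named in the report, keyed by the module that exports them.
HOOKED_APIS = {
    "ntdll.dll": ["EtwEventWrite", "NtCreateThreadEx", "NtQueueApcThread", "NtCreateUserProcess"],
    "kernel32.dll": ["VirtualAlloc", "Sleep", "WriteProcessMemory", "VirtualProtect", "OpenProcess"],
}


def classify_prologue(code: bytes) -> str | None:
    """Label the first bytes of a function if they look like a detour or a kill stub.

    Returns None when offset 0 holds nothing suspicious. Patterns covered:
    E9 rel32 (the usual x64 trampoline jump), FF 25 (jmp [rip+disp32]),
    68 imm32 ; C3 (push/ret), C3 (bare ret), and 31 C0 C3 / 33 C0 C3
    (xor eax,eax ; ret, the classic "report success, do nothing" ETW stub).
    """
    if code[:1] == b"\xe9":
        return "jmp_rel32"
    if code[:2] == b"\xff\x25":
        return "jmp_indirect"
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":
        return "push_ret"
    if code[:1] == b"\xc3":
        return "ret_stub"
    if code[:3] in (b"\x31\xc0\xc3", b"\x33\xc0\xc3"):
        return "xor_eax_ret_stub"
    return None


def read_prologue(module: str, func: str, length: int = 16) -> bytes:
    """Windows only: copy the first bytes of an exported function from this process."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    handle = k32.GetModuleHandleW(module)
    if not handle:
        raise OSError(f"{module} is not loaded")
    addr = k32.GetProcAddress(handle, func.encode("ascii"))
    if not addr:
        raise OSError(f"{module}!{func} not found")
    return ctypes.string_at(addr, length)


def scan_prologues(prologues: dict[str, bytes]) -> dict[str, str]:
    """Run classify_prologue over {"module!func": bytes} and keep only the hits."""
    hits: dict[str, str] = {}
    for name, code in prologues.items():
        label = classify_prologue(code)
        if label:
            hits[name] = label
    return hits


def sample_live_process() -> dict[str, bytes]:
    """Collect prologues of HOOKED_APIS from the current process (empty off Windows)."""
    if sys.platform != "win32":
        return {}
    out: dict[str, bytes] = {}
    for module, funcs in HOOKED_APIS.items():
        for func in funcs:
            try:
                out[f"{module}!{func}"] = read_prologue(module, func)
            except OSError:
                pass
    return out


# Constructed prologues standing in for a memory sample; not bytes taken from any real binary.
CONSTRUCTED_SAMPLE = {
    # shaped like an unhooked x64 syscall stub: mov r10,rcx ; mov eax,imm32 ; test ...
    "ntdll.dll!NtCreateThreadEx": bytes.fromhex("4c8bd1b8c1000000f604250803fe7f0175"),
    # patched with a rel32 jump to a trampoline (the disp32 here is arbitrary)
    "ntdll.dll!NtQueueApcThread": bytes.fromhex("e944332211cccccccccccc"),
    # EtwEventWrite neutered with xor eax,eax ; ret
    "ntdll.dll!EtwEventWrite": bytes.fromhex("33c0c3cccccccccc"),
    # an ordinary prologue: mov [rsp+8],rbx ; push rdi ; sub rsp,20h
    "kernel32.dll!Sleep": bytes.fromhex("48895c2408574883ec20"),
}

if __name__ == "__main__":
    for name, label in scan_prologues(CONSTRUCTED_SAMPLE).items():
        print(f"{name}: {label}")
    live = scan_prologues(sample_live_process())
    print("live hits:", live or "none (or not running on Windows)")
```

Run on a Windows host the script compares the process it runs in, which is useful only for processes you can load the script into; for a suspect process an analyst would instead feed scan_prologues the bytes read from a memory dump at each export's address and diff the hits against the same exports on a known-clean build.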
Persistence is achieved via three scheduled tasks and a registry Run key. Scheduled task 1 ('OneDrive Standalone Update Task-S-1-5-21-4165425321-4153752593-2322023643-1000') triggers every five minutes for long-term persistence; task 2 ('MicrosoftUpdateTaskUserS-1-5-32-2456537112-101246289-228944324-1000') fires every second immediately post-deployment and self-removes; task 3 ('\Microsoft\Windows\Edge\Edgeupdate') runs daily. The registry Run key (HKCU\SOFTWARE\Micro
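The side-loading chain (a copy of SystemSettings.exe run from outside its system directory, loading a SystemSettings.dll next to it) and the scheduled-task names listed above both translate directly into hunting logic. The Python below is an added example written for this page, not Threadlinqs' detection rules and not code from Kaspersky's report. The event shape (dicts in a Sysmon/Security-log style with EventID 1 process creation, 7 image load and 4698 task creation), the sample events, the placement of the copied host under the %APPDATA%\reports staging directory the report mentions, and the SID-tolerant task-name regexes are all constructions of this example; it also assumes the genuine SystemSettings.exe and SystemSettings.dll live only under C:\Windows\ImmersiveControlPanel.

```python
"""Hunting checks for SharkLoader's side-loading host and its scheduled-task persistence.

Added example for this page; not Threadlinqs' detection rules and not code
from Kaspersky's report. Events are plain dicts in a Sysmon/Security-log style
(EventID 1 process create, 7 image load, 4698 task created); the shapes and the
sample events are constructed for this example.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Assumption: the genuine SystemSettings.exe and its SystemSettings.dll live only here.
LEGIT_DIR = r"c:\windows\immersivecontrolpanel"
SIDELOAD_HOST = "systemsettings.exe"
SIDELOAD_DLL = "systemsettings.dll"

# Task names quoted in the report. The SID suffixes are matched loosely so the
# same tradecraft on another host (different SID) still fires; the regexes are
# this example's generalisation, not the report's.
TASK_PATTERNS = [
    re.compile(r"^OneDrive Standalone Update Task-S-1-5-21(?:-\d+){4}$", re.I),
    re.compile(r"^MicrosoftUpdateTaskUserS-1-5-32(?:-\d+){4}$", re.I),
    re.compile(r"^\\Microsoft\\Windows\\Edge\\Edgeupdate$", re.I),
]
# Pulls the task name out of a schtasks /create command line (quoted or bare).
SCHTASKS_TN = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class Alert:
    rule: str
    detail: str


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def _in_legit_dir(path: str) -> bool:
    return _norm(ntpath.dirname(path)) == LEGIT_DIR


def check_process_create(ev: dict) -> Alert | None:
    """EID 1: SystemSettings.exe executing from anywhere but its system directory."""
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() != SIDELOAD_HOST or _in_legit_dir(image):
        return None
    return Alert("sharkloader_relocated_host",
                 f"{image} (parent {ev.get('ParentImage', '?')})")


def check_image_load(ev: dict) -> Alert | None:
    """EID 7: a SystemSettings.dll loaded from outside the system directory."""
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != SIDELOAD_DLL or _in_legit_dir(loaded):
        return None
    return Alert("sharkloader_dll_sideload", f"{ev.get('Image', '?')} loaded {loaded}")


def check_task_create(ev: dict) -> Alert | None:
    """4698 TaskName, or an EID 1 schtasks /create command line, naming a known task."""
    name = ev.get("TaskName")
    if name is None:
        m = SCHTASKS_TN.search(ev.get("CommandLine", ""))
        name = (m.group(1) or m.group(2)) if m else ""
    if any(p.match(name) for p in TASK_PATTERNS):
        return Alert("sharkloader_scheduled_task", name)
    return None


def hunt(events: list[dict]) -> list[Alert]:
    """Dispatch each event to the checks relevant to its EventID, in input order."""
    alerts: list[Alert] = []
    for ev in events:
        checks = {1: (check_process_create, check_task_create),
                  7: (check_image_load,),
                  4698: (check_task_create,)}.get(ev.get("EventID"), ())
        for check in checks:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events: two benign Settings-app events, a relocated host with
# its side-loaded DLL, two task creations matching the report, and one unrelated task.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\ImmersiveControlPanel\SystemSettings.dll"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\reports\SystemSettings.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\reports\SystemSettings.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\reports\SystemSettings.dll"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Edge\Edgeupdate"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 5 /tn "OneDrive Standalone Update Task-'
                    'S-1-5-21-4165425321-4153752593-2322023643-1000" /tr C:\\ProgramData\\x.exe'},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The relocated-host rule is the one worth prioritising: a Windows system binary executing from a user-writable directory is rare in normal telemetry, whereas the task-name rules only catch this campaign's exact naming and should be paired with a generic rule for tasks created with very short repeat intervals.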
Weaknesses (CWE)
CWE-918, CWE-22, CWE-78, CWE-502, CWE-287, CWE-94, CWE-434
Target sectors: government administration, diplomatic, software-development
Target regions: Asia, Middle East, Latin America, Europe
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 30 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: MALWARE, HIGH, threat intelligence, cybersecurity, CVE-2021-26855, CVE-2023-32315, CVE-2024-36401, CVE-2016-4437, CVE-2021-36260, CVE-2021-27076, CVE-2022-27925, CVE-2022-41082, CVE-2023-46747, CVE-2024-21762, T1595, T1590, T1588, T1583, T1190, T1566, T1106, T1129, T1059, T1547