SharkLoader Malware Campaign Uses Fake Cisco AnyConnect and Google Update Installers to Deploy Cobalt Strike — Threadlinqs Intelligence
Threat ID: TL-2026-1101 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: StrikeShark · China · ESPIONAGE
A malware loader dubbed SharkLoader, part of a campaign cluster tracked as StrikeShark, is distributed via trojanized installers spoofing Cisco AnyConnect and Google Update as well as opportunistic
SharkLoader is a previously undocumented, multi-stage Windows malware loader used by a threat activity cluster tracked as StrikeShark to deliver Cobalt Strike Beacon against government, diplomatic, and software-development targets across Indonesia (the initial discovery point, a diplomatic organization), Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. StrikeShark uses two parallel initial-access paths: opportunistic exploitation of at least twelve publicly known vulnerabilities in internet-facing software (Microsoft Exchange ProxyLogon CVE-2021-26855, SharePoint CVE-2021-27076, Openfire CVE-2023-32315, GeoServer CVE-2024-36401, Apache Shiro CVE-2016-4437, F5 BIG-IP CVE-2023-46747, Fortinet FortiOS CVE-2024-21762 and CVE-2022-40684, Cisco IOS XE CVE-2023-20198, React Server Components/Next.js CVE-2025-55182 'React2Shell', Microsoft Exchange ProxyNotShell CVE-2022-41082, Zimbra Collaboration Suite CVE-2022-27925, and Hikvision IP camera/NVR firmware CVE-2021-36260), and dropper-based distribution through trojanized installers masquerading as Cisco AnyConnect VPN and Google Update, which display a legitimate decoy installer while silently staging SharkLoader components under %APPDATA%\xwreg, %APPDATA%\xgdf, or %APPDATA%\reports\AnyConnect-win-4.msi. Some droppers additionally embed decoy PDF documents themed around a liquid rocket engine design and a biological wastewater treatment process (staged under %TEMP%\aswerf) to convince targets the installer is benign, while alternate builds drop artifacts named GameInputInboxs32.mui, diagerr.xml, NtfsLog.etl, Ignored.Dat, and VistaCompat.nls to blend in with legitimate Windows files. Following initial exploitation of some of the public-facing vulnerabilities above, operators have also been observed deploying web shells for persistent access prior to pivoting to SharkLoader/Cobalt Strike deployment.
SharkLoader's core technique is DLL side-loading: it hijacks the legitimate Windows binary SystemSettings.exe (also staged from C:\Windows\ImmersiveControlPanel\, C:\ProgramData\, or C:\ADriveLogs_Logs\) to load a malicious SystemSettings.dll, which decrypts and loads two additional payloads -- DscCoreR.mui (Blowfish-ECB encrypted, containing the Cobalt Strike Beacon and the MinHook library) and SyncRes.dat (AES-128 encrypted, containing over 40 Microsoft Detours API hooks). The loader implements 'Perfect DLL Hijacking,' resolving undocumented ntdll.dll structures (LdrpLoaderLock, LdrpWorkInProgress) to manipulate the Windows loader's internal lock state and permit thread creation from within DllMain despite the active loader lock, bypassing conventional loader-lock safety checks. Alternate side-loading variants observed use msedge.dll, PrintDialog.dll, and miracastview.dll with their corresponding legitimate host applications.
Once loaded, SyncRes.dat's API hooks redirect CreateProcessA/W (capturing parameters for later parent-process-ID spoofing), VirtualAlloc/VirtualProtect and related memory APIs to direct NtAllocateVirtualMemory/NtProtectVirtualMemory syscalls generated via the jitasm JIT assembler library (bypassing userland hooks placed by security products), LoadLibrary/GetProcAddress resolution via ROR13 and Murmur32 API hashing, and stub out EtwEventWrite/EventWrite/EventWriteEx to blind Event Tracing for Windows. SharkLoader further registers a Vectored Exception Handler (VEH) to intercept deliberate access-violation (0xC0000005) faults and redirect execution flow, frustrating debuggers and static disassembly, and schedules payload continuation via APC-based delayed execution (CreateWaitableTimerW/SleepEx) rather than direct Sleep calls to frustrate sandbox and dynamic-analysis timeouts. A VirtualAlloc/Sleep hook pair tracks the first three memory allocations used for Beacon shellcode and toggles their protection from PAGE_EXECUTE_READWRITE to PAGE_READWRITE before each sleep cycle, restoring RWX afterward, defeating memory scanners that hunt for
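A defender-side hunting example written for this advisory (not code from Threadlinqs or from the SharkLoader samples): it runs simple rules over constructed Sysmon-style events to flag the host-binary, side-loaded-DLL, and staging-path artifacts the text describes. The event field names (event_id, image, image_loaded, target_filename, signed) are a constructed schema, and the only legitimate location for SystemSettings.exe is assumed to be C:\Windows\ImmersiveControlPanel.

```python
# Assumed legitimate home of SystemSettings.exe; anything else is suspect.
LEGIT_HOST_DIR = r"c:\windows\immersivecontrolpanel"
# DLL names the advisory reports being side-loaded by SharkLoader.
SIDELOADED_DLLS = {"systemsettings.dll", "msedge.dll", "printdialog.dll", "miracastview.dll"}
# Staging directories named in the advisory (matched case-insensitively as substrings).
STAGING_MARKERS = (r"\appdata\roaming\xwreg", r"\appdata\roaming\xgdf",
                   r"\appdata\roaming\reports\anyconnect-win-4.msi",
                   "\\aswerf\\", "\\adrivelogs_logs\\")
# Decoy/payload file names the advisory lists.
ARTIFACT_NAMES = {"gameinputinboxs32.mui", "diagerr.xml", "ntfslog.etl",
                  "ignored.dat", "vistacompat.nls", "dsccorer.mui", "syncres.dat"}

def _dir_and_name(path):
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    d, _, n = path.lower().rpartition("\\")
    return d, n

def check_event(ev):
    """Return finding strings for one event dict in the constructed Sysmon-like schema."""
    findings = []
    if ev["event_id"] == 1:  # process creation
        d, n = _dir_and_name(ev["image"])
        if n == "systemsettings.exe" and d != LEGIT_HOST_DIR:
            findings.append(f"SystemSettings.exe launched from non-standard dir {d}")
    elif ev["event_id"] == 7:  # image (DLL) load
        d, n = _dir_and_name(ev["image_loaded"])
        if n in SIDELOADED_DLLS and not ev.get("signed", False):
            findings.append(f"unsigned {n} loaded by {ev['image']} from {d}")
    elif ev["event_id"] == 11:  # file create
        p = ev["target_filename"].lower()
        _, n = _dir_and_name(p)
        if any(m in p for m in STAGING_MARKERS) or n in ARTIFACT_NAMES:
            findings.append(f"staging artifact written: {p}")
    return findings

def scan(events):
    """Run check_event over a sequence of events and collect every finding."""
    return [f for ev in events for f in check_event(ev)]

# Constructed sample telemetry: three malicious-looking events and two benign ones.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\ProgramData\SystemSettings.exe"},
    {"event_id": 7, "image": r"C:\ProgramData\SystemSettings.exe",
     "image_loaded": r"C:\ProgramData\SystemSettings.dll", "signed": False},
    {"event_id": 11, "image": r"C:\Users\u\AppData\Local\Temp\AnyConnect-Setup.exe",
     "target_filename": r"C:\Users\u\AppData\Roaming\xwreg\DscCoreR.mui"},
    {"event_id": 1, "image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe"},
    {"event_id": 7, "image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The same three checks map directly onto Sysmon event IDs 1, 7 and 11 in a SIEM query, where the signature field rather than the path should carry most of the weight for the DLL-load rule.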
Weaknesses (CWE)
CWE-918, CWE-502, CWE-22, CWE-94, CWE-288, CWE-787, CWE-306, CWE-284, CWE-798, CWE-78
Target sectors: government administration, diplomatic, software development, technology
Target regions: Southeast Asia, East Asia, South Asia, Middle East, Balkans, Latin America
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 44 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: MALWARE, HIGH, threat intelligence, cybersecurity, CVE-2021-26855, CVE-2021-27076, CVE-2023-32315, CVE-2024-36401, CVE-2016-4437, CVE-2023-46747, CVE-2024-21762, CVE-2022-40684, CVE-2023-20198, CVE-2025-55182
MITRE ATT&CK techniques: T1595, T1583, T1587, T1588, T1608, T1190, T1204, T1059, T1053, T1106