VYPR research
Published Jun 24, 2026 · 1 source

StrikeShark Campaign Uses Novel SharkLoader Malware to Deliver Cobalt Strike Across Multiple Sectors

Kaspersky uncovered StrikeShark, a campaign deploying the new SharkLoader malware to deliver Cobalt Strike Beacon via exploits targeting Exchange, Openfire, GeoServer, and other internet-facing applications.

Kaspersky researchers have uncovered a previously undocumented malware family, dubbed SharkLoader, at the center of a broad campaign they are tracking as StrikeShark. The campaign, first detected during an investigation into a diplomatic organization in Indonesia, has since expanded to target government entities, software development firms, and other organizations across at least ten countries, including Taiwan, Colombia, Lebanon, Syria, and Nepal. SharkLoader functions as a loader designed to deploy Cobalt Strike Beacon on compromised systems, enabling the threat actor to conduct post-exploitation activities such as lateral movement, data exfiltration, and persistent access.

The threat actor gains initial access primarily by exploiting vulnerabilities in internet-facing applications. Kaspersky observed the use of exploits for CVE-2021-26855 (ProxyLogon) on Microsoft Exchange, CVE-2023-32315 on Openfire, and CVE-2024-36401 on GeoServer, among others. Additional vulnerabilities targeted include those affecting Apache Shiro (CVE-2016-4437), Hikvision products (CVE-2021-36260), Microsoft SharePoint (CVE-2021-27076), Zimbra Collaboration Suite (CVE-2022-27925), Microsoft Exchange Server (CVE-2022-41082), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2024-21762 and CVE-2022-40684), Cisco IOS XE Web UI (CVE-2023-20198), and React Server Components (CVE-2025-55182). The researchers assess with medium confidence that the actor relies on publicly available proof-of-concept exploits, as all identified vulnerabilities have public exploit code available on platforms like GitHub.

Following exploitation, the attacker establishes persistence by deploying webshells on compromised servers. Although the webshell files themselves were not recovered, observed command execution strongly indicates their use. In one case, the attacker copied the legitimate Windows application SystemSettings.exe to a new directory and executed it, abusing it as part of a DLL sideloading chain to launch SharkLoader hidden in a malicious SystemSettings.dll library. The attacker also used directory names mimicking security product vendors, such as "KasperskyLab," to appear legitimate. In some instances, the actor distributed SharkLoader through custom dropper executables masquerading as legitimate software installers, including Google Update and Cisco AnyConnect, though the exact delivery mechanism for these droppers remains unknown.

The victimology of StrikeShark is notably diverse, spanning diplomatic, government, and software development organizations across multiple regions. Kaspersky identified victims in Indonesia, Taiwan, Colombia, Hong Kong, Lebanon, Syria, North Macedonia, Nepal, Serbia, and other countries. The broad geographic and sectoral spread suggests an opportunistic campaign rather than a narrowly targeted one. One IP address associated with the campaign's command-and-control infrastructure was also observed conducting internet-wide scanning, likely to identify and exploit vulnerable systems at scale.

Attribution for StrikeShark remains preliminary. The operators use several open-source post-compromise tools associated with Chinese-speaking developers, but Kaspersky found no direct code reuse, infrastructure overlap, or operational similarity to confidently link the activity to any known advanced persistent threat (APT) group or cybercrime gang. The campaign's ultimate objectives are still under investigation, though the use of Cobalt Strike Beacon points toward espionage or data theft as likely goals.

The discovery of SharkLoader adds to the growing ecosystem of malware loaders used to deliver Cobalt Strike, a legitimate penetration testing tool frequently abused by threat actors. The campaign's reliance on publicly available exploits and its broad victim set highlight the importance of patching known vulnerabilities in internet-facing applications, particularly those with public exploit code. Organizations running Microsoft Exchange, Openfire, GeoServer, or any of the other affected products should prioritize applying available security updates and monitoring for signs of webshell deployment or unusual DLL sideloading activity.
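The sideloading chain described above (a copied SystemSettings.exe launched from a new directory so that it picks up a malicious SystemSettings.dll beside it) and the monitoring advice in this paragraph can be turned into a simple hunt. The following is an added example, not code from Kaspersky or the original write-up; it assumes Sysmon-style process-create and image-load events, that the legitimate SystemSettings.exe lives under C:\Windows\ImmersiveControlPanel on a stock Windows install, and uses constructed log lines.

```python
"""Hunt for the SystemSettings.exe sideloading chain: a copy of the legitimate
binary executed from a non-standard directory that loads SystemSettings.dll
from that same directory. Log lines below are constructed, Sysmon-like events."""
import ntpath
from typing import Dict, List, Tuple

# Assumption: on a stock Windows install the signed binary lives here.
EXPECTED_DIR = r"c:\windows\immersivecontrolpanel"
TARGET_EXE = "systemsettings.exe"
SIDELOAD_DLL = "systemsettings.dll"
# Directory-name lure named in the report; extend with other vendor names.
VENDOR_LURES = ("kasperskylab",)

SAMPLE_EVENTS = [  # constructed: EventId 1 = process create, 7 = image load
    r"EventId=1|Image=C:\Windows\ImmersiveControlPanel\SystemSettings.exe|ParentImage=C:\Windows\explorer.exe",
    r"EventId=1|Image=C:\ProgramData\KasperskyLab\SystemSettings.exe|ParentImage=C:\Windows\System32\cmd.exe",
    r"EventId=7|Image=C:\ProgramData\KasperskyLab\SystemSettings.exe|ImageLoaded=C:\ProgramData\KasperskyLab\SystemSettings.dll",
    r"EventId=7|Image=C:\Windows\ImmersiveControlPanel\SystemSettings.exe|ImageLoaded=C:\Windows\System32\ntdll.dll",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse a 'Key=Value|Key=Value' line into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip()
            for k, v in (f.split("=", 1) for f in line.split("|") if "=" in f)}


def find_sideload_indicators(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for events matching the sideloading chain."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        image_dir, image_name = ntpath.split(ev.get("image", "").lower())
        if image_name != TARGET_EXE or image_dir == EXPECTED_DIR:
            continue  # not the abused binary, or running from its legitimate location
        if ev.get("eventid") == "1":
            findings.append(("nonstandard_path", ev["image"]))
            if any(lure in image_dir for lure in VENDOR_LURES):
                findings.append(("vendor_lure", image_dir))
        elif ev.get("eventid") == "7":
            dll_dir, dll_name = ntpath.split(ev.get("imageloaded", "").lower())
            if dll_name == SIDELOAD_DLL and dll_dir == image_dir:
                findings.append(("sideload", ev["imageloaded"]))
    return findings


if __name__ == "__main__":
    for kind, detail in find_sideload_indicators(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```

The same two conditions (relocated copy of a signed binary, DLL loaded from the copy's own directory) generalize to other sideloading victims by changing TARGET_EXE, SIDELOAD_DLL and EXPECTED_DIR.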

Kaspersky has released indicators of compromise (IoCs) and detection rules for the StrikeShark campaign, enabling defenders to identify SharkLoader infections. The researchers continue to monitor the activity and will provide updates as more information becomes available. The campaign serves as a reminder that even unsophisticated threat actors can achieve broad impact by chaining together publicly available exploits and open-source tools.

Synthesized by Vypr AI