EXECUTIVE SUMMARY
An intrusion cluster tracked as StrikeShark is actively deploying a malware loader named SharkLoader to install Cobalt Strike Beacons within targeted networks. This threat group focuses on government entities, diplomatic organizations, and software development companies across Asia, Europe, the Middle East, and Latin America. By combining opportunistic exploitation of exposed infrastructure with custom droppers, the attackers aim to establish a persistent foothold for intelligence gathering. Their primary objectives appear to be system reconnaissance, credential theft, and lateral movement rather than immediate data destruction or financial extortion.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY
An intrusion cluster tracked as StrikeShark is actively deploying a malware loader named SharkLoader to install Cobalt Strike Beacons within targeted networks. This threat group focuses on government entities, diplomatic organizations, and software development companies across Asia, Europe, the Middle East, and Latin America. By combining opportunistic exploitation of exposed infrastructure with custom droppers, the attackers aim to establish a persistent foothold for intelligence gathering. Their primary objectives appear to be system reconnaissance, credential theft, and lateral movement rather than immediate data destruction or financial extortion.[emaillocker id="1283"]
The attackers gain initial access by exploiting vulnerabilities in internet-facing applications or distributing malicious files disguised as legitimate software installers. Once inside, the malware uses DLL side-loading to execute code under the guise of trusted Windows processes. SharkLoader runs entirely in memory through multiple encrypted stages, employing reflective loading and direct system calls to evade detection. This method allows the operators to deploy Cobalt Strike Beacon without leaving traces on the disk, maintaining control through scheduled tasks while manipulating system APIs to hide their activity.
This campaign poses a significant risk because the malware operates entirely in memory, bypassing traditional file-based signature scans and complicating forensic analysis. The use of custom encryption and API hooking allows the threat actor to remain undetected for extended periods, facilitating deep network infiltration. Defenders should prioritize patching internet-facing applications immediately and rigorously monitor for suspicious process activity. Organizations must also maintain offline backups and employ behavioral analysis to detect anomalous memory usage or unexpected system modifications that indicate such stealthy intrusions.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Persistence | T1053.003 | Scheduled Task/Job | Cron |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1574.001 | Hijack Execution Flow | DLL Search Order Hijacking |
| Privilege Escalation | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Defense Evasion | T1027.001 | Obfuscated Files or Information | Binary Padding |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Credential Access | T1003.003 | OS Credential Dumping | NTDS |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
REFERENCES:
The reports contain further technical details:
https://blog.polyswarm.io/sharkloader-emerges-as-stealthy-cobalt-strike-delivery-framework
https://cybersecuritynews.com/hackers-use-fake-cisco-anyconnect-and-google-update-installers/