Threat Advisory

SharkLoader Emerges As Stealthy Cobalt Strike Framework

Threat: Malware Campaign
Threat Actor Name: StrikeShark
Targeted Region: Global
Targeted Sector: Technology & IT, Government & Defense
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY

An intrusion cluster tracked as StrikeShark is actively deploying a malware loader named SharkLoader to install Cobalt Strike Beacons within targeted networks. This threat group focuses on government entities, diplomatic organizations, and software development companies across Asia, Europe, the Middle East, and Latin America. By combining opportunistic exploitation of exposed infrastructure with custom droppers, the attackers aim to establish a persistent foothold for intelligence gathering. Their primary objectives appear to be system reconnaissance, credential theft, and lateral movement rather than immediate data destruction or financial extortion.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY

An intrusion cluster tracked as StrikeShark is actively deploying a malware loader named SharkLoader to install Cobalt Strike Beacons within targeted networks. This threat group focuses on government entities, diplomatic organizations, and software development companies across Asia, Europe, the Middle East, and Latin America. By combining opportunistic exploitation of exposed infrastructure with custom droppers, the attackers aim to establish a persistent foothold for intelligence gathering. Their primary objectives appear to be system reconnaissance, credential theft, and lateral movement rather than immediate data destruction or financial extortion.[emaillocker id="1283"]

The attackers gain initial access by exploiting vulnerabilities in internet-facing applications or distributing malicious files disguised as legitimate software installers. Once inside, the malware uses DLL side-loading to execute code under the guise of trusted Windows processes. SharkLoader runs entirely in memory through multiple encrypted stages, employing reflective loading and direct system calls to evade detection. This method allows the operators to deploy Cobalt Strike Beacon without leaving traces on the disk, maintaining control through scheduled tasks while manipulating system APIs to hide their activity.

This campaign poses a significant risk because the malware operates entirely in memory, bypassing traditional file-based signature scans and complicating forensic analysis. The use of custom encryption and API hooking allows the threat actor to remain undetected for extended periods, facilitating deep network infiltration. Defenders should prioritize patching internet-facing applications immediately and rigorously monitor for suspicious process activity. Organizations must also maintain offline backups and employ behavioral analysis to detect anomalous memory usage or unexpected system modifications that indicate such stealthy intrusions.

THREAT PROFILE:

Tactic Technique ID Technique Sub-technique
Initial Access T1190 Exploit Public-Facing Application
Persistence T1053.003 Scheduled Task/Job Cron
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Defense Evasion T1574.001 Hijack Execution Flow DLL Search Order Hijacking
Privilege Escalation T1055.001 Process Injection Dynamic-link Library Injection
Defense Evasion T1027.001 Obfuscated Files or Information Binary Padding
Credential Access T1003.001 OS Credential Dumping LSASS Memory
Credential Access T1003.003 OS Credential Dumping NTDS
Lateral Movement T1021.001 Remote Services Remote Desktop Protocol

REFERENCES:

The reports contain further technical details:
https://blog.polyswarm.io/sharkloader-emerges-as-stealthy-cobalt-strike-delivery-framework
https://cybersecuritynews.com/hackers-use-fake-cisco-anyconnect-and-google-update-installers/

[/emaillocker]
crossmenu