Over 10 countries hit, including a diplomatic organization in Indonesia and a government entity in Taiwan, with Cobalt Strike Beacon delivered via a new loader family called SharkLoader. Kaspersky's investigation (tracked as StrikeShark) shows the attackers exploiting ProxyLogon (CVE-2021-26855), Openfire (CVE-2023-32315), and GeoServer (CVE-2024-36401) for initial access, plus custom droppers disguised as Cisco AnyConnect and Google Update.
Infection Vectors: From ProxyLogon to Fake Installers
The attackers don't write zero-days. Every vulnerability exploited has public PoC code on GitHub: ProxyLogon, CVE-2021-27076 (SharePoint), CVE-2022-41082 (Exchange), CVE-2023-32315 (Openfire), and more. One C2 IP address conducted internet-wide scanning, confirming opportunistic targeting. After exploitation, they deploy webshells and use DLL sideloading with legitimate Windows SystemSettings.exe to load SharkLoader.
Dropper-based infections use lure documents like "Liquid Rocket Engine Design Program" and fake Cisco AnyConnect installers. The dropper extracts zlib-compressed SharkLoader components to %APPDATA%\xwreg or %APPDATA%\xgdf, then creates two scheduled tasks: one runs every 5 minutes, the other every second (quickly removed after 1.5 seconds) to force immediate execution.
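Two of the host-side behaviours above are cheap to look for in endpoint telemetry: a Windows-signed binary (SystemSettings.exe) loading its DLL from a user-writable %APPDATA% directory instead of the Windows directory, and a scheduled task that is created and deleted within a couple of seconds. The script below is an added example, not code from Kaspersky's report; it runs two such heuristics over constructed Sysmon-style records (Event 7 for image loads) and Security-log style records (4698/4699 for task create/delete). The pipe-delimited line format, the user "alice", and the task names are assumptions made for the sample.

```python
from datetime import datetime

# Constructed sample records (not real telemetry), pipe-delimited:
#   <ISO timestamp>|<event id>|Key=Value|Key=Value...
#   Event 7    = image loaded (Image = host process, ImageLoaded = DLL path)
#   Event 4698 = scheduled task created, 4699 = scheduled task deleted
# The first line mirrors the SharkLoader pattern: SystemSettings.exe loading
# SystemSettings.dll from %APPDATA%\xwreg instead of the Windows directory.
SAMPLE_LOG = [
    r"2024-01-10T08:00:01.000|7|Image=C:\Windows\ImmersiveControlPanel\SystemSettings.exe|ImageLoaded=C:\Users\alice\AppData\Roaming\xwreg\SystemSettings.dll",
    r"2024-01-10T08:00:01.050|7|Image=C:\Windows\ImmersiveControlPanel\SystemSettings.exe|ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"2024-01-10T08:00:03.000|4698|TaskName=\xgdf_update|Author=alice",
    r"2024-01-10T08:00:03.000|4698|TaskName=\xgdf_kick|Author=alice",
    r"2024-01-10T08:00:04.500|4699|TaskName=\xgdf_kick|Author=alice",
    r"2024-01-10T09:00:00.000|4698|TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag|Author=SYSTEM",
    r"2024-01-10T12:00:00.000|4699|TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag|Author=SYSTEM",
]

# A DLL loaded by a Windows-signed system binary is expected to live under here.
SYSTEM_ROOTS = ("c:\\windows\\",)


def parse_log(lines):
    """Turn each pipe-delimited line into a dict: ts (datetime), event (int), plus fields."""
    records = []
    for line in lines:
        ts, event, *fields = line.split("|")
        rec = {"ts": datetime.fromisoformat(ts), "event": int(event)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def find_sideloads(records, host_exe="systemsettings.exe"):
    """Return DLL paths that host_exe loaded from outside the Windows directory (Event 7).

    A legitimate SystemSettings.exe resolves its DLLs from the Windows directory, so a
    load from a profile directory is a sideloading candidate worth triaging.
    """
    hits = []
    for rec in records:
        if rec["event"] != 7:
            continue
        host = rec["Image"].rsplit("\\", 1)[-1].lower()
        loaded = rec["ImageLoaded"]
        if host == host_exe and not loaded.lower().startswith(SYSTEM_ROOTS):
            hits.append(loaded)
    return hits


def find_short_lived_tasks(records, max_lifetime_s=10.0):
    """Pair each 4698 (create) with the next 4699 (delete) of the same TaskName and
    return (name, lifetime_seconds) for tasks that lived at most max_lifetime_s.

    A task deleted within seconds of creation is rarely administrative; the dropper's
    run-every-second task removed after 1.5 s falls squarely inside this window.
    """
    created = {}
    hits = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] == 4698:
            created[rec["TaskName"]] = rec["ts"]
        elif rec["event"] == 4699 and rec["TaskName"] in created:
            lifetime = (rec["ts"] - created.pop(rec["TaskName"])).total_seconds()
            if lifetime <= max_lifetime_s:
                hits.append((rec["TaskName"], lifetime))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for path in find_sideloads(recs):
        print("possible DLL sideload:", path)
    for name, lifetime in find_short_lived_tasks(recs):
        print(f"short-lived scheduled task {name} deleted after {lifetime:.1f}s")
```

On the sample data only the %APPDATA%\xwreg load and the 1.5-second task are reported; the kernel32.dll load and the hours-long Defrag task pass. In production the same two rules map onto Sysmon Event 7 filtered by `Image` and onto Security events 4698/4699 correlated by task name, with the lifetime window tuned to the environment.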
Inside SharkLoader: Perfect DLL Hijacking and API Hooks
SharkLoader's SystemSettings.dll implements "Perfect DLL Hijacking" (originally detailed by Elliot Killick) to safely create threads from DllMain without deadlocking. It releases the loader lock via LeaveCriticalSection on LdrpLoaderLock and decrements LdrpWorkInProgress before spawning its malicious thread.
The decrypted DscCoreR.mui module (Blowfish-encrypted) reflectively loads SyncRes.dat (AES-128 encrypted), which installs 30+ API hooks using Microsoft Detours. Hooks include PPID spoofing for any new process (spawns under svchost.exe), direct syscall stubs for NtOpenProcessToken, NtWriteVirtualMemory, and ETW event suppression (EtwEventWrite always returns 1, EventWriteEx returns 0). Additionally, MinHook library hooks VirtualAlloc and Sleep to obscure Cobalt Strike Beacon memory regions by toggling protections between RWX and RW during sleep intervals.
Victimology and Attribution: Broad Reach, Low Confidence
Confirmed victims span government ministries, diplomatic entities, and software development companies in Indonesia, Taiwan, Lebanon, Syria, Hong Kong, Colombia, North Macedonia, Nepal, and Serbia. Post-compromise activity includes credential dumping via procdump against LSASS and ntdsutil for NTDS extraction, plus open-source reconnaissance tools like FScan, Searchall, and Pillager (developed by Chinese-speaking individuals on GitHub).
Attribution remains preliminary: there is no code or infrastructure overlap with known groups, and only the origins of the tooling point to a Chinese-speaking threat actor. Kaspersky assesses StrikeShark as a Chinese-speaking actor with low confidence, noting that other groups could be using the same tools.
Given the reliance on publicly available exploits and widespread scanning, the actual compromise count likely exceeds Kaspersky's telemetry. This cluster is one to watch closely as it evolves.
Source: StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
Domain: securelist.com