The PolySwarm Blog


SharkLoader Emerges as Stealthy Cobalt Strike Delivery Framework

Jul 2, 2026 9:31:24 AM / by The Hivemind

Verticals Targeted: Government, Diplomatic Organizations, Software Development
Regions Targeted: Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia
Related Families: SharkLoader, Cobalt Strike

Executive Summary

Researchers have identified a previously undocumented malware loader named SharkLoader, used by an intrusion cluster tracked as StrikeShark to deploy Cobalt Strike Beacon against organizations across multiple countries and industries. The campaign has leveraged exploitation of vulnerable internet-facing applications alongside custom droppers disguised as legitimate software installers to establish initial access. Confirmed victims include government-related organizations, diplomatic entities, software development companies, and organizations in additional sectors spanning Asia, Europe, the Middle East, and Latin America.

Key Takeaways

  • Newly documented SharkLoader serves as a multi-stage malware loader that ultimately deploys Cobalt Strike Beacon entirely in memory.
  • Initial access relied on exploitation of vulnerable internet-facing applications, including Microsoft Exchange, SharePoint, Openfire, GeoServer, Fortinet, Cisco IOS XE, Apache Shiro, F5 BIG-IP, Hikvision, and Zimbra deployments.
  • The campaign also distributed malware through custom droppers masquerading as trusted software such as Cisco AnyConnect and Google Update.
  • SharkLoader employs layered encryption, reflective loading, API hooking, and memory evasion techniques to complicate detection and forensic analysis.
  • Observed victims include government-related organizations, diplomatic entities, software development companies, and organizations across multiple additional sectors worldwide.

The Activity

StrikeShark demonstrates a flexible intrusion methodology that combines opportunistic exploitation of exposed enterprise infrastructure with sophisticated post-compromise malware delivery. Rather than relying on a single intrusion vector, the operators exploited numerous publicly disclosed vulnerabilities affecting internet-facing enterprise applications while also distributing custom droppers disguised as legitimate software installers. Kaspersky researchers, who reported on SharkLoader, assess with medium confidence that the campaign primarily relies on publicly available proof-of-concept exploits instead of developing proprietary exploit capabilities, enabling the operators to compromise vulnerable organizations across a broad geographic footprint.

Once access has been established, SharkLoader abuses legitimate Windows applications to perform DLL side-loading, most commonly leveraging SystemSettings.exe to load a malicious SystemSettings.dll. Other observed variants employ alternative signed Windows executables and DLL names to achieve the same objective. This approach allows malicious code to execute under the guise of trusted Windows components while reducing the likelihood of detection through conventional signature-based defenses.
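One way to hunt for the side-loading pattern described above in image-load telemetry, as an added example that is not code from the original bulletin or from Kaspersky's research. It assumes Sysmon Event ID 7 (ImageLoad) field names, treats SystemSettings.exe/SystemSettings.dll as the only host/DLL pair (the bulletin names no others), and the trusted directory list and sample events are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Signed host binary and the companion DLL name it is abused to side-load, per the bulletin.
# Assumption: only the pair the bulletin names; extend as other variants are documented.
SIDELOAD_PAIRS = {"systemsettings.exe": "systemsettings.dll"}

# Directories from which a Windows-supplied copy of the DLL is expected (assumed list).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\immersivecontrolpanel",
)


def is_trusted_path(path: str) -> bool:
    """True if the file sits directly under one of the trusted Windows directories."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def check_image_load(event: dict):
    """Return a finding if a known side-load host loads its companion DLL from an untrusted directory."""
    host = PureWindowsPath(event["Image"]).name.lower()
    dll_path = event["ImageLoaded"]
    dll = PureWindowsPath(dll_path).name.lower()
    if SIDELOAD_PAIRS.get(host) != dll:
        return None  # not a host/DLL pair we track
    if is_trusted_path(dll_path):
        return None  # DLL resolved from a Windows system directory; expected
    return f"possible DLL side-loading: {host} (pid {event['ProcessId']}) loaded {dll_path}"


def scan(events):
    """Apply the check to every ImageLoad (Sysmon Event ID 7) record in a batch."""
    return [f for f in (check_image_load(e) for e in events if e.get("EventID") == 7) if f]


# Constructed sample events in Sysmon Event ID 7 field shape; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\SystemSettings.dll"},
    {"EventID": 7, "ProcessId": 5588, "Image": r"C:\Users\Public\Updater\SystemSettings.exe",
     "ImageLoaded": r"C:\Users\Public\Updater\SystemSettings.dll"},
    {"EventID": 1, "ProcessId": 5588, "Image": r"C:\Users\Public\Updater\SystemSettings.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The second sample event is the suspicious shape: the signed host has been copied next to a same-named DLL under a user-writable directory, which is what the rule flags.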

The loader consists of multiple encrypted stages that decrypt and execute entirely in memory before ultimately deploying a Cobalt Strike Beacon. SharkLoader incorporates reflective loading, custom encryption routines, packed payloads, and staged execution to minimize forensic artifacts and reduce visibility to endpoint security products. Kaspersky researchers also documented implementation of the "Perfect DLL Hijacking" technique, which manipulates internal Windows loader structures to safely create malicious threads while bypassing loader lock restrictions during DLL initialization.

Additional defensive evasion is achieved through extensive API hooking. SharkLoader redirects numerous Windows APIs to direct system calls generated at runtime, interferes with Event Tracing for Windows (ETW) logging, performs PPID spoofing, and dynamically modifies memory protections surrounding the embedded Cobalt Strike Beacon during sleep intervals. These techniques collectively reduce behavioral visibility while helping the malware evade memory-scanning technologies that look for executable memory regions.

Researchers observed multiple persistence mechanisms depending on the intrusion scenario, including scheduled tasks configured to execute every five minutes, registry Run keys, and manually created scheduled tasks operating with SYSTEM privileges. Following successful compromise, the operators conducted system reconnaissance, Active Directory enumeration, credential theft, LSASS dumping, and NTDS database extraction before leveraging Cobalt Strike and several open-source post-exploitation tools to facilitate lateral movement throughout victim environments.

Victimology

Confirmed victims include government-related organizations, diplomatic entities, software development companies, and organizations across multiple additional sectors. The concentration of compromises involving diplomatic organizations, government-related entities, and software development companies may indicate intelligence collection objectives. However, researchers emphasize that confidence remains low due to limited observed post-compromise activity, which primarily consisted of reconnaissance, credential access, and lateral movement rather than confirmed data exfiltration. The broad geographic distribution and opportunistic exploitation of vulnerable internet-facing systems also suggest the campaign is not narrowly focused on a single industry or region.

Intelligence Assessment

StrikeShark represents a capable intrusion cluster that combines mature post-exploitation tradecraft with broad exploitation of exposed enterprise infrastructure. The operators appear to rely heavily on publicly available offensive tooling while supplementing it with a custom malware loader that incorporates multiple evasion techniques designed to reduce detection opportunities.

The campaign also highlights the continued operational value of Cobalt Strike as a second-stage framework. Rather than developing an extensive custom implant ecosystem, the threat actor invested significant effort into stealthy delivery and execution mechanisms while relying on the mature capabilities of Beacon for post-compromise operations.

Current attribution remains appropriately conservative. Although several post-exploitation tools observed during the campaign were likely developed by Chinese-speaking developers, researchers identified no definitive code reuse, infrastructure overlap, or operational similarities sufficient to confidently associate StrikeShark with any previously tracked threat actor. As a result, the assessment that the operators may be Chinese-speaking remains low confidence.

Analyst Commentary

The emergence of SharkLoader demonstrates that threat actors continue to invest in increasingly sophisticated malware loaders while relying on proven post-exploitation frameworks such as Cobalt Strike. Rather than developing an entirely new implant ecosystem, StrikeShark appears to focus its innovation on stealthy execution, layered encryption, reflective loading, API hooking, and memory evasion techniques that complicate endpoint detection and forensic analysis. Coupled with widespread exploitation of known vulnerabilities affecting internet-facing enterprise applications and network appliances, this approach enables operators to compromise a diverse range of organizations by leveraging publicly available exploit resources against vulnerable systems.

For defenders, campaigns such as StrikeShark reinforce the importance of rapidly patching internet-facing enterprise applications and network appliances, monitoring for suspicious DLL side-loading activity, and hunting for behavioral indicators associated with in-memory malware execution rather than relying solely on static signatures. PolySwarm can provide additional visibility into newly emerging malware families, evolving loader techniques, malicious infrastructure, and related indicators that may not yet be broadly detected by traditional signature-based security controls.

IOCs

PolySwarm has a sample of an installer associated with this activity.


6a5f9bd0e4a0c385b98cc7b528be53a95ff9c4ccffa8c1f65448ab792a46186c


Topics: Threat Bulletin, Cobalt Strike, malware loader, DLL sideloading, SharkLoader, StrikeShark
