logo

StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader

ID: 50c06986-66f6-5a39-89b2-7b406d0902ac

STIX ID: report--50c06986-66f6-5a39-89b2-7b406d0902ac

Feed Name: Securelist by Kaspersky

Threat Score
80/100

Date Published: 2026-06-24

Date Updated: 2026-06-24

Author: Fareed Radzi

...
...

StrikeShark is a broad, multi-country intrusion cluster that uses a newly documented loader called SharkLoader to deploy Cobalt Strike beacons. The actor gains access by exploiting internet-facing application vulnerabilities (e.g., Microsoft Exchange ProxyLogon, Openfire, GeoServer) and via custom droppers masquerading as legitimate installers; SharkLoader employs advanced techniques including Perfect DLL Hijacking, encrypted in-memory stages, extensive API hooking (to bypass ETW and enable PPID spoofing), and scheduled tasks/registry keys for persistence. Confirmed victims span government and software development organizations across Asia, the Middle East, Europe, and the Americas; the report includes detailed IOCs and forensic artifacts and assesses the actor as a Chinese-speaking cluster with preliminary attribution.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.