Kaspersky has uncovered a new attack campaign dubbed StrikeShark, active in at least 10 countries, that employs a previously unknown malware loader: SharkLoader. The component leverages a DLL side-loading technique to execute malicious code while bypassing the Windows Loader Lock, an operating system protection mechanism. The discovery highlights how security research published in 2023 has been repurposed for offensive use.
- SharkLoader is a previously unknown malware loader identified by Kaspersky during analysis of an attack on a diplomatic organization in Indonesia
- The StrikeShark campaign has hit organizations in at least 10 countries: Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and others
- The loader implements the "Perfect DLL Hijacking" technique, described by researcher Elliot Killick in October 2023, to execute code in the DllMain context while bypassing Windows Loader Lock restrictions
- Initial access vectors combine exploits of known vulnerabilities with publicly available PoC code and droppers disguised as legitimate installers
How SharkLoader's Loading Chain Works
SharkLoader implements a multi-stage chain that begins with DLL side-loading: a legitimate Windows application, SystemSettings.exe, loads a malicious DLL named SystemSettings.dll. The technical crux lies in the use of "Perfect DLL Hijacking," a technique that allows code execution in the DllMain context without running afoul of the restrictions normally imposed by the Windows Loader Lock.
The Loader Lock is an internal OS mechanism that synchronizes DLL loading operations, preventing dangerous actions during initialization. Bypassing it enables arbitrary code execution at a critical stage of the process loading sequence.
After bypassing the Loader Lock, SharkLoader decrypts and loads DscCoreR.mui, the module containing the final payload: Cobalt Strike Beacon. The loader creates a suspended thread and installs API hooks, via Microsoft Detours and MinHook, on VirtualAlloc and Sleep. This arrangement lets the Beacon be copied into memory while its thread remains suspended during scans; execution begins only once ResumeThread is called. According to Kaspersky, "Finally, after the API hooks are installed and the Cobalt Strike Beacon shellcode has been written to the thread buffer, the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon."
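As an added example (not code from the Kaspersky report or from the SharkLoader samples), the following Python checks Sysmon-style ImageLoad (Event ID 7) records for the side-loading shape described above: a Windows binary running from a path where it does not ship, picking up a DLL from its own directory instead of a system directory, and unsigned code mapped from outside the system directories. The expected location of SystemSettings.exe, the trusted-directory list and the event records are assumptions and constructed samples, not values taken from the report.

```python
"""Detection logic for the SystemSettings.exe side-loading step described above.

Added example, not code from the Kaspersky report or from SharkLoader itself.
It scores Sysmon-style ImageLoad (Event ID 7) records; the records at the bottom
are constructed samples, and the expected path for SystemSettings.exe is an
assumption to adjust to your own baseline.
"""
from pathlib import PureWindowsPath

# Directories from which Windows DLLs are expected to be mapped (assumption;
# extend with your own trusted locations).
TRUSTED_DLL_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

# Where the abused host binary normally lives (assumption, not from the report).
EXPECTED_HOST_PATHS = {
    "systemsettings.exe": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
}


def _under(path: str, parent: str) -> bool:
    """True if `path` is `parent` or sits anywhere below it (case-insensitive)."""
    p, q = PureWindowsPath(path), PureWindowsPath(parent)
    return p == q or q in p.parents


def classify_image_load(ev: dict) -> list:
    """Return the reasons an ImageLoad record looks like DLL side-loading.

    ev uses Sysmon field names: Image (host process), ImageLoaded (the DLL),
    Signed ("true"/"false").
    """
    reasons = []
    host, dll = ev["Image"], ev["ImageLoaded"]
    host_name = PureWindowsPath(host).name.lower()
    host_dir = str(PureWindowsPath(host).parent)
    expected = EXPECTED_HOST_PATHS.get(host_name)

    # 1. A known Windows binary executing from somewhere it does not ship.
    if expected and PureWindowsPath(host) != PureWindowsPath(expected):
        reasons.append(f"{host_name} running from unexpected path {host}")

    if not any(_under(dll, d) for d in TRUSTED_DLL_DIRS):
        # 2. Classic side-load shape: a relocated Windows binary picks up a DLL
        #    from its own directory instead of a system directory.
        if expected and _under(dll, host_dir):
            reasons.append(f"DLL resolved from the host's own directory: {dll}")
        # 3. Unsigned code mapped from outside the system directories.
        if str(ev.get("Signed", "false")).lower() != "true":
            reasons.append(f"unsigned DLL outside system directories: {dll}")
    return reasons


def scan_image_loads(events: list) -> dict:
    """Map each suspicious event's RecordId to its list of reasons."""
    return {ev["RecordId"]: r for ev in events if (r := classify_image_load(ev))}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: Settings app loading a signed system DLL from System32
        "RecordId": 1,
        "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
        "ImageLoaded": r"C:\Windows\System32\SystemSettings.dll",
        "Signed": "true",
    },
    {   # suspicious: copied host binary side-loading an unsigned DLL beside it
        "RecordId": 2,
        "Image": r"C:\Users\Public\Libraries\SystemSettings.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\SystemSettings.dll",
        "Signed": "false",
    },
    {   # ordinary third-party app loading its own signed DLL: not flagged
        "RecordId": 3,
        "Image": r"C:\Program Files\ExampleApp\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    for rid, why in scan_image_loads(SAMPLE_EVENTS).items():
        print(f"record {rid}:")
        for line in why:
            print("  -", line)
```

Run as a script it prints the reasons per flagged record; in practice feed it the parsed Event ID 7 records from your SIEM and tune the allowlists, since some legitimate software does load unsigned DLLs from its own install directory, so rule 3 on its own is a weak signal and rule 1 plus rule 2 together is the strong one.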
Attack Vectors: Public Exploits and Targeted Social Engineering
StrikeShark operators have used two primary pathways for initial access. The first exploits vulnerabilities in internet-exposed enterprise applications, including Exchange Server, Openfire, GeoServer, SharePoint, Fortinet, Cisco, F5, Zimbra, Apache Shiro, and Hikvision. Specific vulnerabilities identified include CVE-2021-26855 (ProxyLogon), CVE-2021-27076, CVE-2023-32315 (Openfire), CVE-2024-36401 (GeoServer), and CVE-2022-41082 (ProxyNotShell). Kaspersky has verified that all these vulnerabilities have publicly available PoC code, including on GitHub, and assesses with "medium confidence" that the attackers rely primarily on public PoC exploits.
The second vector employs custom droppers disguised as legitimate installers, such as Google Update and the Cisco AnyConnect VPN installer. Within the analyzed samples, Kaspersky extracted decoy PDFs with specific technical themes: documents on "liquid rocket engine design" and "biological treatment process," produced by engineering consultants. This level of customization shows attention to making the decoy plausible enough to induce execution.
"The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region" — Kaspersky
Targets and Geography: An Opportunistic Operation
The campaign's geographic distribution spans at least 10 countries: Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and others unspecified. The first documented detection by Kaspersky involves a diplomatic organization in Indonesia. Targets include government and diplomatic entities and software development firms, with varied sectors indicating an opportunistic rather than focused approach.
Persistence is maintained via Registry Run keys and scheduled tasks that launch SystemSettings.exe, re-triggering the side-loading chain on each run.
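The persistence triggers give defenders a second, cheaper place to look. The Python below is an added example, not code from the report or the samples: it inspects Run-key values and exported Task Scheduler XML and flags any launch of SystemSettings.exe from a location other than the one it is assumed to ship from (C:\Windows\ImmersiveControlPanel, an assumption to adjust to your baseline). The Run-key values and the task XML are constructed samples.

```python
"""Persistence hunt for the Run-key and scheduled-task triggers described above.

Added example, not code from the Kaspersky report or the SharkLoader samples.
It reads the command lines held in Run-key values and in exported Task
Scheduler XML, and flags any launch of SystemSettings.exe from a location other
than where it ships (assumed here to be C:\Windows\ImmersiveControlPanel; adjust
to your baseline). Every input below is a constructed sample.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

EXPECTED_HOST_PATHS = {
    "systemsettings.exe": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
}
# Namespace used by Task Scheduler's XML export format.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Windows command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def launch_reason(cmd: str):
    """Reason a launch command is suspicious, or None when the path is expected."""
    exe = executable_from_command(cmd)
    name = PureWindowsPath(exe).name.lower()
    expected = EXPECTED_HOST_PATHS.get(name)
    # PureWindowsPath comparison is case-insensitive, matching NTFS semantics.
    if expected and PureWindowsPath(exe) != PureWindowsPath(expected):
        return f"{name} launched from unexpected path {exe}"
    return None


def check_run_values(values: dict) -> dict:
    """Run-key value name -> reason, for every value launching a relocated binary."""
    findings = {}
    for value_name, cmd in values.items():
        reason = launch_reason(cmd)
        if reason:
            findings[value_name] = reason
    return findings


def check_task_xml(task_xml: str) -> list:
    """Reasons for each Exec action in an exported Task Scheduler definition."""
    root = ET.fromstring(task_xml.strip())
    commands = [c.text or "" for c in
                root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    return [r for r in map(launch_reason, commands) if r]


# Constructed Run-key contents (HKCU\...\CurrentVersion\Run style values).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SystemSettings": r'"C:\Users\Public\Libraries\SystemSettings.exe"',
}

# Constructed scheduled task in Task Scheduler's export format.
SAMPLE_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\Libraries\SystemSettings.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for name, why in check_run_values(SAMPLE_RUN_VALUES).items():
        print(f"Run value {name!r}: {why}")
    for why in check_task_xml(SAMPLE_TASK_XML):
        print(f"Scheduled task action: {why}")
```

The same `launch_reason` check can be pointed at any collection of launch commands (services, WMI subscriptions, startup folder shortcuts); the value of keying on the relocated binary rather than on the DLL is that the trigger survives even when the malicious DLL itself is renamed or re-encrypted.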
Attribution Remains Preliminary
The operators have employed open-source post-compromise tools developed by Chinese-speaking developers, including FScan, Pillager, and Searchall. However, Kaspersky has identified no direct code reuse or infrastructure overlaps with documented campaigns. The report explicitly labels attribution as "preliminary": the language of the tools does not constitute proof of national attribution, and the absence of concrete evidence warrants caution regarding any link to a specific APT group.
No active data exfiltration has been observed in the analyzed systems. Final objectives remain unconfirmed, though the targeting suggests possible cyber espionage. Kaspersky notes that Cobalt Strike modules for file operations and exfiltration could be employed in later stages.
What Changes
The Loader Lock bypass represents a documented technical evolution: Killick's technique, published as legitimate research in 2023, is now employed in operational malware. For defense teams, this indicates that traditional controls on DLL loading during process initialization are insufficient to detect this specific variant.
The systematic use of decoy PDFs with specific technical content shows a level of social engineering preparation that goes beyond a generic approach. The combination of public PoC exploits and advanced evasion techniques suggests operators who integrate publicly available resources with targeted custom development.
The StrikeShark campaign also demonstrates how targeting diplomatic and government entities across diverse geographic areas does not necessarily imply a coordinated state operation: opportunistic distribution with a generic payload like Cobalt Strike Beacon can hit targets of interest to multiple actors.
Sources and Analysis Limitations
This analysis is based on the Kaspersky SecureList report as the sole structured primary source. The Hacker News and HelpNetSecurity journalistic sources corroborate specific elements but do not add independent technical analysis. The elliotonsecurity.com sources provide technical context on the Perfect DLL Hijacking technique and the Loader Lock mechanism, without directly mentioning SharkLoader.
Information is current as of the Kaspersky report's publication. Some operational details — including the exact dropper distribution mechanism, the campaign's full extent, and final objectives — are not documented in the primary source.
Sources
- The Hacker News — New SharkLoader Malware Deploys Cobalt Strike (Source 1): https://thehackernews.com/2026/06/new-sharkloader-malware-deploys-cobalt.html
- HelpNetSecurity — SharkLoader dropper targets governments, software developers (Source 2): https://www.helpnetsecurity.com/2026/06/26/sharkloader-dropper-governments-software-developers/
- Kaspersky SecureList — StrikeShark Campaign (Source 3, primary): https://securelist.com/strikeshark-campaign/120326/
- Elliot on Security — Perfect DLL Hijacking (Source 6, technical context): https://elliotonsecurity.com/perfect-dll-hijacking/
- Elliot on Security — What is Loader Lock (Source 7, technical context): https://elliotonsecurity.com/what-is-loader-lock/
- https://gbhackers.com/microsoft-winre-vulnerability/amp/
- https://kb.cert.org/vuls/id/226679
- https://thehackernews.com/2025/05/china-linked-hackers-exploit-sap-and.html
Information has been verified against cited sources and updated as of publication.