Kaspersky has documented the StrikeShark campaign, active in at least ten countries and targeting Indonesian diplomatic organizations, Taiwanese government agencies, and software companies. The significant finding is not technical sophistication but the persistence of risk: ProxyLogon, a 2021 vulnerability, remains an effective initial access vector in 2026. The publication on Thursday, June 24, 2026 confirms that exposed, unpatched assets continue to represent the path of least resistance for strategic attacks.
- SharkLoader is a new loader documented by Kaspersky to load Cobalt Strike Beacon in memory via a multi-stage chain.
- Initial access vectors include CVE-2021-26855 (ProxyLogon), CVE-2023-32315 (Openfire), CVE-2024-36401 (GeoServer), and droppers disguised as Google Update and Cisco AnyConnect.
- The loading chain exploits DLL sideloading of SystemSettings.exe with a malicious SystemSettings.dll, followed by DscCoreR.mui (encrypted Beacon + MinHook) and SyncRes.dat for API hooking.
- Kaspersky assesses with medium confidence that operators rely primarily on public PoCs rather than custom exploits.
The Geography of the Attack: Why the Target Is the Public Sector
Victims identified by Kaspersky analysis span Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and other countries. The geographic diversity crosses Asia, the Middle East, Southeast Europe, and Latin America: no regional correlation isolates the risk.
The profile of targeted organizations is equally varied. Indonesian diplomatic entities, Taiwanese government structures, software development firms: the only common denominator is the presence of internet-exposed applications with known vulnerabilities. The campaign demonstrates that initial access does not require specific high-profile targets, only a visible, unpatched attack surface.
How SharkLoader Works: The Technical Chain
SharkLoader employs a modular structure designed for in-memory execution and reduced forensic footprint. The entry point is DLL sideloading: a legitimate Windows executable, SystemSettings.exe, is copied from C:\Windows\ImmersiveControlPanel into a new directory alongside a malicious SystemSettings.dll. Exploiting the Windows DLL search order, the process loads the malicious library instead of the original.
SystemSettings.dll then triggers the loading of DscCoreR.mui, a file containing the Cobalt Strike Beacon payload and the MinHook library for API hooking. A third component, SyncRes.dat, installs the API hooks necessary to mask Beacon activity. The entire chain resolves to reflective in-memory execution, without the main payload touching disk in decrypted form.
Some droppers use PDF decoys as lures: documents on biological treatment and rocket engine design, likely aimed at targets with specific technical profiles. One sample is disguised as AnyConnect-win-4.10.04071-predeploy-k9.exe: it extracts a legitimate MSI to %APPDATA%\reports\ while installing SharkLoader components in dedicated subdirectories, documented as %APPDATA%\xwreg and %APPDATA%\xgdf.
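The sideloading chain above is something a defender can hunt for from endpoint telemetry: SystemSettings.exe running outside C:\Windows\ImmersiveControlPanel, the named chain components loading from a non-Windows path, and anything under the %APPDATA%\xwreg or %APPDATA%\xgdf staging directories. The following is an added example written for this article, not Kaspersky's code or detection content; the Sysmon-style event layout (`id`, `image`, `loaded`), the `C:` drive letter and the sample events are assumptions constructed for the demonstration.

```python
"""Hunt logic for the SharkLoader sideloading chain (example, not Kaspersky's)."""
import ntpath

# Legitimate home of SystemSettings.exe, as stated in the analysis (drive letter assumed)
LEGIT_DIR = "c:\\windows\\immersivecontrolpanel"
WINDOWS_ROOT = "c:\\windows\\"
# Staging directories documented in the analysis, relative to the user profile
STAGING_DIRS = ("\\appdata\\roaming\\xwreg", "\\appdata\\roaming\\xgdf")
# File names that make up the chain after the sideloaded executable
CHAIN_FILES = {"systemsettings.dll", "dsccorer.mui", "syncres.dat"}


def classify(event):
    """Return finding strings for one Sysmon-style event dict.

    Keys assumed for this example: 'id' (1 = process create, 7 = image load),
    'image' (process path) and, for id 7, 'loaded' (module path).
    """
    findings = []
    image = event.get("image", "")
    path = event.get("loaded", "") if event.get("id") == 7 else image
    base = ntpath.basename(path).lower()
    folder = ntpath.dirname(path.lower())
    # 1. The renamed-copy trick: the real binary launched from a new directory
    if event.get("id") == 1 and base == "systemsettings.exe" and folder != LEGIT_DIR:
        findings.append(f"SystemSettings.exe executed outside ImmersiveControlPanel: {path}")
    # 2. Chain components (malicious DLL, .mui, .dat) loaded from outside the Windows tree
    if event.get("id") == 7 and base in CHAIN_FILES and not folder.startswith(WINDOWS_ROOT):
        findings.append(f"chain component loaded from non-Windows path: {path}")
    # 3. Any activity inside the staging directories named in the report
    if any(d in path.lower() for d in STAGING_DIRS):
        findings.append(f"path under documented staging directory: {path}")
    return findings


def hunt(events):
    """Run classify() over a batch of events and flatten the findings."""
    return [f for e in events for f in classify(e)]


# Constructed sample telemetry (not real data): one benign launch, one staged copy
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe"},
    {"id": 1, "image": r"C:\Users\u\AppData\Roaming\xwreg\SystemSettings.exe"},
    {"id": 7, "image": r"C:\Users\u\AppData\Roaming\xwreg\SystemSettings.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\xwreg\SystemSettings.dll"},
    {"id": 7, "image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "loaded": r"C:\Windows\ImmersiveControlPanel\SystemSettings.dll"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The legitimate launch and the in-tree module load produce no findings; the staged copy and its sideloaded DLL each trigger two.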
"What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors"
— Kaspersky Securelist, StrikeShark analysis
Known Exploits, Strategic Results
The vectors documented by the analysis are vulnerabilities for which proof-of-concept exploits have been publicly available for months or years. CVE-2021-26855, a component of the ProxyLogon chain on Microsoft Exchange, dates to March 2021. CVE-2023-32315 affects Openfire; CVE-2024-36401 affects GeoServer. The source also cites CVE-2021-27076, with a CVSS score of 8.8 HIGH according to the National Vulnerability Database, in a related incident.
The choice of mature vulnerabilities does not indicate attacker error, but operational calculation: "we assess with medium confidence that the threat actor primarily relies on publicly available proof-of-concept (PoC) exploits to gain initial access," as Kaspersky reports. Development cost is near zero; the return is access to government and diplomatic networks. The lack of custom exploits suggests an actor with moderate resources but strong post-exploitation and lateral movement capabilities.
Persistence is established via post-exploitation webshells. The exact webshell was not recovered by the analysis: command traces remain, but not the source file. This limitation does not compromise the chain reconstruction, but leaves open the question of how many persistent access variants are in circulation.
Attribution: The Chinese Link and Its Uncertainty
Operators employ open-source post-compromise tools developed by Chinese-language authors, but the Kaspersky dossier explicitly states the limits of this trail. No infrastructure overlaps, code reuse, or operational patterns link StrikeShark to a known APT or cybercrime group. The technical statement is clear: confident attribution is not available.
An IP address associated with the command-and-control domain conducted large-scale internet scanning, suggesting systematic target reconnaissance rather than intelligence-based targeted selection. The source does not specify whether the campaign is still active at the time of publication, nor the exact start date of observed activity.
Why It Matters
The dossier does not document specific remediation measures for affected organizations. The source does not specify the nature of data exposed in verified compromises, nor the campaign's final objectives: intelligence gathering, espionage, and preparation for future attacks remain unconfirmed hypotheses. The brief does not indicate whether preventive countermeasures beyond generic patching recommendations have been identified; none are present in the technical analysis.
The StrikeShark campaign reprises a dynamic observed with increasing frequency: the separation between technical sophistication of the attack and simplicity of the initial vector. SharkLoader demonstrates skill in in-memory loading and evasion, but the entry point remains an unpatched Exchange server. The lesson concerns not the inevitability of advanced exploits, but the failure to close known surfaces in the public and diplomatic sectors.
The absence of independent sources corroborating the same campaign constitutes a methodological limitation: the analysis rests on the single Kaspersky publication, without external confirmation of the scale or timeline of events. The victim list is likely incomplete, given the phrasing "and others" in the geographic count.
Sources
- https://securelist.com/strikeshark-campaign/120326/
- https://elliotonsecurity.com/perfect-dll-hijacking/
- https://securelist.com/cve-2025-55182-exploitation/118331/
Information is based on the cited source and current as of publication.