StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
The StrikeShark campaign utilizes a novel malware family named SharkLoader to deploy Cobalt Strike Beacons across various global sectors. Threat actors gain initial access by exploiting known vulnerabilities in public-facing applications or distributing custom droppers disguised as legitimate software. SharkLoader employs advanced evasion techniques, including Perfect DLL Hijacking and extensive API hooking, to bypass loader locks and conceal its execution in memory.
- cve
- cve
- cve
- cve
- cve
- cve
- cve
- cve
- cve
- cve
- cve
- cve
- cve
- domainconnect-microsoft[.]comThreat Actor C2 domain
- domainms-record[.]comThreat Actor C2 domain
- domainms-record[.]topThreat Actor C2 domain
- domainms-tray[.]topThreat Actor C2 domain
- filenameDscCoreR.muiEncrypted module containing embedded Cobalt Strike Beacon
- filenameSyncRes.datEncrypted DLL used to install multiple API hooks
- filenameSystemSettings.dllMain malicious SharkLoader DLL responsible for core loader functionality
- md51f65544978b8ea0e745e573b8ee9684bSharkLoader Dropper (Lebanon campaign)
- md524fcebdeecba65004fdb0923763d74fdSharkLoader Dropper (Taiwan campaign)
- md59c872a0d5d5a38950e8b9ac9b488be3fSharkLoader DLL
- md59cbd560f820c95d7c38342cd558cb5c6Encrypted file (SyncRest.dat)
- md5a514d1bb62d7916475946fe7c07ac0aaEncrypted file (DscCoreR.mui)
- md5aa3086be652c8b20b0b29b2730d57119SharkLoader DLL (SystemSettings.dll)
- md5b3352b42432dedc4a519f011dc8b5d5aSharkLoader Dropper
- md5c559cc68986933200fd5d9e4388e2f58SharkLoader Installer
- md5d98f568496512e4f98670c61c97cb07aLegitimate SystemSettings.exe abused for sideloading
Detection / HunterGoogle
What Happened
Cybersecurity researchers have uncovered a new cyberattack campaign called StrikeShark that targets organizations worldwide, including government and software companies. The attackers break into networks by exploiting unpatched internet-facing servers or tricking users into opening fake software installers and PDFs. Once inside, they use a new hidden tool called SharkLoader to sneakily install a backdoor known as Cobalt Strike, which lets them steal passwords and explore the network. Organizations should ensure their internet-facing systems are fully updated and monitor for unusual activity involving system files.
Key Takeaways
- A new campaign dubbed StrikeShark uses a previously undocumented loader, SharkLoader, to deploy Cobalt Strike Beacons.
- Initial access is achieved through opportunistic exploitation of public-facing applications (e.g., Exchange, Openfire) and custom droppers using legitimate software lures.
- SharkLoader employs 'Perfect DLL Hijacking' to bypass the Windows loader lock and safely execute malicious threads.
- The malware uses extensive API hooking via Microsoft Detours and MinHook to evade detection, spoof parent processes, and hide memory allocations.
- Post-exploitation activities involve open-source tools commonly associated with Chinese-speaking developers, such as FScan, Searchall, and Pillager.
Affected Systems
- Windows OS
- Microsoft Exchange Server
- Microsoft SharePoint
- Openfire Server
- GeoServer
- Apache Shiro
- Hikvision Products
- Zimbra Collaboration Suite
- F5 BIG-IP
- Fortinet FortiOS
- Cisco IOS XE
Vulnerabilities (CVEs)
- CVE-2021-26855
- CVE-2023-32315
- CVE-2024-36401
- CVE-2016-4437
- CVE-2021-36260
- CVE-2021-27076
- CVE-2022-27925
- CVE-2022-41082
- CVE-2023-46747
- CVE-2024-21762
- CVE-2025-55182
- CVE-2022-40684
- CVE-2023-20198
Attack Chain
The attack begins with the exploitation of public-facing applications or the execution of custom droppers disguised as legitimate software. Once initial access is achieved, the threat actor drops SharkLoader components and copies a legitimate Windows executable (like SystemSettings.exe) to a new directory to facilitate DLL sideloading. SharkLoader executes, bypassing the Windows loader lock using 'Perfect DLL Hijacking', and decrypts subsequent stages (DscCoreR.mui and SyncRes.dat) in memory. These stages install extensive API hooks to evade detection and spoof parent processes before finally injecting and executing a Cobalt Strike Beacon.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but offers behavioral indicators, command lines, and IOCs suitable for custom rule creation.
Detection Engineering Assessment
EDR Visibility: High — EDRs can detect the copying of legitimate binaries to unusual directories, scheduled task creation, registry run key modifications, and LSASS/NTDS dumping commands. However, the API hooking and loader lock bypass may blind some user-land EDR hooks. Network Visibility: Medium — Network visibility can catch initial exploitation of public-facing apps and Cobalt Strike C2 traffic, but the internal loader mechanisms are host-based. Detection Difficulty: Hard — The malware uses advanced evasion techniques like Perfect DLL Hijacking, direct syscalls via jitasm, and extensive API hooking (including ETW patching and memory protection toggling during sleep) to hide its behavior from security tools.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- File Creation (Sysmon Event ID 11)
- Scheduled Task Creation (Event ID 4698)
- Registry Modification (Sysmon Event ID 12/13)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for legitimate Windows binaries (e.g., SystemSettings.exe) executing from unusual directories like %APPDATA% or C:\ProgramData, which may indicate DLL sideloading preparation. | Process Creation, File Creation | Execution / Persistence | Low |
| Monitor for the creation of scheduled tasks running as SYSTEM that execute binaries from user profile directories or C:\ProgramData. | Scheduled Task Creation | Persistence | Low |
| Hunt for instances of Procdump64.exe or ntdsutil.exe being executed with command-line arguments associated with credential dumping (e.g., 'ac i ntds' or '-ma lsass.exe'). | Process Creation | Credential Access | Medium |
Control Gaps
- User-land EDR hooks may be bypassed by the malware's use of direct syscalls (jitasm) and ETW patching.
- Memory scanners may miss the Cobalt Strike beacon due to the Sleep hook temporarily changing memory protections to RW.
Key Behavioral Indicators
- SystemSettings.exe running from %APPDATA% or C:\ProgramData
- Scheduled tasks named with long SID-like strings (e.g., OneDrive Standalone Update Task-S-1-5-21...)
- Creation of files with .mui, .dat, or .etl extensions in %APPDATA% alongside copied legitimate executables.
False Positive Assessment
- Low. The specific combinations of copied legitimate binaries, custom encrypted file extensions (.mui, .dat), and specific scheduled task names are highly indicative of this campaign.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Search endpoint telemetry for the provided file hashes, domains, and unusual executions of SystemSettings.exe.
- If your EDR supports host isolation, consider isolating systems exhibiting signs of SharkLoader infection or Cobalt Strike activity.
Infrastructure Hardening
- Ensure all public-facing applications (Exchange, SharePoint, Openfire, GeoServer, etc.) are patched against known vulnerabilities.
- Evaluate whether network segmentation can be improved to limit lateral movement if a public-facing server is compromised.
User Protection
- Consider implementing application control to prevent the execution of unapproved binaries from user profile directories (%APPDATA%, %TEMP%).
- If applicable, restrict the use of administrative tools like ntdsutil.exe and Procdump64.exe to authorized personnel only.
Security Awareness
- Educate users on the risks of downloading software installers or opening PDF documents from untrusted sources, even if they appear to be legitimate tools like Cisco AnyConnect.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1134.004 - Access Token Manipulation: Parent PID Spoofing
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1003.001 - OS Credential Dumping: LSASS Memory
- T1003.003 - OS Credential Dumping: NTDS
- T1053.005 - Scheduled Task/Job: Scheduled Task
Additional IOCs
- File Hashes:
24FCEBDEECBA65004FDB0923763D74FD(MD5) - SharkLoader Dropper (Taiwan campaign)AA3086BE652C8B20B0B29B2730D57119(MD5) - SharkLoader DLL (SystemSettings.dll)A514D1BB62D7916475946FE7C07AC0AA(MD5) - Encrypted file (DscCoreR.mui)9CBD560F820C95D7C38342CD558CB5C6(MD5) - Encrypted file (SyncRest.dat)1F65544978B8EA0E745E573B8EE9684B(MD5) - SharkLoader Dropper (Lebanon campaign)D98F568496512E4F98670C61C97CB07A(MD5) - Legitimate SystemSettings.exe abused for sideloading
- Registry Keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFUpdate- Registry Run key created for persistence
- File Paths:
%APPDATA%\xwreg- SharkLoader working directory where components are dropped%APPDATA%\xgdf- SharkLoader working directory where components are droppedC:\ProgramData\SystemSettings.exe- Copied legitimate executable for DLL sideloadingC:\ProgramData\KasperskyLab\SystemSettings.exe- Copied legitimate executable for DLL sideloading using vendor decoy folderC:\ADriveLogs_Logs\SystemSettings.exe- Copied legitimate executable for DLL sideloading
- Command Lines:
- Purpose: Copy legitimate SystemSettings.exe for DLL sideloading | Tools:
cmd.exe| Stage: Installation |copy SystemSettings.exe C:\ProgramData\ - Purpose: Create scheduled task for persistence | Tools:
schtasks.exe| Stage: Persistence - Purpose: Add registry run key for persistence | Tools:
reg.exe| Stage: Persistence - Purpose: Dump LSASS memory for credential theft | Tools:
Procdump64.exe| Stage: Credential Access |Procdump64.exe -accepteula -ma lsass.exe - Purpose: Dump NTDS database for AD credentials | Tools:
ntdsutil.exe| Stage: Credential Access |ntdsutil "ac i ntds" "ifm" "create full - Purpose: Enumerate AD group members | Tools:
powershell.exe| Stage: Discovery |Get-ADGroupMember -Identity
- Purpose: Copy legitimate SystemSettings.exe for DLL sideloading | Tools:
- Other:
GoogleUpdateStepup.exe- Filename of SharkLoader dropperAnyConnect-win-4.10.04071-predeploy-k9exe- Filename of SharkLoader dropperAutoUpdate.exe- Filename of SharkLoader dropperGameInputInboxs32.mui- Alternative filename for encrypted SharkLoader modulediagerr.xml- Alternative filename for encrypted SharkLoader moduleNtfsLog.etl- Alternative filename for encrypted SharkLoader moduleIgnored.Dat- Alternative filename for encrypted SharkLoader moduleVistaCompat.nls- Alternative filename for encrypted SharkLoader module