New SharkLoader malware hits diplomats and governments with Cobalt Strike

Kaspersky researchers have uncovered a new malware family being used to break into diplomatic, government, and corporate networks across more than a dozen countries. In research that began with an intrusion at a diplomatic organization in Indonesia, the team found a previously undocumented loader they named SharkLoader, whose job is to quietly deploy Cobalt Strike Beacon onto compromised systems. They are tracking the wider campaign as StrikeShark, detailed in their analysis by researcher Fareed Radzi.

What looked at first like an isolated case turned out to be broad. Beyond the Indonesian diplomatic entity, Kaspersky tied the activity to government organizations in Taiwan, software developers in several countries, and victims in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. The mix of targets points to a wide-reaching operation rather than a focus on a single sector. Kaspersky stops short of naming a culprit: the operators lean on open-source tools associated with Chinese-speaking developers, but with no firm code, infrastructure, or operational overlap, attribution stays preliminary.

How they get in

The actor favors known, already-patched vulnerabilities in internet-facing software, and Kaspersky assesses with medium confidence that it mostly relies on public proof-of-concept exploits rather than custom ones. In Indonesia the entry point was Microsoft Exchange via CVE-2021-26855 (ProxyLogon); in Taiwan it was Openfire (CVE-2023-32315); in Colombia, a GeoServer flaw (CVE-2024-36401). The crew was also seen probing bugs in SharePoint, Zimbra, F5 BIG-IP, FortiOS, and Cisco IOS XE, and one of its C2 servers was caught scanning the internet at large for vulnerable systems. The lesson is familiar from espionage campaigns like Mustang Panda's operations: unpatched, exposed servers remain the easiest door in.

How the loader hides

Where SharkLoader stands out is stealth. The actor also spreads it through droppers disguised as legitimate installers, including a real Cisco AnyConnect VPN setup and fake Google Update tools, sometimes opening a decoy PDF to keep the victim calm. The loader rides in via DLL sideloading, abusing the legitimate Windows SystemSettings.exe to load a malicious SystemSettings.dll, a technique we have seen paired with Cobalt Strike before in APT10's attacks on Japanese firms. It then decrypts further stages with Blowfish and AES, reflectively loads them in memory so nothing extra touches disk, and uses a Perfect DLL Hijacking trick to safely spawn its thread without tripping the Windows loader lock. API hooks make any process the Cobalt Strike Beacon spawns appear to launch from a legitimate svchost.exe, frustrating defenders who hunt by parent-child process lineage. For background on running down this implant, see our guide to threat hunting Cobalt Strike infrastructure.

What you should do

Patch the internet-facing applications named above, prioritizing Exchange, SharePoint, Openfire, GeoServer, FortiOS, and Cisco IOS XE, and hunt for SystemSettings.exe or msedge.exe running from user-writable directories such as %APPDATA%. Suspicious scheduled tasks masquerading as OneDrive or Microsoft update jobs, and processes spawned under svchost.exe with unexpected lineage, are strong leads.

Selected indicators

SharkLoader dropper samples include MD5 1f65544978b8ea0e745e573b8ee9684b (recovered in Lebanon) and 24fcebdeecba65004fdb0923763d74fd (Taiwan government targeting). Associated component hashes and C2 details are in Kaspersky's report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
