StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
Kaspersky reports a previously undocumented malware family, SharkLoader, linked to a broader activity tracked as StrikeShark, which deploys Cobalt Strike Beacon on compromised systems. Initial access was observed by exploiting internet-facing products such as Microsoft Exchange (CVE-2021-26855) and Openfire (CVE-2023-32315), as well as other targets including CVE-2024-36401; the article also lists additional affected RCE/auth-bypass issues across multiple vendors (e.g., Apache Shiro CVE-2016-4437, Microsoft SharePoint CVE-2021-27076, Fortinet FortiOS CVE-2024-21762, Cisco IOS XE Web UI CVE-2023-20198). This matters because the activity combines public exploit code, webshell-based persistence, and DLL side-loading techniques to move quickly from intrusion to Cobalt Strike deployment across many countries and sectors.
Introduction
During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors.…