Kaspersky Uncovers SharkLoader, a Novel Dropper Hitting Governments

A previously undocumented malware dropper called SharkLoader is behind a multi-country hacking operation that has hit government agencies and software development firms in at least nine countries, Kaspersky researchers said this week. The company has published technical details of a campaign it is tracking as StrikeShark, and the write-up frames it as a hybrid of targeted intrusions and opportunistic scanning. The disclosure lands as a near-textbook case of a campaign built on public flaws, with the oldest vulnerability in the list dating to 2016 and each one carrying a public exploit.

The investigation began with an attack on a diplomatic organization in Indonesia and quickly expanded to government bodies in Taiwan, software developers in multiple countries, and additional entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. The victimology, the open-source tooling, and the geographic spread point to what the researchers describe as “a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region.”

Public Flaws Power the Entry Points

StrikeShark’s operators reach victims through two distinct entry routes. The first is exploitation of known vulnerabilities in internet-facing applications, every one of which has working public proof-of-concept code already circulating. The second is malware-laced droppers that impersonate legitimate software installers.

The vulnerability list is unusually long for a single campaign, and it is unusually old. The earliest entry, CVE-2016-4437 in Apache Shiro, was disclosed in 2016. The most recent, CVE-2025-55182 in React Server Components, was disclosed in 2025. On the Indonesian diplomatic network, the attackers walked in through CVE-2021-26855, the ProxyLogon flaw in Microsoft Exchange; in Taiwan, software developers were hit via CVE-2023-32315 in Openfire; in Colombia, the entry point was CVE-2024-36401 in GeoServer. According to the published StrikeShark report, Kaspersky’s GReAT team assessed with medium confidence that the operators lean on public proof-of-concept exploits rather than developing their own, and one IP address tied to the campaign’s command-and-control infrastructure was seen conducting internet-wide scanning “potentially aimed at identifying and exploiting vulnerable internet-facing systems at scale.” The dropper-based route is a quieter story, dressed up to look like software an employee would actually open: filenames observed in the wild include GoogleUpdateStepup.exe, AnyConnect-win-4.10.04071-predeploy-k9exe, AutoUpdate.exe, and 319-pfd-8001-reva_traitement biologique_master.zip.

CVE              Product                               Type
CVE-2016-4437    Apache Shiro                          Remote Code Execution
CVE-2021-26855   Microsoft Exchange (ProxyLogon)       Remote Code Execution
CVE-2021-27076   Microsoft SharePoint                  Remote Code Execution
CVE-2021-36260   Hikvision Products                    Remote Code Execution
CVE-2022-27925   Zimbra Collaboration Suite            Remote Code Execution
CVE-2022-40684   Fortinet FortiOS                      Authentication Bypass
CVE-2022-41082   Microsoft Exchange Server             Remote Code Execution
CVE-2023-20198   Cisco IOS XE Web UI                   Authentication Bypass
CVE-2023-32315   Openfire                              Remote Code Execution
CVE-2023-46747   F5 BIG-IP system                      Remote Code Execution
CVE-2024-21762   Fortinet FortiOS                      Remote Code Execution
CVE-2024-36401   GeoServer                             Remote Code Execution
CVE-2025-55182   React Server Components               Remote Code Execution

How SharkLoader Loads Cobalt Strike on a Host

Once on a host, SharkLoader hands off to one of two outcomes: a webshell dropped after exploitation, or the dropper’s own DLL-sideloading chain. In both cases the payload rides on the back of a legitimate Windows binary. The recurring trick, observed in detail in the full technical write-up of the SharkLoader campaign, is to copy SystemSettings.exe out of C:\Windows\ImmersiveControlPanel into a new directory, plant a malicious SystemSettings.dll next to it, and run the legitimate executable so Windows loads the malicious DLL.

In some intrusions, the working directory was named after security vendors. The threat actor “used security product vendor names as the directory names, allegedly to appear legitimate,” including paths like C:\ProgramData\KasperskyLab. Other variants of the loader lean on different side-loading targets: msedge.dll next to Microsoft Edge, PrintDialog.dll, or miracastview.dll. The variants are functionally interchangeable and share the same end goal of running the loader under the cover of a signed Microsoft binary.

SharkLoader’s own components are layered. The malicious SystemSettings.dll does the core loader work, including a “perfect DLL hijacking” technique to escape the Windows loader lock; it decrypts and reflectively loads an encrypted module called DscCoreR.mui, which itself contains the embedded Cobalt Strike Beacon and the MinHook library. A second encrypted module, SyncRes.dat, installs a long list of API hooks via Microsoft Detours, covering VirtualAlloc, Sleep, CreateProcess*, GetProcAddress, and a set of syscall-level redirections built with jitasm, used for PPID spoofing, ETW suppression, and toggling memory protections on the fly.

The malware uses a different cipher for each module. DscCoreR.mui is decrypted with Blowfish using a key embedded in the loader; SyncRes.dat is decrypted with AES-128 using a key and IV stored in the module header. Neither module is stored with an MZ header, so on disk they do not look like PE files to tools that scan for executables; they only take executable form once decrypted in memory. Persistence rides on two scheduled tasks: one runs every five minutes and provides the long-term foothold, the other runs every second for roughly 1.5 seconds before deleting itself, leaving the first task to survive reboots.

The Post-Exploitation Playbook in Practice

Once SharkLoader’s Cobalt Strike beacon is running, the attacker has a commercial, off-the-shelf foothold rated for remote access and lateral movement. Kaspersky observed the operators dumping credentials from Windows memory through LSASS and NTDS, then using the results to enumerate the rest of the domain. The work that follows is reconnaissance, not bulk data theft: account discovery, privilege mapping, and quiet movement through the network.

The toolkit is a familiar set of open-source offensive security tools developed by Chinese-speaking developers on GitHub:

  • FScan, an intranet scanner.
  • Searchall, a credential and sensitive file searcher.
  • Pillager, a post-exploitation reconnaissance tool.
  • SharpGPOAbuse, a tool for abusing Group Policy Objects.

The use of off-the-shelf tooling is part of why the campaign blends into the noise defenders see from a long list of actors. To stay hidden, SharkLoader’s modules disguise themselves as ordinary Windows system files, ride on a signed Microsoft binary, and suppress the security logging (ETW) that defenders rely on to detect intrusions. Defenders hunting for this campaign should look for the SystemSettings.exe side-loading chain in non-standard directories, the SystemSettings.dll write to %APPDATA%\xwreg or %APPDATA%\xgdf, and the scheduled-task pattern. That pattern is itself distinctive: the dropper creates two tasks, one that runs every five minutes and one that fires every second for roughly 1.5 seconds before deleting itself, so newly created tasks with those triggers should be cross-referenced against the other indicators.
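As an added illustration of the hunting guidance above, and not code from Kaspersky or the report, here is a small Python triage routine over constructed Sysmon-style telemetry: it flags SystemSettings.exe running outside C:\Windows\ImmersiveControlPanel, hijack-candidate DLLs (the four names the article lists) loaded unsigned or from %APPDATA%\xwreg and %APPDATA%\xgdf, and the one-second and five-minute scheduled-task triggers. The sample events, task names and file paths are constructed from the article’s description and are not observed indicators.

```python
# Constructed sample telemetry (not taken from the report): Sysmon-style
# image-load events as (process image, loaded DLL, DLL Authenticode-signed?)
# and scheduled tasks as (task name, repetition interval in seconds, action).
LEGIT_DIR = "c:\\windows\\immersivecontrolpanel\\"   # where SystemSettings.exe belongs
WINDIR = "c:\\windows\\"
SIDELOAD_DLLS = {"systemsettings.dll", "msedge.dll", "printdialog.dll", "miracastview.dll"}
DROP_DIRS = ("\\appdata\\roaming\\xwreg\\", "\\appdata\\roaming\\xgdf\\")  # %APPDATA%\xwreg, \xgdf

def hunt_image_loads(events):
    """Flag image loads matching the SystemSettings.exe side-loading chain."""
    findings = []
    for proc, dll, signed in events:
        p, d = proc.lower(), dll.lower()
        if d.rsplit("\\", 1)[-1] not in SIDELOAD_DLLS:
            continue  # only the DLL names the loader is known to hijack
        if p.endswith("\\systemsettings.exe") and not p.startswith(LEGIT_DIR):
            findings.append(("systemsettings_outside_icp", proc))
        if any(x in d for x in DROP_DIRS):
            findings.append(("dll_in_known_drop_dir", dll))
        elif not signed and not d.startswith(WINDIR):
            findings.append(("unsigned_sideload_dll", dll))
    return findings

def hunt_tasks(tasks):
    """Flag the two-task persistence pattern: a 1-second trigger and a 5-minute one."""
    findings = []
    for name, interval_s, action in tasks:
        a = action.lower()
        if interval_s <= 1:  # a task firing every second is almost never legitimate
            findings.append(("one_second_task", name))
        elif interval_s == 300 and a.endswith("\\systemsettings.exe") and not a.startswith(LEGIT_DIR):
            findings.append(("five_minute_sideload_task", name))
    return findings

SAMPLE_EVENTS = [  # constructed; first and last rows are benign controls
    (r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe", r"C:\Windows\System32\PrintDialog.dll", True),
    (r"C:\ProgramData\KasperskyLab\SystemSettings.exe", r"C:\ProgramData\KasperskyLab\SystemSettings.dll", False),
    (r"C:\Users\alice\AppData\Roaming\xgdf\SystemSettings.exe", r"C:\Users\alice\AppData\Roaming\xgdf\SystemSettings.dll", False),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll", True),
]
SAMPLE_TASKS = [  # constructed task names and intervals
    ("Nightly Backup", 86400, r"C:\Program Files\Backup\backup.exe"),
    ("SystemSettingsSync", 300, r"C:\ProgramData\KasperskyLab\SystemSettings.exe"),
    ("xw", 1, r"C:\ProgramData\KasperskyLab\SystemSettings.exe"),
]

if __name__ == "__main__":
    for kind, value in hunt_image_loads(SAMPLE_EVENTS) + hunt_tasks(SAMPLE_TASKS):
        print(f"{kind:30} {value}")
```

On a real estate the same logic maps onto Sysmon Event ID 7 (ImageLoaded, Signed) and the repetition interval in each task’s XML definition.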

Attribution Remains Unclear, and Confidence Stays Low

Kaspersky has not named a country, a region, or linked StrikeShark to any known hacking group. The post-exploitation tools are Chinese-language on GitHub, but the researchers call that “not a strong indicator” of the attackers’ own language or location.

The observed post-compromise activity is reconnaissance-heavy, and confidence in any single motive remains low. “Targeting of government and software development organizations may indicate a cyber-espionage objective, although our confidence remains low due to the limited post-compromise activity observed,” the report states. The same report also flags the alternative reading: “the attacker may also be opportunistically targeting vulnerable systems,” and the campaign’s “ultimate objectives are still under research.”

Software development firms are useful both as espionage targets in their own right, holding code repositories and signing keys, and as staging points for follow-on intrusions against the customers of that code. A recent supply chain attack on the npm package Mastra shows how that model looks when it succeeds against developers. A separate attack that briefly poisoned a popular JavaScript library fits the same profile. The open-source supply chain has become a familiar target for state-aligned attackers, with a single compromised package potentially reaching thousands of downstream users. Fareed Radzi, security researcher at Kaspersky GReAT, summed up the takeaway in the press release: “The StrikeShark campaign highlights the evolving threat landscape in which adversaries combine readily available attack tools with custom malware and advanced evasion techniques. The use of legitimate-looking lures and the exploitation of known vulnerabilities underscore the critical need for organizations to maintain rigorous patch management, robust endpoint detection and response, and comprehensive security awareness training for their employees.”

The two readings, espionage and opportunism, are not mutually exclusive, and the Kaspersky write-up leaves both open. That openness reflects how little of the post-compromise picture is in evidence today and how much the next round of intrusions could change the answer.

Why This Reckoning Has Been Building for Years

StrikeShark is not a zero-day campaign. Every CVE in the table above was disclosed, has public exploits with proof-of-concept code, and falls into a category defenders have been told to patch for years. The campaign’s reliance on long-disclosed bugs is the through-line that ties the operation together.

CVE-2016-4437 in Apache Shiro was disclosed in 2016. CVE-2021-26855 in Exchange, ProxyLogon, was the subject of mass exploitation waves within weeks of disclosure in March 2021. The list of products spans routers, mail servers, file sync, video surveillance, identity systems, and a JavaScript framework. The common thread is internet exposure, not novelty: none of these flaws depend on recent research.

The attacker does not need fresh exploits because the older ones still work on systems that were never patched or that were patched only after being compromised months or years earlier. Public proof-of-concept code on GitHub lowers the skill floor of an intrusion from “write a reliable exploit” to “run a public one.” The use of off-the-shelf open-source tools after a foothold is established means the operation blends into a category of activity defenders see from a long list of actors. A campaign this broad, with this much reliance on commodity tooling, looks like a long-running opportunistic program with espionage capability on the side. The same lack of focus also makes attribution harder, which is why Kaspersky’s confidence in motive and identity stays low. The report also notes that “the absence of clear evidence of data exfiltration thus far does not exclude this possibility, as Cobalt Strike’s file operation and data exfiltration modules could be employed at a later stage.”

Frequently Asked Questions

What is the SharkLoader dropper?

SharkLoader is a previously undocumented malware family, named by Kaspersky’s Global Research and Analysis Team, that serves as a loader for Cobalt Strike Beacon on compromised Windows systems. It is built to ride on a legitimate Windows binary through DLL sideloading before injecting the beacon in memory.

How does the StrikeShark campaign break into organizations?

Attackers use two entry methods. The first is exploitation of known vulnerabilities in products from Microsoft, Fortinet, Cisco, F5, Zimbra, Apache, and Hikvision, with flaws as old as 2016. The second is droppers that masquerade as legitimate software such as Google Update and Cisco AnyConnect VPN installers, sometimes wrapped around decoy PDF documents. Observed filenames include GoogleUpdateStepup.exe, AnyConnect-win-4.10.04071-predeploy-k9exe, and 319-pfd-8001-reva_traitement biologique_master.zip.

Who is behind the StrikeShark campaign?

Kaspersky has not linked StrikeShark to any established hacking group. The post-exploitation tools used in the campaign were developed by Chinese-speaking developers on GitHub, but researchers note that is not a strong indicator of the attackers’ own language or location. The campaign’s ultimate objectives are still under research.

How many countries have been affected?

Kaspersky has confirmed victims in at least nine named countries, with a diplomatic organization in Indonesia as the entry point and government agencies in Taiwan among the most affected. The other named targets sit in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia, and the researchers caution that “elsewhere” is part of the same list, suggesting the country count is still growing.

What should organizations do to protect themselves?

Kaspersky recommends patching known vulnerabilities on internet-facing systems, using proven security solutions to detect and block malware droppers, training staff on cybersecurity awareness, and monitoring for the specific indicators tied to the SharkLoader infection chain, including the SystemSettings.exe side-loading pattern and the scheduled-task persistence mechanism. The full indicator list is published in the Securelist report.
