216.73.216.86

StrikeShark: a new campaign involving a custom SharkLoader and Cobalt Strike Beacon

· Published 24/06/2026 15:38

Export JSON

Essential information

Published
24/06/2026 15:38
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
api hooking cobalt strike credential dumping cve-2016-4437 cve-2021-26855 cve-2021-27076 cve-2021-36260 cve-2022-27925 cve-2022-40684 cve-2022-41082 cve-2023-20198 cve-2023-32315 cve-2023-46747 cve-2024-21762 cve-2024-36401 cve-2025-55182 dll hijacking fscan government targeting pillager searchall sharkloader sharpgpoabuse software development southeast asia
Related entities
13 vulnerabilities (cve), 5 indicators, 4 observables, 22 techniques (mitre), 6 malware

Description

A previously undocumented malware family named SharkLoader has been discovered delivering Beacon to targets worldwide. The threat actor deploys SharkLoader through exploitation of internet-facing applications including Microsoft Exchange, SharePoint, and Openfire Server, as well as through malicious droppers disguised as legitimate software. SharkLoader employs sophisticated techniques including Perfect to bypass Windows loader locks, multi-stage decryption using Blowfish and AES encryption, and extensive via Microsoft Detours and MinHook libraries. Victims include government entities and companies across Taiwan, Indonesia, Hong Kong, Lebanon, Syria, Colombia, Macedonia, Nepal, and Serbia. Post-compromise activities focus on Active Directory enumeration, , and system reconnaissance. The campaign demonstrates both targeted and opportunistic characteristics, with potential cyber-espionage objectives, though attribution remains unc...

External references