{
  "name": "StrikeShark: a new campaign involving a custom SharkLoader and Cobalt Strike Beacon",
  "slug": "strikeshark-a-new-campaign-involving-a-custom-sharkloader-and-cobalt-strike-beacon",
  "description": "A previously undocumented malware family named SharkLoader has been discovered delivering Cobalt Strike Beacon to targets worldwide. The threat actor deploys SharkLoader through exploitation of internet-facing applications including Microsoft Exchange, SharePoint, and Openfire Server, as well as through malicious droppers disguised as legitimate software. SharkLoader employs sophisticated techniques including Perfect DLL Hijacking to bypass Windows loader locks, multi-stage decryption using Blowfish and AES encryption, and extensive API hooking via Microsoft Detours and MinHook libraries. Victims include government entities and software development companies across Taiwan, Indonesia, Hong Kong, Lebanon, Syria, Colombia, Macedonia, Nepal, and Serbia. Post-compromise activities focus on Active Directory enumeration, credential dumping, and system reconnaissance. The campaign demonstrates both targeted and opportunistic characteristics, with potential cyber-espionage objectives, though attribution remains unc...",
  "published": "2026-06-24T13:38:55.399000+00:00",
  "created_at": "2026-06-24T18:16:47.603000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-24T18:16:47.603000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "api hooking",
    "cobalt strike",
    "credential dumping",
    "cve-2016-4437",
    "cve-2021-26855",
    "cve-2021-27076",
    "cve-2021-36260",
    "cve-2022-27925",
    "cve-2022-40684",
    "cve-2022-41082",
    "cve-2023-20198",
    "cve-2023-32315",
    "cve-2023-46747",
    "cve-2024-21762",
    "cve-2024-36401",
    "cve-2025-55182",
    "dll hijacking",
    "fscan",
    "government targeting",
    "pillager",
    "searchall",
    "sharkloader",
    "sharpgpoabuse",
    "software development",
    "southeast asia"
  ],
  "tags": [],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "0f41232f-5223-4ff8-bed1-fd2d835076a2",
        "name": "CVE-2021-36260"
      },
      {
        "id": "987fef83-3606-438e-b91f-565e80f16130",
        "name": "CVE-2023-46747"
      },
      {
        "id": "5a349666-ec3e-4b1f-95f4-f1f7042d9be1",
        "name": "CVE-2016-4437"
      },
      {
        "id": "b0b9baa3-f3b7-4f6b-8441-b772a4a7cfaf",
        "name": "CVE-2022-40684"
      },
      {
        "id": "c9c597e4-1f9f-4f66-b5e7-5e52b7ac6ad5",
        "name": "CVE-2022-41082"
      },
      {
        "id": "afe95401-eb38-4c06-9235-3f95e76ebf2b",
        "name": "CVE-2024-21762"
      },
      {
        "id": "bacb8b18-a6d0-4078-aaa1-1e3138dbf122",
        "name": "CVE-2023-20198"
      },
      {
        "id": "2a36373e-55e7-4a79-8a4b-8ec44ae59d31",
        "name": "CVE-2022-27925"
      },
      {
        "id": "5b213614-5900-4032-9db0-e08d9d0ca4fc",
        "name": "CVE-2024-36401"
      },
      {
        "id": "1c7365fc-dc25-4eb9-af39-65b680dd116e",
        "name": "CVE-2025-55182"
      },
      {
        "id": "4f8150ba-308a-4a7b-a864-c6016e1f8e0f",
        "name": "CVE-2021-26855"
      },
      {
        "id": "37fea8a0-b708-4914-95b0-3c36550f1c98",
        "name": "CVE-2023-32315"
      },
      {
        "id": "7277f845-7dff-4706-9586-fa89d84c936b",
        "name": "CVE-2021-27076"
      }
    ],
    "indicators": [
      {
        "id": "c3dccb9d-7346-4d42-b764-fee5d07ad82a",
        "name": "6a5f9bd0e4a0c385b98cc7b528be53a95ff9c4ccffa8c1f65448ab792a46186c"
      },
      {
        "id": "c9df96f5-434d-4f2a-9a6a-86b07ca7b3bf",
        "name": "ms-record.com"
      },
      {
        "id": "594a4f09-c5ff-4ffc-a1a1-ed0b831d39d3",
        "name": "connect-microsoft.com"
      },
      {
        "id": "c241cdf0-d051-420b-81cb-5cf2cce30b1a",
        "name": "ms-tray.top"
      },
      {
        "id": "4ea9d887-1273-470e-b02f-3a1b037355a2",
        "name": "ms-record.top"
      }
    ],
    "attack_patterns": [
      {
        "id": "a706defa-5a99-4a26-b1be-ac6c1fc20b92",
        "name": "T1562.006"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "9e6c4b38-f4e1-4b1f-b90a-222f881acbab",
        "name": "T1087.002"
      },
      {
        "id": "5fad1837-fafc-4be9-808a-b6282e4c3c6b",
        "name": "T1003.003"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d",
        "name": "T1003.001"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "28784df4-38e7-4195-b0aa-bd35746dfbe7",
        "name": "T1069.002"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      }
    ],
    "malware": [
      {
        "id": "43704c7d-2b8b-409d-850c-c7f42e4a08e6",
        "name": "FScan",
        "slug": "fscan"
      },
      {
        "id": "76ac19b6-a62b-4c2b-af81-6bacbfe6d89e",
        "name": "SharpGPOAbuse",
        "slug": "sharpgpoabuse"
      },
      {
        "id": "ab138766-9b64-4880-87fb-1942a709d778",
        "name": "Cobalt Strike - S0154",
        "slug": "cobalt-strike-s0154"
      },
      {
        "id": "c3012159-6cc4-488b-92e1-6e74ceac1f6b",
        "name": "Searchall",
        "slug": "searchall"
      },
      {
        "id": "874f1ff2-a0b8-48a0-8080-3509f4cea827",
        "name": "Pillager",
        "slug": "pillager"
      },
      {
        "id": "d15e9273-7699-43e4-bc98-2e2225a90666",
        "name": "SharkLoader",
        "slug": "sharkloader"
      }
    ],
    "observables": [
      {
        "id": "892678b7-9255-4e23-9cdf-74e60399faa7",
        "name": "ms-record.top"
      },
      {
        "id": "37331146-c77b-47d2-96fe-a77ac09570a0",
        "name": "connect-microsoft.com"
      },
      {
        "id": "53175301-bf63-48bd-a811-abee9306b816",
        "name": "ms-tray.top"
      },
      {
        "id": "8c493d7b-863c-4205-9831-f72f850d1c05",
        "name": "ms-record.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "8bb5f1bc-72bf-4b4c-9707-536b2d6c31bd",
      "standard_id": "external-reference--7286c48e-efb0-505d-b661-bcb43379e750",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a3bddeff7731f4be214a16d",
      "hash": null,
      "external_id": "6a3bddeff7731f4be214a16d",
      "created": "2026-06-24T18:16:46.274Z",
      "modified": "2026-06-24T18:16:46.274Z",
      "createdById": null
    },
    {
      "id": "84997741-f033-4dfb-a359-5e124a2c83e9",
      "standard_id": "external-reference--a252dd60-4337-55aa-b77f-01a8c563fbf8",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://securelist.com/strikeshark-campaign/120326/",
      "hash": null,
      "external_id": null,
      "created": "2026-06-24T18:16:46.309Z",
      "modified": "2026-06-24T18:16:46.309Z",
      "createdById": null
    }
  ]
}