SharkLoader is a newly identified piece of malware that, once attackers have a foothold in a government or diplomatic network, quietly drops Cobalt Strike Beacon, a powerful remote-access tool. Security firm Kaspersky discovered it while looking into a breach at an Indonesian diplomatic body, and the trail quickly grew into a global operation now called StrikeShark.
What Is the SharkLoader Malware Campaign?
Researchers uncovered a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts. Cobalt Strike is a commercial tool used by security testers, but attackers have long abused it to keep remote access inside victim networks and move from machine to machine without being noticed.
Kaspersky first found the campaign while investigating an attack on a diplomatic organization in Indonesia. What initially looked like an isolated incident revealed a global operation they dubbed StrikeShark, due to the attackers’ use of a previously unknown dropper they named SharkLoader.
The campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.
How Does SharkLoader Malware Get In?
The attackers use two main tricks to break into systems.
Exploiting Known Software Flaws
The list of exploited vulnerabilities spans flaws in products from Microsoft (SharePoint, Exchange Server), Fortinet (FortiOS), Cisco (IOS XE), F5 (BIG-IP), Zimbra, Apache (Shiro), and Hikvision. These are known flaws for which fixes have been released, and the threat actors are likely employing publicly available proof-of-concept exploits hosted on GitHub or other open-source platforms to gain initial access opportunistically. In plain words, any internet-facing server still running an unpatched version of one of these products is an easy target.
Fake Software Installers and Decoy PDFs
Attackers disguise their malicious tools as trusted programs like Cisco AnyConnect and Google Update, tricking users into running them without suspicion. Once the file is executed, SharkLoader quietly installs itself in the background.
In addition to installer-themed lures, several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file. The PDF appears normal, keeping the victim busy while the malware sets itself up silently.
What Happens After the Infection?
Once SharkLoader is running, the attack moves fast. It deploys a Cobalt Strike Beacon, which gives the operators a remote command channel into the host. The threat actor then conducts extensive reconnaissance and credential theft, including dumping credentials from Windows memory and from Active Directory. With those credentials in hand, the attackers can move laterally across much of the victim's network.
The malware itself is designed to stay hidden: it disguises its components as ordinary Windows system files, abuses a legitimate Windows application to load itself, and goes to great lengths to disable the security logging that defenders rely on to detect intrusions.
Specifically, the campaign hooks the Windows event-logging functions EtwEventWrite and EventWrite, patching them so they return immediately without recording anything. Any monitoring that depends on events emitted from inside the infected process is blinded, so a standard antivirus or EDR agent that relies on those events may see nothing wrong at all. The blinding is limited to the patched process, however: sensors that collect from the kernel, or that check whether these functions have been tampered with, can still catch it.
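To make that last point concrete, here is an added example, written for this article rather than taken from Kaspersky's research or from the SharkLoader samples, of how a defender can check whether EtwEventWrite or EventWrite has been overwritten with an early-return stub. The stub byte patterns are the ones commonly used for this trick; the CLEAN_PROLOGUE bytes are constructed for the demo and are not the real ntdll prologue. The live check only inspects the process it runs in, so for a suspect process you would apply the same comparison to bytes read from that process's memory or from a memory dump.

```python
"""Added example (not Kaspersky's code and not from SharkLoader): detect the
in-process ETW blinding described above by checking the first bytes of the
event-writing functions for early-return stubs or for any change versus disk."""
import ctypes
from typing import Optional

# Stubs that ETW-blinding loaders commonly write over the function prologue.
# Each makes the call return at once; the xor variants also return 0
# (ERROR_SUCCESS), so the caller believes the event was written.
EARLY_RETURN_STUBS = {
    b"\xc3": "ret (x64)",
    b"\x31\xc0\xc3": "xor eax,eax; ret (x64)",
    b"\x33\xc0\xc3": "xor eax,eax; ret (x64, alternate encoding)",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret (x64)",
    b"\xc2\x14\x00": "ret 0x14 (x86 stdcall, 0x14 bytes of arguments)",
    b"\x33\xc0\xc2\x14\x00": "xor eax,eax; ret 0x14 (x86)",
}


def classify_prologue(prologue: bytes) -> Optional[str]:
    """Name the stub if `prologue` starts with a known early-return patch, else None."""
    for stub, name in EARLY_RETURN_STUBS.items():
        if prologue.startswith(stub):
            return name
    return None


def differs_from_disk(in_memory: bytes, on_disk: bytes) -> bool:
    """Compare the mapped prologue with the same export's bytes in the DLL on
    disk. This also catches inline JMP hooks that the signature list misses."""
    n = min(len(in_memory), len(on_disk))
    return in_memory[:n] != on_disk[:n]


def read_live_prologue(module: str, export: str, n: int = 16) -> Optional[bytes]:
    """On Windows, read the first n bytes of module!export as mapped in this
    process; a user-mode hook is visible here. Returns None on other platforms."""
    if not hasattr(ctypes, "windll"):
        return None
    dll = getattr(ctypes.windll, module)
    addr = ctypes.cast(getattr(dll, export), ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


def scan_live() -> dict:
    """Check the two functions named in the report in the current process."""
    results = {}
    for module, export in (("ntdll", "EtwEventWrite"), ("advapi32", "EventWrite")):
        pro = read_live_prologue(module, export)
        results[f"{module}!{export}"] = None if pro is None else classify_prologue(pro)
    return results


# Constructed sample bytes for the demo; not the real ntdll prologue.
CLEAN_PROLOGUE = bytes.fromhex("4883ec58488b05a0b1c200")
PATCHED_PROLOGUE = b"\x31\xc0\xc3" + CLEAN_PROLOGUE[3:]

if __name__ == "__main__":
    print("sample clean  :", classify_prologue(CLEAN_PROLOGUE))
    print("sample patched:", classify_prologue(PATCHED_PROLOGUE),
          "| differs from disk:", differs_from_disk(PATCHED_PROLOGUE, CLEAN_PROLOGUE))
    print("this process  :", scan_live())
```

The signature list is deliberately short and will miss a hook that jumps elsewhere instead of returning, which is why the disk comparison is the more reliable of the two checks; a loader can also patch other exports on the same path, so treat a clean result as evidence, not proof.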
How Does SharkLoader Stay on the System?
The SharkLoader implant does not contain a built-in persistence mechanism, but the threat actor employs several techniques to maintain access to compromised systems.
- Registry Run key: In the Hong Kong incident, the attacker manually created a registry Run key that launches SystemSettings.exe at user logon, so the malware starts every time the user signs in.
- Scheduled task: In the Indonesia breach, the attacker established persistence through a scheduled task configured to execute SharkLoader daily.
- Double-task trick: The malware also created two Windows scheduled tasks, one running every five minutes to keep the loader active, and a second that fired every second right after deployment to guarantee SharkLoader launched immediately.
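Those three techniques are exactly what a responder should sweep for, and they are the monitoring check the FAQ at the end of this article recommends. Below is an added example of such a sweep, written for this article and not Kaspersky's tooling or anything recovered from the campaign. It triages an exported scheduled-task XML file and a set of Run-key values, flagging very short repetition intervals, a Windows binary name such as SystemSettings.exe launched from somewhere other than its usual folder, and entries that point into user-writable directories. The canonical path in SYSTEM_BINARY_HOMES, the ten-minute threshold, and the sample task and Run-key entries are all assumptions constructed for the example; the location heuristic will also flag legitimate updaters that live in AppData, which is why each finding carries a severity.

```python
"""Added example (not Kaspersky's or the attackers' code): triage exported
scheduled tasks and Run-key values for the persistence patterns described
above. All sample inputs are constructed for the example."""
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed canonical folder for a Windows binary of this name; the same name
# anywhere else is treated as masquerading. Extend for your environment.
SYSTEM_BINARY_HOMES = {
    "systemsettings.exe": r"c:\windows\immersivecontrolpanel",
}
# Locations a normal user can write to. Not proof of compromise on its own
# (legitimate updaters live in AppData), but worth a look.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_iso_duration(text: str) -> timedelta:
    """Task Scheduler intervals are ISO 8601 durations such as PT5M, PT1S, P1D."""
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def executable_from_command(cmdline: str) -> str:
    """First token of a command line, honouring a quoted path."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline.strip())
    return (m.group(1) or m.group(2)) if m else cmdline.strip()


def path_findings(exe_path: str) -> list:
    """Heuristics on a launched executable: masquerading name, user-writable home."""
    p = exe_path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    out = []
    home = SYSTEM_BINARY_HOMES.get(name)
    if home and directory != home:
        out.append(("high", f"{name} launched from {directory or '<relative>'} instead of {home}"))
    if any(h in p for h in USER_WRITABLE_HINTS):
        out.append(("low", f"runs from user-writable location: {exe_path}"))
    return out


def task_findings(xml_text: str, max_interval: timedelta = timedelta(minutes=10)) -> list:
    """Flag tasks that repeat very often (every five minutes or every second in
    the incidents above) and tasks whose action path looks wrong."""
    # `schtasks /query /xml` exports are UTF-16 with a declaration; drop it so
    # ElementTree accepts the already-decoded string.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).lstrip()
    root = ET.fromstring(xml_text)
    out = []
    for iv in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        if iv.text and parse_iso_duration(iv.text) <= max_interval:
            out.append(("high", f"repeats every {iv.text}"))
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS):
        out.extend(path_findings(executable_from_command(cmd.text or "")))
    return out


def run_key_findings(values: dict) -> dict:
    """values: value name -> command line, as read from ...\CurrentVersion\Run."""
    return {name: f for name, cmd in values.items()
            if (f := path_findings(executable_from_command(cmd)))}


# Constructed sample: a task exported with `schtasks /query /tn <name> /xml`.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT5M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\Settings\SystemSettings.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: values under HKCU\...\CurrentVersion\Run.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Settings": r"C:\Users\alice\AppData\Roaming\Settings\SystemSettings.exe",
}

if __name__ == "__main__":
    for sev, why in task_findings(SAMPLE_TASK_XML):
        print(f"task     [{sev}] {why}")
    for name, findings in run_key_findings(SAMPLE_RUN_KEY).items():
        for sev, why in findings:
            print(f"run key  [{sev}] {name}: {why}")
```

On a live host, feed it the output of `schtasks /query /tn "<task name>" /xml` for each task and the values returned by `Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'` (and the HKLM equivalent); the high-severity findings, a sub-ten-minute repeat or a system binary name in the wrong folder, are the ones that match this campaign, while the low-severity ones need a human to separate real updaters from look-alikes.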
Who Is Behind It?
No one knows for sure. Post-exploitation tools used in the campaign were developed by Chinese-speaking developers on GitHub, but that is not a strong indicator that the attackers are also Chinese-speaking. Kaspersky researchers noted that targeting of government and software development organizations may indicate a cyber-espionage objective, although their confidence remains low due to the limited post-compromise activity observed.
Given the absence of active data exfiltration, it is unclear what the end goals of StrikeShark are. However, the targeting of government and software development organizations suggests a cyber-espionage bent with a potential interest in political intelligence or intellectual property.
Given that Kaspersky’s visibility is limited to incidents observed through its own telemetry, the actual number of compromises may be significantly higher and extend beyond the known victims.
Why This Matters for Pakistan and the Region
Pakistan’s government agencies and IT sector rely heavily on the same software products targeted here, including Microsoft Exchange, SharePoint, and Cisco networking tools. The countries already confirmed as victims include neighbours and regional peers. Any government body, software company, or diplomat running unpatched, internet-facing infrastructure is a possible target.
Pakistan has been working to strengthen its digital governance framework. The country’s data governance policy gives citizens rights over their personal data, but keeping that data safe starts with basic security hygiene. Patching known flaws and training staff not to open unexpected files are the first lines of defence against campaigns like StrikeShark.
Organisations concerned about exposure should consult the official Kaspersky threat research published on Securelist for the full list of indicators of compromise (IOCs), including file hashes, IP addresses, and domain names used by the attackers.
Frequently Asked Questions
What is SharkLoader malware?
SharkLoader is a newly discovered malicious loader program. After attackers get onto a machine, whether through an unpatched server or a fake installer, it installs Cobalt Strike Beacon, a tool that lets them control the victim machine remotely. It was found by Kaspersky researchers investigating a breach in Indonesia.
What is the StrikeShark campaign?
StrikeShark is the name Kaspersky gave to the broader attack operation that uses SharkLoader. The campaign has hit government agencies, diplomatic missions, and tech companies in countries across Asia, the Middle East, Europe, and South America.
How can organisations protect themselves from SharkLoader?
The most important step is to patch all internet-facing servers and applications quickly, especially the Microsoft, Fortinet, Cisco, F5, Zimbra, Apache Shiro and Hikvision products named above. Staff should also be trained not to run unexpected installer files or open unsolicited PDF attachments. Monitoring should look for new or unusual scheduled tasks and Registry Run keys, and for tampering with the Windows event-logging functions that this campaign hooks.
Has any data been stolen in the SharkLoader attacks?
No data theft has been confirmed. Kaspersky saw no clear evidence of exfiltration, but that does not rule it out, since Cobalt Strike's data-exfiltration capabilities could be put to use at a later stage. The mix of exploited servers and fake installers also suggests the attacker compromises vulnerable systems opportunistically, so not every victim was necessarily a deliberate espionage target.
