Security researchers have uncovered a new malware family called SharkLoader. The loader deploys Cobalt Strike Beacon on compromised systems.
The campaign casts a wide net across regions and sectors. It has hit a diplomatic body in Indonesia and government bodies in Taiwan. Software development firms in several countries were also targeted. Other victims sit in Hong Kong, Lebanon, Syria, Colombia, Nepal, and Serbia.
“At the same time, the use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems,” said Kaspersky, which identified the malware. “The absence of clear evidence of data exfiltration thus far does not exclude this possibility, as Cobalt Strike’s file operation and data exfiltration modules could be employed at a later stage.”
The broad victim list suggests wide reach rather than one industry focus. The attackers show no direct link to any known group. However, they used open-source tools favored by Chinese-speaking developers. Researchers believe a Chinese-speaking actor runs the campaign.
The hackers break in by exploiting known public vulnerabilities. They abused old Microsoft Exchange flaws like ProxyLogon to hit the Indonesian target. They struck Taiwanese firms through an Openfire path traversal bug. A critical GeoServer flaw opened the door to a Colombian organization.
The attackers likely grab public exploit code from GitHub opportunistically. Once inside, they deploy web shells to trigger a DLL side-loading chain. That chain abuses a legitimate Windows file to load SharkLoader quietly. A second method hides the loader inside fake software installers.
Some droppers pose as Google Update or Cisco AnyConnect. Others use decoy PDF documents to trick victims into opening files. The loader then uses an advanced hijacking technique to run hidden code. It decrypts and loads Cobalt Strike while dodging memory scanning.
The attackers run deep reconnaissance after gaining a foothold. They enumerate Active Directory and steal credentials from key system files. They also deploy open-source scanners to map the network. No clear data theft appeared yet, but espionage looks likely. Targeting governments and developers points to political or intellectual property interest.
