StrikeShark
StrikeShark is a tracked intrusion cluster associated with the previously undocumented SharkLoader malware family. Researchers identified the activity during an investigation into a diplomatic organization in Indonesia and observed additional infections affecting government, diplomatic, software development, and other organizations across Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and other countries, indicating broad and partly opportunistic targeting. SharkLoader is used to deploy Cobalt Strike Beacon on compromised systems. Observed initial access included exploitation of internet-facing applications and delivery via custom droppers disguised as legitimate software such as Google Update and Cisco AnyConnect. Reported exploited vulnerabilities included Microsoft Exchange CVE-2021-26855 and CVE-2022-41082, Microsoft SharePoint CVE-2021-27076, Openfire CVE-2023-32315, GeoServer CVE-2024-36401, Apache Shiro CVE-2016-4437, Hikvision CVE-2021-36260, Zimbra Collaboration Suite CVE-2022-27925, F5 BIG-IP CVE-2023-46747, Fortinet FortiOS CVE-2024-21762 and CVE-2022-40684, and Cisco IOS XE Web UI CVE-2023-20198. Researchers assessed with medium confidence that the actor primarily relied on publicly available proof-of-concept exploits. One IP associated with a StrikeShark C2 domain was also observed conducting internet-wide scanning. Technically, SharkLoader abuses DLL sideloading using legitimate binaries such as SystemSettings.exe, and variants also used other sideloaded DLL names including msedge.dll, PrintDialog.dll, and miracastview.dll. The malware uses encrypted multi-stage modules, reflective loading, API hooking, ETW suppression, and memory-evasion techniques while launching Cobalt Strike Beacon in memory.
Reported behavior included use of the Perfect DLL Hijacking technique, Blowfish and AES decryption of staged components, Microsoft Detours, MinHook, jitasm-generated direct syscalls, hooking of EtwEventWrite, EventWriteEx, EventWrite, VirtualAlloc, and Sleep, and PPID spoofing. Persistence included webshell deployment after exploitation, scheduled tasks, and registry Run keys such as MFUpdate and \Microsoft\Windows\Edge\Edgeupdate. Post-compromise activity included reconnaissance, Active Directory enumeration, credential dumping from LSASS with Procdump64, NTDS extraction with ntdsutil, and use of FScan, Searchall, Pillager, SharpGPOAbuse, Cobalt Strike, and webshells. Attribution remains preliminary. Researchers stated they found no direct code reuse, infrastructure overlap, or operational similarity sufficient to attribute StrikeShark to any known APT or cybercrime group. Based on the use of several open-source tools associated with Chinese-speaking developers, they assessed with low confidence that StrikeShark is a Chinese-speaking threat actor. Known associated malware name: SharkLoader.
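As an added defender-side example (not from the original reporting or from the Mallory platform), the following Python flags three of the behaviours described above in constructed Sysmon-style events: the reported sideloading host SystemSettings.exe or the reported DLL names loading from outside trusted program directories, the reported Run value names MFUpdate and Edgeupdate, and Procdump/ntdsutil credential-theft command lines. The event field names, file paths and the placeholder DLL name are constructed assumptions, not indicators from the report.

```python
# Host binaries and DLL names the report lists as sideloading targets.
SIDELOAD_HOSTS = {"systemsettings.exe"}
SIDELOADED_DLLS = {"msedge.dll", "printdialog.dll", "miracastview.dll"}
# Coarse baseline: module loads from these trees are treated as expected;
# sideloaded copies are typically staged in user-writable directories.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Persistence value names reported for the cluster.
RUN_VALUE_NAMES = {"mfupdate", "edgeupdate"}


def check_event(ev: dict) -> list:
    """Return alert reasons for one event; an empty list means nothing matched."""
    hits = []
    if ev["type"] == "image_load":
        host = ev["process"].lower().rsplit("\\", 1)[-1]
        path = ev["image"].lower()
        dll = path.rsplit("\\", 1)[-1]
        if (host in SIDELOAD_HOSTS or dll in SIDELOADED_DLLS) and not path.startswith(TRUSTED_PREFIXES):
            hits.append(f"possible DLL sideloading: {host} loaded {path}")
    elif ev["type"] == "registry_set":
        key = ev["key"].lower()
        if "\\currentversion\\run\\" in key and key.rsplit("\\", 1)[-1] in RUN_VALUE_NAMES:
            hits.append(f"reported persistence Run value: {ev['key']}")
    elif ev["type"] == "process_create":
        cmd = ev["cmdline"].lower()
        if "procdump" in cmd and "lsass" in cmd:
            hits.append("LSASS memory dump via Procdump")
        if "ntdsutil" in cmd and "ifm" in cmd:
            hits.append("NTDS extraction via ntdsutil IFM")
    return hits


def scan(events: list) -> list:
    """Run check_event over a batch; returns (event index, reason) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample telemetry (not real IoCs): one benign load, a staged copy of
# the host binary loading a placeholder DLL, two Run writes, two credential dumps.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
     "image": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "image_load", "process": "C:\\Users\\Public\\Update\\SystemSettings.exe",
     "image": "C:\\Users\\Public\\Update\\placeholder_sideload.dll"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MFUpdate"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    {"type": "process_create", "cmdline": "Procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},
    {"type": "process_create", "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\Temp\\x" q q'},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The path prefix check is a deliberately coarse baseline; in production, pair it with signer checks on the loaded module and with the expected install path of the host binary.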
Tradecraft
26 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
13 CVEs this actor has used in observed campaigns. 13 of them exploited in the wild.
In the incident affecting an Indonesian diplomatic entity, the threat actor exploited Microsoft Exchange vulnerabilities, including CVE-2021-26855 (ProxyLogon), to gain access to the target environment.
Beyond these incidents, we identified additional exploitation activity targeting vulnerabilities in multiple internet-facing enterprise applications and network appliances including those listed below:
Remote Code Execution (RCE) Apache Shiro: CVE-2016-4437
Remote Code Execution (RCE) Microsoft SharePoint: CVE-2021-27076
Remote Code Execution (RCE) Hikvision Products: CVE-2021-36260
Remote Code Execution (RCE) Zimbra Collaboration Suite: CVE-2022-27925
Observables
12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A newly identified intrusion cluster conducting broad opportunistic and strategic intrusions across multiple countries and sectors, using exploitation of internet-facing applications and custom droppers to deploy SharkLoader, which in turn loads Cobalt Strike Beacon. Activity includes persistence via scheduled tasks and registry Run keys, webshell deployment, reconnaissance, Active Directory enumeration, credential dumping, and stealth through API hooking and ETW suppression.
Previously undocumented intrusion cluster using SharkLoader to deploy Cobalt Strike Beacon, exploiting internet-facing applications and using malicious droppers against government organizations, diplomatic entities, software development companies, and other sectors across multiple countries.