SharkLoader
Vulnerabilities exploited
13 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Evidence from the source research, grouped by the sentence in which each CVE is cited:

"In the incident affecting an Indonesian diplomatic entity, the threat actor exploited Microsoft Exchange vulnerabilities, including CVE-2021-26855 (ProxyLogon), to gain access to the target environment."
- CVE-2021-26855 (Microsoft Exchange Server, ProxyLogon)

"Similar activity was observed in Taiwan, where software development organizations were compromised through exploitation of Openfire (CVE-2023-32315)."
- CVE-2023-32315 (Openfire)

"In a separate incident affecting a Colombian organization, the threat actor exploited a GeoServer instance vulnerable to CVE-2024-36401."
- CVE-2024-36401 (GeoServer)

"Beyond these incidents, we identified additional exploitation activity targeting vulnerabilities in multiple internet-facing enterprise applications and network appliances including those listed below:"
- Remote Code Execution (RCE), Microsoft SharePoint: CVE-2021-27076
- Remote Code Execution (RCE), Microsoft Exchange Server: CVE-2022-41082
- Remote Code Execution (RCE), Apache Shiro: CVE-2016-4437
- Remote Code Execution (RCE), Zimbra Collaboration Suite: CVE-2022-27925
- Remote Code Execution (RCE), F5 BIG-IP system: CVE-2023-46747
- Remote Code Execution (RCE), Hikvision Products: CVE-2021-36260
- Remote Code Execution (RCE), Fortinet FortiOS: CVE-2024-21762
- Authentication Bypass, Cisco IOS XE Web UI: CVE-2023-20198
- Authentication Bypass, Fortinet FortiOS: CVE-2022-40684
- React Server Components: CVE-2025-55182

All rows are correlated to the same source context: "During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. Our investigation revealed that SharkLoader serves as a loader designed to deploy Cobalt Strike Beacon on compromised systems."
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
we uncovered a previously undocumented malware family that we have named SharkLoader. Our investigation revealed that SharkLoader serves as a loader designed to deploy Cobalt Strike Beacon on compromised systems.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
We observed the threat actor deploying SharkLoader through exploitation of internet-facing applications, including Microsoft Exchange, Microsoft SharePoint, and Openfire Server... In the incident affecting an Indonesian diplomatic entity, the threat actor exploited Microsoft Exchange vulnerabilities, including CVE-2021-26855 (ProxyLogon)... Similar activity was observed in Taiwan... through exploitation of Openfire (CVE-2023-32315). In a separate incident... exploited a GeoServer instance vulnerable to CVE-2024-36401.
Execution (1 technique)
In the dropper-based infections, after deploying all required SharkLoader components, the dropper creates two scheduled tasks through the Windows Task Scheduler COM interfaces... The first scheduled task uses a time-based trigger that executes every five minutes, providing long-term persistence.
Persistence (4 techniques)
In the dropper-based infections, after deploying all required SharkLoader components, the dropper creates two scheduled tasks through the Windows Task Scheduler COM interfaces... The first scheduled task uses a time-based trigger that executes every five minutes, providing long-term persistence.
Registry Run key: In the incident that affected an organization in Hong Kong, the attacker manually created a registry Run key to launch SystemSettings.exe upon user logon. The following command was used: reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "MFUpdate"
Following exploitation, the attacker established persistence on compromised servers through the deployment of webshells. Although we were unable to recover the webshell files, a series of commands whose execution we observed in our telemetry along with the detection records of webshells strongly indicate their use for post-exploitation activities.
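The persistence artifacts quoted above (a Run key value written with reg add, SystemSettings.exe copied out of its normal Windows directory before being launched, and a five-minute scheduled task alongside a second task that is deleted about 1.5 seconds after creation) can be turned into telemetry checks. The following is an added example written for this page, not code from the source research or from Mallory; it assumes simplified, constructed event records shaped like Sysmon process-creation events and Windows Security task events 4698 (task created) and 4699 (task deleted), and it assumes that C:\Windows\ImmersiveControlPanel is the normal home of SystemSettings.exe.

```python
"""Triage checks for the SharkLoader persistence artifacts described above.

Added example, not the vendor's or Mallory's code. The event records used
here are constructed approximations of Sysmon / Windows Security telemetry.
"""
import re
from datetime import datetime, timedelta

# "reg add" anywhere on a command line (bare name or full path, with or without .exe).
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\"?\s+add\b", re.I)
# Any Run or RunOnce key under HKCU/HKLM, regardless of hive spelling.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\b", re.I)
VALUE_NAME_RE = re.compile(r"/v\s+\"?([^\"\s]+)\"?", re.I)
# Assumption: the legitimate SystemSettings.exe lives here on current Windows builds.
SYSTEMSETTINGS_HOME = "c:\\windows\\immersivecontrolpanel\\"
# Repetition interval in task XML, e.g. <Interval>PT5M</Interval>.
INTERVAL_RE = re.compile(r"<Interval>PT(\d+)M</Interval>")


def check_run_key(cmdline):
    """Return the value name if cmdline is a 'reg add' into a Run/RunOnce key, else None."""
    if not REG_ADD_RE.search(cmdline) or not RUN_KEY_RE.search(cmdline):
        return None
    m = VALUE_NAME_RE.search(cmdline)
    return m.group(1) if m else "(default)"


def check_systemsettings_path(image):
    """True when SystemSettings.exe runs from anywhere other than its normal directory."""
    low = image.lower().replace("/", "\\")
    if not low.endswith("\\systemsettings.exe"):
        return False
    return not low.startswith(SYSTEMSETTINGS_HOME)


def check_task_events(events, max_lifetime=timedelta(seconds=10), max_minutes=5):
    """Flag tasks that repeat every <= max_minutes and tasks deleted within max_lifetime of creation."""
    created = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4698:  # task created; TaskContent XML carries the triggers
            created[ev["task"]] = ev["time"]
            m = INTERVAL_RE.search(ev.get("xml", ""))
            if m and int(m.group(1)) <= max_minutes:
                findings.append(("five_minute_repeat", ev["task"]))
        elif ev["id"] == 4699:  # task deleted; pair it with its creation
            t0 = created.pop(ev["task"], None)
            if t0 is not None and ev["time"] - t0 <= max_lifetime:
                findings.append(("short_lived_task", ev["task"]))
    return findings


def triage(process_events, task_events):
    """Run all checks and return (rule, detail) findings in evaluation order."""
    findings = []
    for ev in process_events:
        name = check_run_key(ev["cmdline"])
        if name:
            findings.append(("run_key_persistence", name))
        if check_systemsettings_path(ev["image"]):
            findings.append(("systemsettings_relocated", ev["image"]))
    findings.extend(check_task_events(task_events))
    return findings


# Constructed sample telemetry. The first command line is the one quoted in the report
# (truncated there as well); the rest are benign or suspicious fillers for contrast.
SAMPLE_PROCESS_EVENTS = [
    {"image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": r'reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "MFUpdate"'},
    {"image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\ExampleVendor\App /v LogLevel /t REG_DWORD /d 2"},
    {"image": "C:\\ProgramData\\Update\\SystemSettings.exe", "cmdline": "SystemSettings.exe"},
    {"image": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "cmdline": "SystemSettings.exe"},
]
T0 = datetime(2025, 1, 1, 12, 0, 0)
SAMPLE_TASK_EVENTS = [
    {"id": 4698, "task": "\\UpdaterA", "time": T0,
     "xml": "<Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>"},
    {"id": 4698, "task": "\\UpdaterB", "time": T0 + timedelta(milliseconds=50),
     "xml": "<Triggers><TimeTrigger/></Triggers>"},
    {"id": 4699, "task": "\\UpdaterB", "time": T0 + timedelta(seconds=1.6)},
    {"id": 4698, "task": "\\Backup", "time": T0 + timedelta(hours=1),
     "xml": "<Triggers><CalendarTrigger/></Triggers>"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_TASK_EVENTS):
        print(f"{rule}: {detail}")
```

The task-deletion pairing is the check most specific to the behaviour quoted on this page: a 4698 followed by a 4699 for the same task name within seconds is rare in normal administration, whereas five-minute repeating tasks and reg add to a Run key will also fire on legitimate software and need allow-listing by image path and value name.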
Privilege Escalation (4 techniques)
In the dropper-based infections, after deploying all required SharkLoader components, the dropper creates two scheduled tasks through the Windows Task Scheduler COM interfaces... The first scheduled task uses a time-based trigger that executes every five minutes, providing long-term persistence.
The DscCoreR.mui then decompresses the Cobalt Strike Beacon shellcode into the memory region associated with the suspended thread and then the suspended thread is resumed, resulting in execution of the beacon.
Creates a new thread that executes the process creation routine responsible for PPID spoofing... Builds an extended startup attribute list to set the selected svchost.exe as the spoofed parent... As a result, any new process created by the current process... is spawned under svchost.exe instead of the current module process.
Stealth (8 techniques)
In several observed cases, the threat actor distributed SharkLoader through custom dropper executables masquerading as legitimate software installers or applications such as Google Update and Cisco AnyConnect.
The DscCoreR.mui then decompresses the Cobalt Strike Beacon shellcode into the memory region associated with the suspended thread and then the suspended thread is resumed, resulting in execution of the beacon.
After a delay of approximately 1.5 seconds, the dropper removes the second scheduled task by using the Task Scheduler COM interfaces, leaving the first task in place to maintain persistence on the system.
Creates a new thread that executes the process creation routine responsible for PPID spoofing... Builds an extended startup attribute list to set the selected svchost.exe as the spoofed parent... As a result, any new process created by the current process... is spawned under svchost.exe instead of the current module process.
The routine first reads the encrypted file into memory and extracts the first 16 bytes to use as the Blowfish decryption key... decrypts the file in ECB mode... To decrypt SyncRes.dat, the malware extracts a 16-byte AES-128 key and a 16-byte initialization vector (IV) directly from the file itself.
One of the earliest observed actions involved copying the legitimate Windows application SystemSettings.exe to a new location before executing it... This application was later abused as part of a DLL sideloading chain used to launch SharkLoader.
The second hook, on the Sleep API, is used when Cobalt Strike Beacon calls Sleep... It temporarily modifies the memory protection of the tracked allocation regions... before invoking the original Sleep function. After the sleep period ends, the malware restores the memory protection... This behavior suggests that the malware developer implemented this mechanism to evade memory scanning techniques.
Once decryption is complete, the resulting PE file is reflectively loaded into memory and executed without being written to disk... the malware proceeds to load and decrypt a second encrypted file, SyncRes.dat, before reflectively loading the resulting DLL into memory.
Defense Impairment (1 technique)
Registry Run key: In the incident that affected an organization in Hong Kong, the attacker manually created a registry Run key to launch SystemSettings.exe upon user logon. The following command was used: reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "MFUpdate"
Discovery (1 technique)
The second hook, on the Sleep API, is used when Cobalt Strike Beacon calls Sleep... It temporarily modifies the memory protection of the tracked allocation regions... before invoking the original Sleep function. After the sleep period ends, the malware restores the memory protection... This behavior suggests that the malware developer implemented this mechanism to evade memory scanning techniques.
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A previously undocumented loader malware family used to deploy Cobalt Strike Beacon. It is delivered via exploitation of internet-facing applications and custom droppers, uses DLL sideloading for execution, decrypts and reflectively loads additional stages in memory, installs API hooks for evasion, and helps establish persistence on compromised systems.
A previously undocumented loader malware family used to deploy Cobalt Strike Beacon. It is delivered via exploitation of internet-facing applications and custom droppers, uses DLL sideloading for execution, decrypts and reflectively loads staged modules, installs API hooks for evasion, and maintains access through scheduled tasks or registry Run keys.