Rupert Marais joins us today to dissect a sophisticated new threat landscape that is currently challenging the resilience of global network defenses. As a dedicated specialist in endpoint security and device management, Rupert has spent years identifying the subtle fingerprints left by advanced persistent threats. Today, he sheds light on “StrikeShark,” a newly identified campaign that utilizes the undocumented SharkLoader malware to infiltrate high-value targets across the globe, ranging from diplomatic entities in Indonesia to software developers in Taiwan and Colombia.
The conversation explores the technical architecture of SharkLoader, specifically its reliance on “Perfect DLL Hijacking” to bypass traditional Windows security mechanisms like Loader Lock. We examine the attacker’s opportunistic exploitation of a staggering array of vulnerabilities, including critical flaws in Microsoft Exchange, Openfire, and GeoServer, which allow them to establish initial access. Furthermore, the interview highlights the group’s use of open-source post-compromise tools and legitimate-looking software installers to deploy Cobalt Strike Beacons, suggesting a strategic shift toward cyber espionage and intellectual property theft in the government and technology sectors.
The StrikeShark campaign seems to cast an incredibly wide net across several continents; how would you describe the diversity of their targets and what does this suggest about the attacker’s ultimate motivations?
The victimology of this campaign is remarkably broad, spanning from government organizations in Taiwan to a diplomatic entity in Indonesia, and even software development firms in locations as varied as Lebanon, Syria, and Colombia. We are also seeing activity in North Macedonia, Nepal, Serbia, and Hong Kong, which indicates that the threat actor is not limiting themselves to a single niche or geopolitical region. This “spray and pray” approach, combined with the specific targeting of government and tech sectors, suggests a strong leaning toward cyber espionage. By hoovering up political intelligence or intellectual property from such a diverse set of victims, the attackers are likely building a massive repository of sensitive data for long-term strategic use. The sheer variety of the targets makes it clear that any organization with a public-facing vulnerability is a potential mark, regardless of their size or location.
You have analyzed several entry points for these attacks, including flaws in Microsoft Exchange and GeoServer. What does the use of such a diverse list of vulnerabilities, like CVE-2021-26855 and CVE-2024-36401, reveal about the attacker’s technical methodology?
The attackers are demonstrating a highly opportunistic and resourceful methodology by leveraging a library of vulnerabilities that span several years of software history. They aren’t just using the latest zero-days; they are actively weaponizing older, well-known flaws like the ProxyLogon bug in Exchange and more recent critical remote code execution bugs in GeoServer. By utilizing publicly available proof-of-concept exploits from platforms like GitHub, they can quickly pivot and strike any system that hasn’t been strictly patched. Their toolkit includes everything from Apache Shiro and Hikvision flaws to the very recent React Server Components vulnerability, CVE-2025-55182. This tells us that the StrikeShark operators are constantly scanning the perimeter for any crack in the armor, whether it’s a legacy server or a modern web framework, to find their way inside.
One of the most technical aspects of this threat is the deployment of SharkLoader through a technique called “Perfect DLL Hijacking.” Could you explain how this bypasses standard Windows defenses and why it is so effective?
This technique is particularly insidious because it is designed to execute malicious code while completely bypassing the Windows Loader Lock, which is a system-wide lock held by the OS during the loading of DLLs. By following the research detailed by Elliot Killick, the SharkLoader malware uses a legitimate executable, such as “SystemSettings.exe,” to side-load a malicious “SystemSettings.dll.” This process eventually leads to the decryption and loading of a file named “DscCoreR.mui,” which acts as a bridge to decompress the final Cobalt Strike Beacon. Because the malicious activity is wrapped inside a trusted system process, it often flies under the radar of standard endpoint detection tools. It’s a sensory game of hide-and-seek where the malware waits for the perfect moment to inject its code into a suspended thread, ensuring it doesn’t trigger the typical alarms associated with memory allocation.
We are seeing these attackers disguise their droppers as legitimate software installers like Google Update or Cisco AnyConnect. How does this type of psychological manipulation complicate the job of a security specialist?
It creates a nightmare scenario for defenders because it exploits the inherent trust that users have in their daily productivity tools and routine updates. When a user sees a familiar icon for Google Update or a Cisco AnyConnect installer, their guard naturally drops, and they are far more likely to authorize the installation. Some of these SharkLoader droppers even go as far as to display decoy PDF documents to further the illusion of legitimacy, making the attack feel like a normal business transaction. From a security management perspective, this means we can’t just rely on technical filters; we have to account for the human element and the fact that a single click on a “legitimate”-looking file can trigger a complex chain of infection. It forces us to treat every installer as a potential threat vector, regardless of how official the branding might appear.
The tools being utilized post-compromise, such as FScan and Pillager, are often linked to Chinese-speaking developers. What is your assessment of the attribution of this campaign and the specific role these tools play in the attack?
While it is always difficult to definitively attribute a campaign to a specific nation-state, the heavy reliance on open-source tools like FScan, Searchall, and Pillager strongly points toward a Chinese-speaking threat actor. These tools are frequently found in the repositories of developers in that community and are optimized for rapid reconnaissance and credential harvesting. Once the attackers have established their foothold, they use these scanners to map out the Active Directory environment and hunt for high-value credentials within the LSASS process or the NTDS database file. It’s a very systematic approach: they land, they use these specialized tools to see everything on the network, and then they prepare for the next phase of the operation. The use of the Microsoft Detours library and MinHook DLL also shows a high level of technical proficiency in hooking Windows APIs to monitor exceptions and evade memory scanners.
SharkLoader itself does not have built-in persistence mechanisms, yet it manages to stay active on a compromised host. How are the attackers leveraging the Windows environment to ensure they don’t lose access?
Even though the malware lacks its own persistence code, the StrikeShark actors are experts at living off the land by using native Windows features to keep their hooks in the system. They typically leverage Registry Run keys and scheduled tasks to ensure that the “SystemSettings.exe” file—which triggers the whole DLL side-loading chain—launches every time a user logs in. In more aggressive scenarios, they configure these tasks to run even if no user is currently logged into the machine, providing them with a permanent back door. This reliance on standard administrative tools makes the infection look like a routine system process to the untrained eye. It shows that the attackers are thinking several steps ahead, ensuring that even if a specific session is terminated, their “shark” will be back in the water the moment the system reboots.
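As an added illustration (not part of the interview, and not the vendor's tooling), the check below triages autorun entries for the persistence pattern described above: SystemSettings.exe launched from a Run key or scheduled task out of a directory other than its normal Windows location, with a SystemSettings.dll or DscCoreR.mui sitting beside it. The registry paths, task names, user directories and file inventory are constructed sample data, and treating any copy outside the ImmersiveControlPanel directory as suspicious is an assumption for triage.

```python
import ntpath
from dataclasses import dataclass

# Windows ships the legitimate binary here; a copy anywhere else is flagged (assumption for triage).
LEGIT_DIR = r"c:\windows\immersivecontrolpanel"
# Files the interview names as the side-load chain next to the relocated executable.
SIDELOAD_NAMES = {"systemsettings.dll", "dsccorer.mui"}


@dataclass
class Autorun:
    location: str   # registry Run value or scheduled task that fires the command
    command: str    # command line the autorun executes


def exe_path(command: str) -> str:
    """Extract the executable path from a command line, honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(autoruns, files_on_disk):
    """Return findings for autoruns that launch SystemSettings.exe from an
    unexpected directory, listing which side-load artifacts are present there."""
    present = {p.lower() for p in files_on_disk}
    findings = []
    for entry in autoruns:
        path = exe_path(entry.command)
        if ntpath.basename(path).lower() != "systemsettings.exe":
            continue
        directory = ntpath.dirname(path).lower()
        if directory == LEGIT_DIR:
            continue  # normal location, nothing to report
        artifacts = sorted(n for n in SIDELOAD_NAMES if ntpath.join(directory, n) in present)
        findings.append({"location": entry.location, "path": path, "sideload_artifacts": artifacts})
    return findings


# Constructed sample data: one relocated copy with the side-load files, one legitimate entry, one unrelated.
SAMPLE_AUTORUNS = [
    Autorun(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
            r'"C:\Users\alice\AppData\Roaming\GoogleUpdate\SystemSettings.exe"'),
    Autorun(r"SchTask \Microsoft\Windows\SettingsSync", r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe"),
    Autorun(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
            r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\GoogleUpdate\SystemSettings.exe",
    r"C:\Users\alice\AppData\Roaming\GoogleUpdate\SystemSettings.dll",
    r"C:\Users\alice\AppData\Roaming\GoogleUpdate\DscCoreR.mui",
    r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUNS, SAMPLE_FILES):
        print(finding)
```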
What is your forecast for the StrikeShark campaign?
I expect the StrikeShark campaign to evolve from its current reconnaissance-heavy phase into a more aggressive data exfiltration stage very soon. While we haven’t seen a massive amount of data leaving the networks yet, the deployment of Cobalt Strike Beacons and the intense focus on credential theft suggests that they are currently “laying the groundwork” for a significant harvest. We will likely see them begin to utilize Cobalt Strike’s file operation modules to target specific intellectual property in the software development and government sectors they have already compromised. Furthermore, as more proof-of-concept exploits for vulnerabilities like CVE-2025-55182 become stable, the geographic reach of SharkLoader will probably expand even further into Europe and North America. Organizations must remain vigilant, as the “quiet” nature of the current attacks is likely just the calm before a very coordinated and damaging data breach.
