Securelist
StrikeShark Campaign Unleashes SharkLoader Malware to Deploy Cobalt Strike
A new malware family named SharkLoader has been discovered, linked to a campaign called StrikeShark that targets organizations across several sectors, including a diplomatic organization in Indonesia. SharkLoader is a loader used to deploy Cobalt Strike Beacon on compromised systems. The campaign gains initial access in two ways: by exploiting known vulnerabilities in internet-facing applications such as Microsoft Exchange (CVE-2021-26855), Openfire (CVE-2023-32315), and GeoServer (CVE-2024-36401), and through custom droppers disguised as legitimate software. The campaign has a broad geographic reach, affecting entities in multiple countries, including Taiwan, Colombia, and Lebanon. Current assessments indicate that the threat actor relies on publicly available exploits; the activity has not been definitively attributed to any known group, and researchers continue to analyze its scope and methods.
Key Points:
• SharkLoader malware serves as a loader for deploying Cobalt Strike Beacon.
• The campaign exploits multiple vulnerabilities, including CVE-2021-26855 and CVE-2023-32315.
• Affected sectors include diplomatic organizations and software companies across various countries.