SOC Prime Bias: High

02 Jul 2026 06:46 UTC

StrikeShark Campaign Delivers Cobalt Strike Through SharkLoader

SOC Prime Team

Summary

StrikeShark is a newly identified threat campaign that uses a custom malware loader called SharkLoader to deliver Cobalt Strike Beacons. The operation relies on multiple initial access methods, including exploitation of internet-facing applications and dropper-based delivery. The malware also uses advanced evasion techniques such as DLL sideloading and API hooking to slip past security defenses.

Investigation

The investigation identified SharkLoader infections across several countries and industry sectors, including diplomatic entities and software development organizations. Researchers traced the full intrusion chain, from exploitation of flaws such as ProxyLogon to execution of the final Cobalt Strike payload. The study also described the technical use of “Perfect DLL Hijacking” and sophisticated API hooking designed to reduce detection.

Mitigation

Organizations should prioritize patching internet-facing systems, especially Microsoft Exchange, SharePoint, and exposed network appliances. Deploying strong endpoint detection and response capabilities can help uncover suspicious DLL sideloading and unauthorized scheduled task creation. Security teams should also monitor abnormal parent-child process relationships, such as svchost.exe launching unexpected processes.

Response

If this activity is detected, isolate affected systems immediately to stop further lateral movement and command-and-control traffic. Conduct a full forensic investigation to determine the initial access point and the overall scope of compromise. Reset credentials for all potentially affected accounts, particularly privileged users, and review Active Directory for unauthorized changes or newly assigned group memberships.

Attack Flow

    flowchart TD
        step_initial_access["Initial Access: T1210 – Exploitation of Remote Services & T1204.002 – User Execution: Malicious File. Targets vulnerabilities in Exchange/Openfire/GeoServer or uses custom droppers like Cisco AnyConnect/Google Update."]
        step_execution["Execution: T1574.001 – Hijack Execution Flow: DLL. Employs DLL side-loading by abusing SystemSettings.exe to load malicious SystemSettings.dll."]
        rules_for_execution("<b>Rule Name</b>: System Processes Execution from Untypical Paths (via process_creation)<br/><b>Rule ID</b>: f1383796-38ff-4ac0-a88f-3dd365549c7e")
        step_persistence["Persistence: T1053 – Scheduled Task/Job & T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. Creates tasks like 'OneDrive Standalone Update Task' and Registry Run keys."]
        step_stealth["Stealth: T1027 – Obfuscated Files or Information & T1685 – Defense Impairment. Uses Blowfish/AES and zlib to hide components; installs API hooks on ETW to evade logging."]
        step_discovery["Discovery: T1082 – System Information Discovery & T1087.002 – Account Discovery: Domain Account. Uses PowerShell to enumerate Active Directory users and groups."]
        step_credential_access["Credential Access: T1003.001 – OS Credential Dumping: LSASS Memory & T1003.003 – OS Credential Dumping: NTDS. Uses Procdump64.exe for LSASS and ntdsutil for IFM copies."]
        step_initial_access -->|leads_to| step_execution
        step_execution -.->|detected_by| rules_for_execution
        step_execution -->|enables| step_persistence
        step_persistence -->|leads_to| step_stealth
        step_stealth -->|then| step_discovery
        step_discovery -->|enables| step_credential_access
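Two of the signals named on this page, a system-process image name (such as SystemSettings.exe) executing from an untypical path, which is what the rule in the attack flow keys on, and svchost.exe launching an unexpected child process from the Mitigation section, written as detection logic run over constructed process_creation records. This is an added example, not SOC Prime's rule or the page's script; the expected-directory table and the list of suspicious svchost.exe children are assumptions.

```python
# Added example: detection checks over constructed Sysmon-style process_creation
# records. Not SOC Prime's rule; directory and child-process lists are assumptions.
from pathlib import PureWindowsPath

# Assumption: where these system binaries normally live. A production rule would
# carry a fuller list of image names and their allowed directories.
EXPECTED_DIRS = {
    "systemsettings.exe": {r"c:\windows\immersivecontrolpanel"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Assumption: shells and script hosts that svchost.exe has no routine reason to
# spawn directly; any of these as a direct child is flagged.
SUSPICIOUS_SVCHOST_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}

def untypical_path(record: dict) -> bool:
    """True when a known system-process name runs from outside its expected directory."""
    image = PureWindowsPath(record["Image"])
    expected = EXPECTED_DIRS.get(image.name.lower())
    return expected is not None and str(image.parent).lower() not in expected

def unexpected_svchost_child(record: dict) -> bool:
    """True when svchost.exe is the direct parent of a shell or script host."""
    parent = PureWindowsPath(record["ParentImage"]).name.lower()
    child = PureWindowsPath(record["Image"]).name.lower()
    return parent == "svchost.exe" and child in SUSPICIOUS_SVCHOST_CHILDREN

def evaluate(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image, reasons) for every record that trips at least one check."""
    hits = []
    for rec in records:
        reasons = []
        if untypical_path(rec):
            reasons.append("system process image from untypical path")
        if unexpected_svchost_child(rec):
            reasons.append("unexpected child of svchost.exe")
        if reasons:
            hits.append((rec["Image"], reasons))
    return hits

# Constructed sample events: a normal SystemSettings.exe launch, one from a user-writable
# directory (the sideloading pattern), svchost.exe -> PowerShell, and a normal svchost start.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\Public\Update\SystemSettings.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]
```

Only the second and third constructed records are flagged; the benign SystemSettings.exe launch from its normal directory and the svchost.exe start under services.exe pass both checks.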

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to establish a foothold using the SharkLoader campaign’s signature methods. First, the attacker simulates the DLL sideloading byproduct by launching a renamed version of a legitimate binary as SystemSettings.exe. Once the process is running, the attacker attempts to gain situational awareness by enumerating the domain environment. To mimic the observed TTP, the attacker uses PowerShell to query Active Directory for user and computer objects, which is a common step during the reconnaissance phase of a domain compromise.

  • Regression Test Script:

    # Simulation Script for SharkLoader & AD Enumeration Detection
    # The Get-AD* cmdlets below require the RSAT ActiveDirectory module
    Import-Module ActiveDirectory -ErrorAction Stop

    Write-Host "[*] Starting Simulation..." -ForegroundColor Cyan

    # 1. Simulate SharkLoader Process Execution via SystemSettings.exe
    # We use notepad.exe as a proxy to simulate the behavior of the sideloaded binary.
    # The argument is wrapped in single quotes so the embedded double quotes are
    # passed through to the process as one argument.
    Start-Process "notepad.exe" -ArgumentList '"This is a simulated SystemSettings.exe"' -WindowStyle Hidden
    # Note: In a real environment, the file itself would be named SystemSettings.exe.
    # For this test, we simulate the creation of the process entry.

    # 2. Simulate Malicious Active Directory Enumeration
    Write-Host "[*] Simulating AD Enumeration..." -ForegroundColor Yellow
    # Using standard cmdlets that the rule specifically looks for
    Get-ADUser -Filter * | Select-Object -First 5
    Get-ADComputer -Filter * | Select-Object -First 5
    Get-ADGroup -Filter * | Select-Object -First 5

    Write-Host "[+] Simulation Commands Executed." -ForegroundColor Green

  • Cleanup Commands:

    # Cleanup script to ensure no residual processes remain
    Stop-Process -Name "notepad" -ErrorAction SilentlyContinue
    Write-Host "[*] Cleanup Complete." -ForegroundColor Cyan