Kaspersky’s Global Research and Analysis Team (GReAT) has published technical findings on a previously undocumented intrusion cluster it tracks as StrikeShark, which uses a custom malware loader called SharkLoader to deliver Cobalt Strike Beacon against diplomatic ministries, government agencies, and software development firms. Confirmed targets include organizations in Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, Nepal, and several other countries. The research was published on June 24, 2026.
What Happened
The StrikeShark operators gain initial access by exploiting unpatched public-facing application vulnerabilities, including CVE-2021-26855 (Microsoft Exchange ProxyLogon), CVE-2024-36401 (GeoServer), CVE-2024-21762 (Fortinet FortiOS), and CVE-2023-46747 (F5 BIG-IP). Once a foothold is established, SharkLoader employs a technique Kaspersky calls “PerfectDLL Hijacking,” which manipulates Windows loader lock internals so that its payload executes from within DllMain without triggering the standard deadlock protections. The loader decrypts and reflectively loads a Cobalt Strike Beacon alongside a second DLL that installs more than 44 API hooks aimed at memory scanning and ETW-based telemetry.
The ETW evasion is accomplished by redirecting EtwEventWrite, EventWriteEx, and EventWrite to stub functions that return without writing telemetry. Persistence is maintained through HKCU registry Run keys and scheduled tasks named to mimic OneDrive and Microsoft Update processes.
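The persistence described above (HKCU Run values and scheduled tasks whose names borrow from OneDrive and Microsoft Update) is cheap to hunt for if you compare the name an entry presents with where its executable actually lives. The following is an added illustration, not Kaspersky's code and not a tool from the report: it triages a list of autorun entries and flags those whose name mimics OneDrive or Microsoft Update but whose executed file sits outside an assumed baseline of legitimate install directories (EXPECTED_DIRS is that assumption and should be replaced with what a known-good host in your environment shows). The sample entries are constructed; the HKCU collector is a convenience for Windows hosts and returns nothing elsewhere.

```python
"""Triage user-level autoruns whose names imitate OneDrive or Microsoft Update.

Added illustration, not Kaspersky's code.  EXPECTED_DIRS is an assumed
baseline of where the genuine binaries run and should be adjusted per host.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Autorun:
    source: str   # where the entry was found, e.g. "HKCU-Run" or "SchTask"
    name: str     # registry value name or scheduled-task name
    command: str  # full command line as stored


# Display names an entry might borrow to blend in with legitimate autoruns.
LOOKALIKE = re.compile(r"onedrive|microsoft\s*update|msupdate", re.IGNORECASE)

# Assumed baseline (lower-case): the real binaries live under these paths.
EXPECTED_DIRS = (
    "c:\\program files\\microsoft onedrive\\",
    "c:\\program files (x86)\\microsoft onedrive\\",
    "\\appdata\\local\\microsoft\\onedrive\\",
    "<localappdata>\\microsoft\\onedrive\\",
    "c:\\windows\\system32\\",
)

# Host programs whose first argument is the component that really executes.
PROXIES = {"rundll32.exe", "regsvr32.exe"}


def _split_first(cmdline: str):
    """Split a command line into (first token, remainder), honouring quotes."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:].strip())
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def payload_path(command: str) -> str:
    """File that actually runs: the program, or for rundll32/regsvr32 its DLL
    argument (without the ',EntryPoint' suffix)."""
    exe, rest = _split_first(command)
    if exe.lower().rsplit("\\", 1)[-1] in PROXIES and rest:
        target, _ = _split_first(rest)
        return target.split(",", 1)[0]
    return exe


def normalise(path: str) -> str:
    """Lower-case and expand the environment variables common in autoruns."""
    p = path.strip().lower().replace("%localappdata%", "<localappdata>")
    p = p.replace("%programfiles%", "c:\\program files")
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def is_suspicious(entry: Autorun) -> bool:
    """True when the name mimics OneDrive/Microsoft Update but the executed file
    is outside EXPECTED_DIRS.  A bare file name with no directory (resolved via
    PATH) is also flagged for review."""
    if not LOOKALIKE.search(entry.name):
        return False
    path = normalise(payload_path(entry.command))
    return not any(d in path for d in EXPECTED_DIRS)


def triage(entries: list) -> list:
    return [e for e in entries if is_suspicious(e)]


def collect_hkcu_run() -> list:
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard library module
    entries, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        "Software\\Microsoft\\Windows\\CurrentVersion\\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            entries.append(Autorun("HKCU-Run", name, str(value)))
            i += 1
    return entries


# Constructed sample entries standing in for a live collection.
SAMPLE = [
    Autorun("HKCU-Run", "OneDrive",
            r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Autorun("HKCU-Run", "OneDriveUpdate",
            r'"C:\Users\alice\AppData\Roaming\OneDriveUpd\OneDriveUpd.exe"'),
    Autorun("SchTask", r"\Microsoft Update Service",
            r"rundll32.exe C:\ProgramData\MSUpdate\update.dll,Start"),
    Autorun("SchTask", r"\MicrosoftUpdateCheck",
            r"C:\Windows\System32\usoclient.exe StartScan"),
    Autorun("HKCU-Run", "Discord",
            r"C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe"),
]

if __name__ == "__main__":
    # Falls back to the constructed sample when no live entries are available.
    for hit in triage(collect_hkcu_run() or SAMPLE):
        print(f"[{hit.source}] {hit.name!r} -> {payload_path(hit.command)}")
```

Scheduled tasks are not collected by the block; on a Windows host the output of `schtasks /query /fo csv /v` can be parsed into the same Autorun shape (task name and "Task To Run" columns) and fed to triage. Run against the sample, the two entries flagged are the Roaming-profile "OneDriveUpdate" value and the rundll32-backed "Microsoft Update Service" task; the genuine OneDrive entry and the System32-backed task pass.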
Why It Matters
The CVE list is almost entirely composed of vulnerabilities disclosed between 2021 and 2024, several of which hold CISA Known Exploited Vulnerability catalog entries. Organizations that have not applied these patches remain directly in scope. The ETW evasion is the more significant concern for defenders: many endpoint detection and response products depend heavily on ETW telemetry for behavioral detection. An implant that hooks EtwEventWrite at the API layer, before the EDR's own instrumentation runs, can silence an entire category of behavioral alerting.
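Because the evasion works by overwriting the first bytes of EtwEventWrite, EventWriteEx and EventWrite with a stub or a jump (the mechanism described under "What Happened" and relied on by the point above), one defensive check is to read those bytes as they are mapped in a process and compare them with what an unpatched function looks like. The following is an added example, not Kaspersky's or any EDR vendor's code: it classifies a function prologue against the common inline-hook and early-return shapes, and marks it clean when it matches a known-good reference. The reference bytes and the sample memory contents are constructed; on a real host the reference must be taken from a trusted on-disk copy of the DLL, and the ctypes reader only inspects the DLLs as mapped into the Python process itself.

```python
"""Spot user-mode patching of the ETW writer functions that EDR telemetry relies on.

Added example, not Kaspersky's or any vendor's code.  Reference ("clean") bytes
below are a constructed stand-in and must come from a trusted on-disk copy of
the DLL on the host being examined.
"""
import sys
from typing import Callable, Dict, Optional

# Module/export pairs named in the report: ntdll exports EtwEventWrite,
# advapi32 exports EventWrite and EventWriteEx.
ETW_EXPORTS = (("ntdll", "EtwEventWrite"),
               ("advapi32", "EventWriteEx"),
               ("advapi32", "EventWrite"))


def classify_prologue(code: bytes, reference: Optional[bytes] = None) -> str:
    """Label the first bytes of a function.

    A matching known-good reference means clean.  Otherwise look for the shapes a
    patcher leaves behind: a stub that returns immediately (so no event is
    written) or a jump out to foreign code."""
    if reference is not None and code[:len(reference)] == reference:
        return "clean"
    if code[:1] == b"\xc3":                                      # ret
        return "ret stub"
    if code[:3] == b"\x33\xc0\xc3":                              # xor eax,eax ; ret
        return "xor eax,eax; ret stub"
    if code[:1] == b"\xb8" and code[5:6] == b"\xc3":             # mov eax,imm32 ; ret
        return "mov eax,imm32; ret stub"
    if code[:1] == b"\xe9":                                      # jmp rel32
        return "jmp rel32 hook"
    if code[:2] == b"\xff\x25":                                  # jmp [rip+disp32]
        return "jmp [mem] hook"
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":   # mov rax,imm64 ; jmp rax
        return "mov rax,imm64; jmp rax hook"
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":             # push imm32 ; ret
        return "push imm32; ret hook"
    return "modified, unknown pattern" if reference is not None else "no known hook pattern"


def read_live_prologue(module: str, export: str, n: int = 16) -> Optional[bytes]:
    """First n bytes of an export as mapped in this process (Windows only)."""
    if sys.platform != "win32":
        return None
    import ctypes
    func = getattr(getattr(ctypes.windll, module), export)
    addr = ctypes.cast(func, ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


Reader = Callable[[str, str], Optional[bytes]]


def scan(reader: Reader, references: Optional[Dict[str, bytes]] = None) -> Dict[str, str]:
    """Classify every ETW export, fetching its bytes through `reader`."""
    results: Dict[str, str] = {}
    for module, export in ETW_EXPORTS:
        code = reader(module, export)
        key = f"{module}!{export}"
        if code is None:
            results[key] = "unavailable"
            continue
        results[key] = classify_prologue(code, (references or {}).get(export))
    return results


# Constructed sample: what a reader might return on a host where two of the three
# functions have been patched.  The "clean" bytes are made up, not real ntdll code.
SAMPLE_MEMORY = {
    "EtwEventWrite": bytes.fromhex("33c0c3") + b"\x90" * 13,                   # xor eax,eax ; ret
    "EventWriteEx":  bytes.fromhex("e9") + b"\x10\x20\x30\x00" + b"\xcc" * 11,  # jmp rel32
    "EventWrite":    bytes.fromhex("48895c2408") + b"\x00" * 11,               # matches reference
}
SAMPLE_REFERENCE = {"EventWrite": bytes.fromhex("48895c2408")}


def sample_reader(module: str, export: str) -> Optional[bytes]:
    return SAMPLE_MEMORY.get(export)


if __name__ == "__main__":
    if sys.platform == "win32":
        verdicts = scan(read_live_prologue)            # no reference: pattern check only
    else:
        verdicts = scan(sample_reader, SAMPLE_REFERENCE)
    for name, verdict in verdicts.items():
        print(f"{name:<24} {verdict}")
```

Pattern matching alone cannot prove a function is intact (a hook placed deeper than the first bytes, or a rewritten reference, would pass), which is why the reference comparison against an on-disk copy is the stronger half of the check; to examine another process rather than your own, the reader would have to be replaced with one that reads that process's memory.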
One Original Insight
Kaspersky assesses with low confidence that the operators are Chinese-speaking, citing the use of reconnaissance tools (FScan, Pillager, Searchall) hosted by Chinese-language GitHub users, but explicitly states that there is no confirmed attribution to any known APT group. The broad victimology, spanning Indonesia, Taiwan, and Lebanon alongside opportunistic targets in Colombia and Serbia, suggests a dual-use operation that combines targeted espionage with volume exploitation of unpatched infrastructure.
Defenders running any unpatched Fortinet FortiOS, Microsoft Exchange, or GeoServer instance should treat this report as a prompt to verify patch status rather than wait for named attribution. For a comparison with another state-linked backdoor campaign targeting similar sectors in the same period, see CyberTech’s coverage of Turla’s STOCKSTAY backdoor.
Source: Kaspersky Securelist