ThreatBrief AI

SharkLoader Uses Public Exploits and Fake Installers to Target Governments

Kaspersky and CyberPress report a SharkLoader campaign that abuses public exploits and fake installers to sideload Cobalt Strike onto government and enterprise systems.

+ +

Published

Jun 25, 2026

Duration

5 min read

Risk Level

High Severity

Why it matters

StrikeShark shows how one loader can bridge two attack modes: opportunistic exploitation of exposed services and lure-based delivery through fake installers. The campaign touched diplomatic and government networks across multiple regions, and it used Cobalt Strike Beacon as the final payload. That combination raises the risk for any internet-facing organization that has not fully inventoried exposed apps or audited sideloading behavior.

What happened

Kaspersky’s 24 June analysis described SharkLoader infections in Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and more. CyberPress followed on 25 June with a shorter summary that highlighted the government-targeting angle and repeated the IOC set, including the domain connect-microsoft[.]com and several MD5 hashes. Both reports agree on the core pattern: public PoCs or fake installers open the door, and SharkLoader then stages a Cobalt Strike implant.

Technical details

SharkLoader is built to stay quiet. In the exploitation path, attackers leverage public-facing apps such as Exchange, Openfire, and GeoServer, drop webshells, and then side-load SystemSettings.dll from a copied SystemSettings.exe. The loader manipulates the Windows loader lock, decrypts DscCoreR.mui with Blowfish, decrypts SyncRes.dat with AES, installs API hooks, suppresses ETW, and eventually resumes a suspended thread that runs beacon shellcode. In the lure path, droppers masquerade as Cisco AnyConnect, Google Update, or benign PDFs. The practical IOCs to hunt are the domains connect-microsoft[.]com, ms-record[.]com, ms-record[.]top, and ms-tray[.]top, plus the loader and dropper hashes in the article metadata.

Defender actions

Prioritize patching or isolating exposed Exchange, Openfire, GeoServer, SharePoint, FortiOS, and Cisco IOS XE systems. Hunt for unexpected SystemSettings.exe execution, new scheduled tasks, suspicious Run keys, and DLL sideloading from writable directories such as %APPDATA% or ProgramData. Block the listed domains and hashes, then review DNS, proxy, and EDR telemetry for the process trees that load Cobalt Strike. If you confirm a foothold, reset privileged credentials and reimage affected hosts instead of trying to clean them in place.

Indicators

16 indicators · TLP:clear

domain · c2 · high conf

connect-microsoft.com

C2 domain reported by CyberPress and corroborated by the Securelist campaign analysis

Srcs: securelist-strikeshark, cyberpress-sharkloader

domain · c2 · high conf

ms-record.com

Associated infrastructure reported by CyberPress

Srcs: securelist-strikeshark, cyberpress-sharkloader

domain · c2 · high conf

ms-record.top

Associated infrastructure reported by CyberPress

Srcs: securelist-strikeshark, cyberpress-sharkloader

domain · c2 · high conf

ms-tray.top

Associated infrastructure reported by CyberPress

Srcs: securelist-strikeshark, cyberpress-sharkloader

hash-md5 · payload · high conf

C559CC68986933200FD5D9E4388E2F58

Malicious installer hash from the Securelist campaign analysis

Srcs: securelist-strikeshark

hash-md5 · delivery · high conf

B3352B42432DEDC4A519F011DC8B5D5A

SharkLoader dropper hash from the Securelist campaign analysis

Srcs: securelist-strikeshark

hash-md5 · delivery · high conf

24FCEBDEECBA65004FDB0923763D74FD

Dropper hash associated with the Taiwan-targeting sample

Srcs: securelist-strikeshark

hash-md5 · payload · high conf

9C872A0D5D5A38950E8B9AC9B488BE3F

SharkLoader DLL hash from the Securelist campaign analysis

Srcs: securelist-strikeshark

hash-md5 · payload · high conf

AA3086BE652C8B20B0B29B2730D57119

SharkLoader DLL hash from the Securelist campaign analysis

Srcs: securelist-strikeshark

hash-md5 · payload · high conf

A514D1BB62D7916475946FE7C07AC0AA

Encrypted component hash from the Securelist campaign analysis

Srcs: securelist-strikeshark

hash-md5 · payload · high conf

9CBD560F820C95D7C38342CD558CB5C6

Encrypted component hash from the Securelist campaign analysis

Srcs: securelist-strikeshark

hash-md5 · delivery · high conf

1F65544978B8EA0E745E573B8EE9684B

Dropper hash observed on a machine located in Lebanon

Srcs: securelist-strikeshark

file-path · payload · high conf

SystemSettings.exe

Legitimate Windows binary copied to facilitate DLL sideloading

Srcs: securelist-strikeshark

file-path · payload · high conf

SystemSettings.dll

Malicious SharkLoader DLL used in the sideloading chain

Srcs: securelist-strikeshark

file-path · payload · high conf

DscCoreR.mui

Encrypted module loaded by SharkLoader before the Beacon stage

Srcs: securelist-strikeshark

file-path · payload · high conf

SyncRes.dat

Encrypted DLL component used to install API hooks

Srcs: securelist-strikeshark