SharkLoader Uses Public Exploits and Fake Installers to Target Governments
Kaspersky and CyberPress report a SharkLoader campaign that abuses public exploits and fake installers to sideload Cobalt Strike onto government and enterprise systems.
Published
Jun 25, 2026Duration
5 min readRisk Level
High SeverityIntel Tags
Why it matters
StrikeShark shows how one loader can bridge two attack modes: opportunistic exploitation of exposed services and lure-based delivery through fake installers. The campaign touched diplomatic and government networks across multiple regions, and it used Cobalt Strike Beacon as the final payload. That combination raises the risk for any internet-facing organization that has not fully inventoried exposed apps or audited sideloading behavior.
What happened
Kaspersky’s 24 June analysis described SharkLoader infections in Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and more. CyberPress followed on 25 June with a shorter summary that highlighted the government-targeting angle and repeated the IOC set, including the domain connect-microsoft[.]com and several MD5 hashes. Both reports agree on the core pattern: public PoCs or fake installers open the door, and SharkLoader then stages a Cobalt Strike implant.
Technical details
SharkLoader is built to stay quiet. In the exploitation path, attackers leverage public-facing apps such as Exchange, Openfire, and GeoServer, drop webshells, and then side-load SystemSettings.dll from a copied SystemSettings.exe. The loader manipulates the Windows loader lock, decrypts DscCoreR.mui with Blowfish, decrypts SyncRes.dat with AES, installs API hooks, suppresses ETW, and eventually resumes a suspended thread that runs beacon shellcode. In the lure path, droppers masquerade as Cisco AnyConnect, Google Update, or benign PDFs. The practical IOCs to hunt are the domains connect-microsoft[.]com, ms-record[.]com, ms-record[.]top, and ms-tray[.]top, plus the loader and dropper hashes in the article metadata.
Defender actions
Prioritize patching or isolating exposed Exchange, Openfire, GeoServer, SharePoint, FortiOS, and Cisco IOS XE systems. Hunt for unexpected SystemSettings.exe execution, new scheduled tasks, suspicious Run keys, and DLL sideloading from writable directories such as %APPDATA% or ProgramData. Block the listed domains and hashes, then review DNS, proxy, and EDR telemetry for the process trees that load Cobalt Strike. If you confirm a foothold, reset privileged credentials and reimage affected hosts instead of trying to clean them in place.
Indicators
16 indicators · TLP:cleardomain · c2 · high conf
connect-microsoft.com
C2 domain reported by CyberPress and corroborated by the Securelist campaign analysis
domain · c2 · high conf
ms-record.com
Associated infrastructure reported by CyberPress
domain · c2 · high conf
ms-record.top
Associated infrastructure reported by CyberPress
domain · c2 · high conf
ms-tray.top
Associated infrastructure reported by CyberPress
hash-md5 · payload · high conf
C559CC68986933200FD5D9E4388E2F58
Malicious installer hash from the Securelist campaign analysis
hash-md5 · delivery · high conf
B3352B42432DEDC4A519F011DC8B5D5A
SharkLoader dropper hash from the Securelist campaign analysis
hash-md5 · delivery · high conf
24FCEBDEECBA65004FDB0923763D74FD
Dropper hash associated with the Taiwan-targeting sample
hash-md5 · payload · high conf
9C872A0D5D5A38950E8B9AC9B488BE3F
SharkLoader DLL hash from the Securelist campaign analysis
hash-md5 · payload · high conf
AA3086BE652C8B20B0B29B2730D57119
SharkLoader DLL hash from the Securelist campaign analysis
hash-md5 · payload · high conf
A514D1BB62D7916475946FE7C07AC0AA
Encrypted component hash from the Securelist campaign analysis
hash-md5 · payload · high conf
9CBD560F820C95D7C38342CD558CB5C6
Encrypted component hash from the Securelist campaign analysis
hash-md5 · delivery · high conf
1F65544978B8EA0E745E573B8EE9684B
Dropper hash observed on a machine located in Lebanon
file-path · payload · high conf
SystemSettings.exe
Legitimate Windows binary copied to facilitate DLL sideloading
file-path · payload · high conf
SystemSettings.dll
Malicious SharkLoader DLL used in the sideloading chain
file-path · payload · high conf
DscCoreR.mui
Encrypted module loaded by SharkLoader before the Beacon stage
file-path · payload · high conf
SyncRes.dat
Encrypted DLL component used to install API hooks