- What: Kaspersky documented SharkLoader (campaign StrikeShaker), a new loader that uses "Perfect DLL Hijacking" through a signed SystemSettings.exe to deliver Cobalt Strike Beacon, attributed to a Chinese-speaking actor.
- Impact: Beacon plus hands-on-keyboard intrusion: AD enumeration, LSASS and NTDS credential theft, and FScan/Pillager recon across government, diplomatic, and software-development targets in a dozen-plus countries.
- Fix / mitigation: Every initial-access vector is a known, patched CVE (Exchange CVE-2021-26855 and CVE-2022-41082, FortiOS CVE-2024-21762 and CVE-2022-40684, GeoServer CVE-2024-36401, Cisco IOS XE CVE-2023-20198, F5 CVE-2023-46747, and more). Patch the edge, hunt the side-load chain, and alert on the beacon behavior.
- Who's at risk: Anyone running unpatched internet-facing Exchange, Fortinet, GeoServer, Openfire, Zimbra, SharePoint, F5, Apache Shiro, Cisco IOS XE, or Hikvision devices.
Researchers at Kaspersky have detailed a campaign they track as StrikeShaker, built around a previously undocumented loader called SharkLoader. The loader's job is narrow and effective: get Cobalt Strike Beacon running on a compromised host without tripping endpoint memory scanners. The tradecraft is genuinely sharp. The way in is not.
Because the most important detail in this campaign is the least glamorous one: the attackers do not need a single zero-day. Initial access comes entirely from publicly available proof-of-concept exploits against thirteen known, already-patched vulnerabilities in internet-facing software. The clever loader is what happens after the front door, which was standing open, gets pushed.
The way in: 13 known-exploited CVEs
StrikeShaker is opportunistic. It sprays public exploits across exposed services and takes whatever opens. The arsenal Kaspersky observed reads like a greatest-hits list of the last five years of edge compromises:
- Microsoft Exchange, ProxyLogon CVE-2021-26855 and ProxyNotShell CVE-2022-41082, plus SharePoint CVE-2021-27076
- Fortinet FortiOS, SSL-VPN CVE-2024-21762 and the auth-bypass CVE-2022-40684
- GeoServer CVE-2024-36401, Openfire CVE-2023-32315, and Apache Shiro CVE-2016-4437
- Zimbra Collaboration CVE-2022-27925, F5 BIG-IP CVE-2023-46747, and Cisco IOS XE CVE-2023-20198
- Hikvision CVE-2021-36260, and even React Server Components CVE-2025-55182 on the newer end
Most of these sit on CISA's Known Exploited Vulnerabilities list. None of them are subtle. Every one has a patch, most for years. The lesson StrikeShaker teaches is the same one the Fortinet, Exchange, and Cisco IOS XE waves taught before it: an unpatched internet-facing appliance is not a risk, it is an invitation, and the crews watching for them are automated and patient.
Each of the initial-access CVEs above links straight to the RedEye CVE Index, and the ones with live Sigma detections carry a "Detected by Caver" emblem that ships in the RedEye Intel Feed. The point: this whole campaign hinges on exploitation events you can already see. Caver turns "we should have patched that" into a fired detection on the day the PoC starts flying.
The clever part: Perfect DLL Hijacking
Once inside, a web shell kicks off a DLL side-loading chain abusing the legitimate, signed Windows binary SystemSettings.exe. SharkLoader ships as SystemSettings.dll and uses a technique the researchers call "Perfect DLL Hijacking," which executes its payload while cleanly sidestepping the Windows Loader Lock that normally makes this kind of in-loader code execution unstable.
From there the loader decrypts a disguised resource, DscCoreR.mui, decompresses it, and maps Cobalt Strike Beacon into a freshly created suspended thread. Before letting it run, SharkLoader uses the Microsoft Detours library and a MinHook DLL to hook VirtualAlloc and Sleep, the two API calls that in-memory scanners and sandboxes lean on to catch Beacon. With the hooks in place, a single ResumeThread call wakes the implant inside a process that looks entirely normal.
The side-load and API-hooking tricks are designed to beat memory scanning: signature and snapshot detection. They do far less against behavioral telemetry: a signed Windows settings binary spawning from a web server process, hooking VirtualAlloc, then reaching out to a C2. That sequence is loud if you are collecting and correlating the right events, which is exactly where most victims have a gap.
What they do once they own the host
StrikeShaker is a hands-on-keyboard operation, not a smash-and-grab. After Beacon lands, the operators enumerate Active Directory, target the LSASS process for credentials, and attempt to exfiltrate the NTDS database, the full domain credential store. They lean on open-source post-exploitation tooling including FScan for network discovery, Searchall, and Pillager. Persistence is mundane and reliable: registry Run keys and scheduled tasks that relaunch SystemSettings.exe on login or unattended.
Delivery is not limited to web exploitation. Kaspersky also saw installer droppers masquerading as Google Update and Cisco AnyConnect, and decoy PDFs, the social-engineering path to the same loader.
Who is in the crosshairs
The victimology is broad: a diplomatic organization in Indonesia, government bodies in Taiwan, and software-development firms across multiple countries, with additional activity touching Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. The campaign exhibits Chinese-speaking-actor characteristics, and the focus on government and software-development targets points toward espionage rather than extortion, though Kaspersky notes no active data-theft payload was confirmed, leaving end goals open.
What defenders should do now
- Close the 13 doors first. Inventory internet-facing Exchange, FortiOS, GeoServer, Openfire, Zimbra, SharePoint, F5 BIG-IP, Apache Shiro, Cisco IOS XE, and Hikvision, and confirm the CVEs above are patched. This single step removes StrikeShaker's entire entry path.
- Hunt the side-load chain. Alert on SystemSettings.exe or SystemSettings.dll executing from non-standard paths or spawning from web-server processes, and on the resource file DscCoreR.mui and unexpected MinHook DLLs.
- Watch the beacon behavior, not just the bytes. Correlate API hooking of VirtualAlloc/Sleep, suspended-thread injection, and outbound C2 from signed system binaries. Behavioral detection survives the loader's anti-memory-scanning tricks.
- Protect the crown jewels. Restrict and monitor LSASS access and NTDS handling; treat any NTDS read by a non-domain-controller process as an incident.
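As an added example (not code from Kaspersky, RedEye, or this post), here is a small Python triage function that applies the side-load-chain hunt criteria above to process, module-load and file-create events; the expected install directory of SystemSettings.exe, the list of web-server parent images, the trusted DLL directories and the sample events are all assumptions constructed for the demo.

```python
from pathlib import PureWindowsPath

# Assumed legitimate home of the signed binary; the report does not state it.
EXPECTED_EXE_DIR = "c:/windows/immersivecontrolpanel"
# Assumed web/app-server images that should never launch a settings app.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "java.exe", "tomcat.exe"}
# Directories from which a SystemSettings.dll load is treated as expected (assumption).
TRUSTED_DLL_DIRS = {EXPECTED_EXE_DIR, "c:/windows/system32"}

def _norm(path: str) -> PureWindowsPath:
    return PureWindowsPath(path.lower())  # case-insensitive name/parent comparisons

def classify(ev: dict) -> list[str]:
    """Return side-load-chain findings for one process/module/file event."""
    findings = []
    image = _norm(ev.get("image", ""))
    if ev["type"] == "process_create" and image.name == "systemsettings.exe":
        if image.parent.as_posix() != EXPECTED_EXE_DIR:
            findings.append("SystemSettings.exe from non-standard path")
        if _norm(ev.get("parent_image", "")).name in WEB_SERVER_PARENTS:
            findings.append("SystemSettings.exe spawned by web-server process")
    elif ev["type"] == "image_load":
        mod = _norm(ev.get("module", ""))
        if mod.name == "systemsettings.dll" and mod.parent.as_posix() not in TRUSTED_DLL_DIRS:
            findings.append("SystemSettings.dll side-loaded from untrusted directory")
        if "minhook" in mod.name:
            findings.append("MinHook DLL loaded")
    elif ev["type"] == "file_create" and _norm(ev.get("target", "")).name == "dsccorer.mui":
        findings.append("DscCoreR.mui resource dropped")
    return findings

def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify() over a batch; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]

# Constructed sample telemetry (not from the report): a benign launch, then a side-load chain.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\ProgramData\Upd\SystemSettings.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "image_load", "image": r"C:\ProgramData\Upd\SystemSettings.exe",
     "module": r"C:\ProgramData\Upd\SystemSettings.dll"},
    {"type": "file_create", "image": r"C:\ProgramData\Upd\SystemSettings.exe",
     "target": r"C:\ProgramData\Upd\DscCoreR.mui"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The benign launch from the expected directory produces no finding; the three chain events produce four, which is the correlation a SIEM rule would group on the common process image.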
RedEye writes the detections for exactly this kind of chain (the edge-CVE exploitation up front and the side-load/beacon behavior after) and ships them through the live detection feed into your SIEM. Caver is where those detections run at scale and stay cheap to retain, so an exploitation attempt against one of these CVEs is a flagged event on day one, not a forensic finding after the NTDS file is already gone.
Bottom line
SharkLoader is a well-built loader, and "Perfect DLL Hijacking" will get copied. But StrikeShaker is not a story about an unstoppable new technique. It is a story about thirteen patches that were available and not applied, and the very normal behavior that follows once an attacker is in. The defensible version of this incident is the boring one: patch the edge, collect the right telemetry, and let the detections that already exist do their job.
Are these 13 CVEs actually patched in your environment?
RedEye Security helps teams find their exposed edge, ship the detections for campaigns like StrikeShaker, and turn known-exploited CVEs into alerts instead of incidents.
Source: The Hacker News: "New SharkLoader Malware Deploys Cobalt Strike", reporting on Kaspersky research into the StrikeShaker campaign.
