Kaspersky researchers discovered a new malware campaign named StrikeShark deploying SharkLoader, a previously unknown loader malware that installs Cobalt Strike Beacon on infected systems.

The campaign targeted diplomatic entities in Indonesia and government organizations in Taiwan. SharkLoader functions as a first-stage payload, establishing persistence and executing secondary payloads including Cobalt Strike Beacon, a legitimate penetration testing tool routinely weaponized by threat actors for command and control operations.

Cobalt Strike Beacon provides attackers with capabilities including process injection, credential theft, lateral movement, and remote code execution. The use of SharkLoader as a delivery mechanism suggests attackers aim to evade detection during initial compromise phases before establishing persistent command and control infrastructure.

The targeting of government and diplomatic entities indicates state-sponsored or state-aligned threat activity. Indonesia and Taiwan represent geopolitically significant targets, with Indonesia hosting ASEAN headquarters and Taiwan maintaining strategic importance in regional security dynamics. Diplomatic organizations face particular risk due to access to sensitive negotiations, intelligence networks, and classified communications.

Kaspersky did not disclose specific infection vectors in the available reporting, though loader malware typically arrives via spear-phishing emails, compromised websites, or watering hole attacks. Organizations should assume SharkLoader propagates through targeted social engineering against high-value targets rather than mass distribution.

The discovery of SharkLoader adds another tool to the loader malware ecosystem. Attackers prefer loaders over direct Cobalt Strike deployment because they reduce the likelihood of detection during the initial access phase. Antivirus and endpoint detection systems often flag known malware, but a novel loader has no existing signatures and so bypasses signature-based detection until one is written for it.

Government agencies and diplomatic organizations should audit network logs for Cobalt Strike Beacon indicators of compromise, including HTTP/HTTPS beaconing patterns and process injection activity. Network defenders should implement command and control sinkholing to
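As an added illustration of the network-side audit described above (example code written for this page, not Kaspersky's tooling or any published StrikeShark indicator), the script below flags Beacon-style periodic check-ins in proxy logs. It assumes a simple whitespace-separated log format of its own (timestamp, client IP, destination host, method, URI, status), builds a few constructed sample lines, and reports client/destination pairs whose request intervals are nearly constant; the thresholds `min_hits` and `max_cv` are arbitrary starting points to tune per environment. Process-injection activity is a host-side signal and is not covered here.

```python
"""Flag periodic (beacon-like) HTTP check-ins in web proxy logs.

Constructed example: the log format and all sample lines below are
assumptions made for this demonstration, not real campaign data.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: <ISO timestamp> <client ip> <destination host> <method> <uri> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return (timestamp, client, destination) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return ts, m.group("src"), m.group("dst")


def find_beacons(lines, min_hits=6, max_cv=0.15):
    """Group requests by (client, destination) and flag pairs whose
    inter-request intervals are nearly constant.

    Regularity is measured as the coefficient of variation (population
    stdev / mean) of the gaps between consecutive requests; Beacon sleep
    timers with a small jitter percentage keep this value low, while
    human browsing is bursty and scores high.
    """
    times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst = parsed
            times[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return findings


def build_sample_log():
    """Constructed sample: one periodic check-in pair, one bursty browsing pair."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # ~60 s sleep with small jitter (constructed beacon-like traffic)
    for off in (0, 61, 119, 181, 240, 302, 359, 421):
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.5 203.0.113.7 GET /updates.rss 200")
    # irregular gaps (constructed benign browsing)
    for off in (0, 5, 7, 90, 95, 400, 402, 1000):
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.8 198.51.100.3 GET /news 200")
    lines.append("malformed line that should be skipped")
    return lines


if __name__ == "__main__":
    for finding in find_beacons(build_sample_log()):
        print(finding)
```

On the sample data only the 10.0.0.5 to 203.0.113.7 pair is reported (eight hits, mean gap about 60 s, coefficient of variation about 0.03). In production, run this over a longer window per destination, exclude known update and telemetry hosts, and treat a hit as a lead for host triage rather than a verdict.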