Back to Intelligence

StrikeShark Campaign: SharkLoader & Cobalt Strike Defense Guide

SA
Security Arsenal Team
June 26, 2026
6 min read

Introduction

Security researchers have identified a new cyberespionage campaign, dubbed "StrikeShark," utilizing a previously undocumented malware family named SharkLoader. This threat actor is actively targeting diplomatic entities in Indonesia and government organizations in Taiwan.

SharkLoader functions specifically as a sophisticated delivery mechanism designed to drop and execute Cobalt Strike Beacon on compromised hosts. The use of Cobalt Strike—a legitimate red team tool often weaponized by threat actors—indicates a high level of operational maturity. For defenders, the emergence of a new loader family specifically tuned to deploy Cobalt Strike necessitates an immediate review of detection logic for both the initial compromise vector and the subsequent post-exploitation activity.

Technical Analysis

Threat Vector: SharkLoader Payload: Cobalt Strike Beacon Targeted Sectors: Diplomatic, Government Primary Platforms: Windows (implied by Cobalt Strike Beacon usage)

Attack Mechanics

The attack chain begins with the deployment of SharkLoader, a malware family specifically engineered to evade initial detection and establish a foothold. Unlike commodity downloaders, SharkLoader appears to be custom-built for this campaign, focusing on reliability and stealth.

  1. Initial Access: While the specific initial vector (e.g., phishing, exploit) requires further correlation, the ultimate goal is the execution of SharkLoader on the endpoint.
  2. Payload Delivery: Upon execution, SharkLoader retrieves and executes the Cobalt Strike Beacon payload. Cobalt Strike provides the attacker with robust Command and Control (C2) capabilities, including lateral movement, credential dumping, and payload staging.
  3. C2 Communication: The Beacon establishes an outbound connection to attacker-controlled infrastructure. Given the high-value targets (diplomatic/government), the C2 traffic is likely configured to blend in with legitimate HTTPS traffic or use custom encoders to bypass network inspection.

Exploitation Status

  • Status: Confirmed Active Exploitation (In-the-Wild)
  • Actor: StrikeShark (Attribution ongoing)
  • Capabilities: Loader functionality, C2 establishment, likely DLL side-loading or process injection to hide the Beacon payload.

Detection & Response

Given the lack of specific CVEs in this campaign (relying on malware execution rather than an exploit), detection must focus on behavioral Indicators of Compromise (IOCs). The following rules target the loader behavior and the subsequent Cobalt Strike execution patterns typical of such campaigns.

SIGMA Rules

YAML
---
title: Potential SharkLoader Suspicious Process Chain
id: 6a8b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects suspicious process execution chains often associated with loaders like SharkLoader deploying payloads via shell commands or script interpreters.
references:
  - https://attack.mitre.org/techniques/T1059/
  - https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/06/16
tags:
  - attack.execution
  - attack.defense_evasion
  - attack.t1059.001
  - attack.t1055.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_loader:
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
      - '\certutil.exe'
  selection_suspicious_cli:
    CommandLine|contains:
      - 'http://'
      - 'ftp://'
      - 'scraping'
      - 'download'
      - '-urlcache'
  condition: all of selection_*
falsepositives:
  - Legitimate system administration tasks
level: high
---
title: Cobalt Strike Beacon Process Injection Pattern
id: 9b8c7d6e-5f4a-3b2c-1d0e-9f8a7b6c5d4e
status: experimental
description: Detects potential Cobalt Strike Beacon activity where a common system binary spawns a child process with suspicious characteristics typical of post-exploitation frameworks.
references:
  - https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/06/16
tags:
  - attack.defense_evasion
  - attack.t1055.012
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\svchost.exe'
      - '\explorer.exe'
      - '\notepad.exe'
      - '\mspaint.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\rundll32.exe'
    CommandLine|contains:
      - 'Encrypted'
      - 'SecureString'
      - 'FromBase64String'
  condition: selection
falsepositives:
  - Rare; legitimate admin scripts
level: critical

KQL (Microsoft Sentinel / Defender)

This hunt query looks for network connections initiated by processes that are frequently abused by loaders or beacons, targeting non-standard ports or exhibiting high-entropy command lines.

KQL — Microsoft Sentinel / Defender
let SuspiciousProcesses = dynamic(["rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"]);
DeviceNetworkEvents
| where InitiatingProcessFileName in~ (SuspiciousProcesses)
| where RemotePort != 80 and RemotePort != 443 and RemotePort != 8080
| summarize Count = count(), RemoteIPs = make_set(RemoteIP), RemotePorts = make_set(RemotePort) by DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp
| where Count > 2
| project Timestamp, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIPs, RemotePorts, Count

Velociraptor VQL

This artifact hunts for unsigned executables in user-writable directories (a common drop location for loaders) and checks for network connections associated with Cobalt Strike beacons.

VQL — Velociraptor
-- Hunt for SharkLoader droppables and Cobalt Strike indicators
SELECT 
  Pid, 
  Name, 
  Exe, 
  CommandLine, 
  Username, 
  Hash.Data AS SHA256
FROM pslist()
WHERE Exe =~ 'C:\Users\.*\\AppData\.*\\.(exe|dll|bin)'
   AND Name NOT IN ('explorer.exe', 'chrome.exe', 'firefox.exe', 'msedge.exe')

-- Correlate with network connections
SELECT 
  Family, 
  RemoteAddress, 
  RemotePort, 
  State, 
  Pid
FROM netstat()
WHERE RemotePort in (443, 80, 53, 445)
   AND State =~ 'ESTABLISHED'

Remediation Script (PowerShell)

This script aids in the investigation by checking for recent suspicious modifications in common startup folders and analyzing running processes for unsigned binaries in temporary paths.

PowerShell
# Investigation Script: StrikeShark / SharkLoader Indicators
Write-Host "[+] Scanning for suspicious persistence mechanisms..." -ForegroundColor Cyan

# Check Startup Folders for recent additions
$StartupPaths = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

foreach ($Path in $StartupPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -File | 
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | 
        Select-Object FullName, LastWriteTime, @{Name='Signature'; Expression={(Get-AuthenticodeSignature $_.FullName).Status}}
    }
}

# Check for unsigned processes running from temp directories
Write-Host "[+] Checking for unsigned processes in Temp directories..." -ForegroundColor Cyan
Get-WmiObject Win32_Process | ForEach-Object {
    $Path = $_.ExecutablePath
    if ($Path -match "(AppData\\Local\\Temp|Windows\\Temp)") {
        $Sig = Get-AuthenticodeSignature $Path
        if ($Sig.Status -ne 'Valid') {
            Write-Host "ALERT: Unsigned process detected - $($Path)" -ForegroundColor Red
        }
    }
}

Remediation

  1. Isolate Compromised Hosts: Immediately identify and isolate systems exhibiting the IOCs described above. Cobalt Strike provides lateral movement capabilities; assume network credentials are compromised.
  2. Update Signatures: Ensure Endpoint Detection and Response (EDR) and Antivirus solutions are updated with the latest threat intelligence feeds to recognize SharkLoader and Cobalt Strike variants.
  3. Network Segmentation: Review and enforce strict segmentation, especially for diplomatic and government segments, to limit the blast radius of credential theft.
  4. Credential Reset: Force a reset of all privileged credentials and any user credentials logged on to affected machines during the compromise window.
  5. Threat Hunt: Conduct a comprehensive hunt across the enterprise for the specific TTPs (Tactics, Techniques, and Procedures) associated with SharkLoader and Cobalt Strike, focusing on PowerShell logs and process injection artifacts.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionsharkloadercobalt-strikestrikeshark

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action