Skip to main content

StrikeShark Campaign Exploits Known Vulnerabilities to Deploy Cobalt Strike via SharkLoader

Release Date: 16 Jul 2026 376 Views

(Image generated by generative AI and reviewed under professional human supervision.)

 

A recently observed campaign, tracked as StrikeShark, highlights how attackers continue to exploit unpatched internet-facing systems to gain initial access into enterprise networks. The campaign leverages a multi-stage malware loader, referred to as SharkLoader, to deploy Cobalt Strike malware, a widely used post-exploitation framework.

 

Although the malware components in this campaign demonstrate moderate technical sophistication, the most critical takeaway for organisations is that initial compromise is heavily dependent on known and publicly exploitable vulnerabilities. This reinforces the importance of timely patching and exposure management.

 

 

Exploitation of Public-Facing Applications

The StrikeShark campaign primarily gains initial access by exploiting vulnerabilities in internet-facing enterprise applications. These systems are often directly reachable from the internet and therefore present a high-risk attack surface if not properly secured.

 

Observed attacks have targeted a range of widely deployed platforms, including:

  • Microsoft Exchange Server (e.g. CVE-2021-26855, ProxyLogon)
  • Microsoft SharePoint (e.g. CVE-2021-27076)
  • Openfire Server (e.g. CVE-2023-32315)
  • GeoServer (e.g. CVE-2024-36401)

 

In addition, threat actors were observed scanning and exploiting vulnerabilities in various enterprise software and network appliances, including:

  • Apache Shiro – CVE-2016-4437
  • Hikvision products – CVE-2021-36260
  • Zimbra Collaboration Suite – CVE-2022-27925
  • Microsoft Exchange Server – CVE-2022-41082
  • F5 BIG-IP – CVE-2023-46747
  • Fortinet FortiOS – CVE-2022-40684, CVE-2024-21762
  • Cisco IOS XE Web UI – CVE-2023-20198
  • Jenkins – CVE-2024-23897
  • Joomla CMS – CVE-2023-23752
  • React Server Components – CVE-2025-55182

 

Many of these vulnerabilities are classified as remote code execution or authentication bypass issues, allowing attackers to execute arbitrary commands on vulnerable systems without valid credentials.

 

Notably, exploit code for these vulnerabilities is widely available on public platforms, meaning attackers do not need to develop custom exploits. This suggests that the campaign is, at least in part, opportunistic, targeting organisations that have not applied security updates.

 

 

Why These Vulnerabilities Are Critical

Vulnerabilities affecting internet-facing services are particularly dangerous because they can be exploited remotely with minimal interaction. In many cases, attackers can:

  • Gain direct access to servers exposed to the internet
  • Deploy webshells for persistent remote control
  • Use compromised servers as footholds for deeper network intrusion

 

Once initial access is established, attackers can quickly move to the next stages of the attack lifecycle, including credential theft and lateral movement.

 

 

From Initial Access to Malware Execution

After successfully exploiting a vulnerability, attackers deploy SharkLoader using techniques such as webshell-based command execution or malicious droppers.

 

A commonly observed method involves abusing legitimate Windows applications for DLL side-loading. For example, attackers copy a legitimate binary such as SystemSettings.exe to a writable directory and execute it alongside a malicious DLL, allowing the malicious code to run while appearing legitimate.

 

The loader then decrypts and executes additional payloads directly in memory, ultimately launching a Cobalt Strike Beacon, which enables remote command execution and further compromise.

 

 

Post-Compromise Activity

Following initial access, attackers typically perform:

  • System and network reconnaissance
  • Active Directory enumeration
  • Credential harvesting (e.g. LSASS dumping)
  • Lateral movement across the network

 

The use of Cobalt Strike significantly enhances the attackers’ ability to conduct these operations while maintaining stealth.

 

 

Impact

The targeting of government entities and software-related organisations suggests a potential focus on information gathering and long-term access. However, the reliance on widely known vulnerabilities also indicates that any organisation with exposed and unpatched systems may be at risk.

 

This highlights that even advanced attack chains often begin with basic security gaps, such as missing patches or exposed services.

 

 

Security Recommendations

  1. Prioritise patching of internet-facing systems

Organisations should urgently review and patch all publicly exposed systems, particularly those affected by the CVEs listed above.

 

  1. Reduce internet exposure of critical services

Where possible, restrict access to administrative interfaces and enterprise services using VPN, IP allowlists, or zero-trust access models.

 

  1. Monitor exploitation and scanning attempts

Implement monitoring and alerting for suspicious requests targeting known vulnerable endpoints, as well as scanning activity against exposed services.

 

  1. Detect webshell and abnormal command execution

Monitor for unusual command execution patterns, especially originating from web servers or application processes.

 

  1. Identify suspicious use of legitimate binaries

Pay attention to abnormal execution of system binaries such as SystemSettings.exe from non-standard locations.

 

  1. Strengthen credential protection

Implement controls such as MFA, least privilege access, and protections for credential storage to mitigate post-compromise risks.

 

 

Conclusion

The StrikeShark campaign demonstrates that attackers continue to rely heavily on known vulnerabilities in exposed systems as an entry point. While the malware itself employs advanced techniques such as in-memory execution and API manipulation, the success of the attack often depends on unpatched or misconfigured services.

 

Organisations should treat vulnerability management and exposure reduction as critical components of their security strategy, as these measures can effectively disrupt the attack chain at its very first stage.

 

 

Reference Link