
SharkLoader Uses Perfect DLL Hijacking to Deploy Cobalt Strike Across 11 Countries
The SharkLoader campaign exploited eight public CVEs to install Cobalt Strike through a novel DLL hijacking technique on entities in eleven countries. Evidence shows opportunistic Chinese-speaking operators using GitHub PoCs and open-source post-exploitation tools, with no ties to known groups. The pattern suggests rapid expansion to additional exposed servers within weeks.
The campaign chained known remote code execution flaws with web shells and custom droppers masquerading as Google Update or Cisco AnyConnect. Once resident, a SystemSettings.dll loaded through Perfect DLL Hijacking decrypted DscCoreR.mui, then hooked VirtualAlloc and Sleep with MinHook and Microsoft Detours to stage Cobalt Strike in a suspended thread. The open-source tools FScan and Pillager appeared in the post-exploitation phase.
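As an added defender-side illustration (this is not code from the Kaspersky write-up or from any project named here), the following Python triages constructed Sysmon Event ID 7 image-load records for the file-level signs of the chain above: a SystemSettings.dll loaded from outside the Windows directories, a DscCoreR.mui companion file sitting outside a language folder, and a vendor-named loader process running from a user-writable path. The trusted-directory lists, the vendor-name hints and the sample events are assumptions made for the example.

```python
import ntpath
import re

# File names are the ones the write-up gives; the directory lists and the
# vendor-name hints are assumptions made for this example, not report indicators.
HIJACK_DLLS = {"systemsettings.dll"}
COMPANION_FILES = {"dsccorer.mui"}
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
PROGRAM_DIRS = (r"c:\program files", r"c:\program files (x86)")
MASQUERADE_HINTS = ("googleupdate", "anyconnect")
LANG_FOLDER = re.compile(r"[a-z]{2}(-[a-z]{2,4})?")  # e.g. en-us, zh-hant

def _norm(path):
    return ntpath.normpath(path).lower()

def _under(path, roots):
    return any(_norm(path).startswith(_norm(r) + "\\") for r in roots)

def triage_image_load(event):
    """Findings for one Sysmon Event ID 7 record (Image, ImageLoaded, Signed)."""
    findings = []
    loaded, loader = _norm(event["ImageLoaded"]), _norm(event["Image"])
    name = ntpath.basename(loaded)
    if name in HIJACK_DLLS and not _under(loaded, WINDOWS_DIRS):
        findings.append("system-named dll loaded from outside the Windows directories")
    # Genuine .mui resources sit in a language subfolder beside their binary.
    if name in COMPANION_FILES and not LANG_FOLDER.fullmatch(
            ntpath.basename(ntpath.dirname(loaded))):
        findings.append("companion .mui outside a language folder")
    if findings and event.get("Signed", "true").lower() == "false":
        findings.append("loaded image is unsigned")
    if any(h in ntpath.basename(loader) for h in MASQUERADE_HINTS) \
            and not _under(loader, PROGRAM_DIRS):
        findings.append("vendor-named process running outside Program Files")
    return findings

SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"Image": r"C:\Windows\System32\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\SystemSettings.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\Public\SystemSettings.dll", "Signed": "false"},
    {"Image": r"C:\Users\Public\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\Public\DscCoreR.mui", "Signed": "false"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["ImageLoaded"], "->", "; ".join(triage_image_load(event)) or "clean")
```

The first sample record is the legitimate Windows binary loading its own DLL and yields no findings; the other two reproduce the user-writable staging pattern and are flagged on every check.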
The victim list spans diplomatic entities, national governments, and software firms across Hong Kong, Lebanon, Syria, Nepal, and Serbia. No infrastructure overlap with documented Chinese groups was found, yet the consistent use of GitHub-hosted PoCs and Chinese-language tooling points to opportunistic contractors rather than state tasking. This matches patterns seen in prior campaigns that pivoted from public exploits to Cobalt Strike within hours of disclosure.
The absence of zero-days and the reliance on CVEs from 2016 to 2025 indicate that the operators prioritize speed of deployment over stealth. Continued monitoring of public PoC repositories will likely surface the next wave of targets before attribution solidifies.
SENTINEL: At least three additional government victims in East Asia will be publicly reported within 45 days as operators integrate new Fortinet and Cisco PoCs.
Sources (3)
- [1] Kaspersky StrikeShark Analysis (https://securelist.com/strikeshark-sharkloader-cobalt-strike/)
- [2] The Hacker News Coverage (https://thehackernews.com/2026/06/new-sharkloader-malware-deploys-cobalt.html)
- [3] Elliot Killick, Perfect DLL Hijacking Research (https://elliotkillick.com/perfect-dll-hijacking/)