SharkLoader loader activity deploying Cobalt Strike Beacon
Malware Activity
Summary
A newly observed SharkLoader malware operation is staging Cobalt Strike Beacon on compromised Windows hosts, expanding post-compromise control and persistence risk. The loader reaches systems through DLL sideloading and malicious installers, including a `SystemSettings.exe` / `SystemSettings.dll` chain. Some samples use decoy PDF lures and staged components to unpack and launch the beacon. The activity raises exposure for organizations hit through public-facing application exploits and installer-based delivery.
Related Happenings
StrikeShark SharkLoader and Cobalt Strike Beacon campaign
Campaign
H score: 42
First: 26.06.2026 21:17
Last: 26.06.2026 21:17
Sources: 1
How related:
Kaspersky, which is tracking the activity under the moniker StrikeShark, said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.
About this happening:
The **StrikeShark** campaign is deploying **SharkLoader** to load **Cobalt Strike Beacon** on compromised hosts, raising the risk of broader follow-on intrusion activity. It has t...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score: 20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources: 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
LummaStealer infection surge via CastleLoader
Malware Activity
H score: 30
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources: 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
GachiLoader kidkadi.node adds VEH-based PE injection for in-memory payload swapping
Technical Analysis
H score: 6
First: 19.12.2025 17:34
Last: 19.12.2025 17:34
Sources: 1
About this happening:
A new **GachiLoader** variant uses **kidkadi.node** to perform **PE injection** through **Vectored Exception Handling**, creating an in-memory swapping technique that raises detec...
KONNI AutoIt loader and RAT delivery activity
Malware Activity
H score: 22
First: 11.11.2025 18:45
Last: 11.11.2025 18:45
Sources: 1
About this happening:
**KONNI** operators used a disguised **MSI installer** to drop an **AutoIt loader** that established persistence and fetched additional payloads, raising the impact of the intrusi...
Timeline
26.06.2026 21:17 · 2 articles
Kaspersky tracks StrikeShark campaign deploying SharkLoader and Cobalt Strike
Initial Disclosure: Kaspersky said the newly tracked StrikeShark campaign uses the previously undocumented SharkLoader malware family to deploy Cobalt Strike Beacon on compromised hosts, with targeting that includes a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies, and other entities across multiple countries. The activity is linked to public-facing application exploitation, malicious installers and droppers, web shells, DLL side-loading through SystemSettings.exe and SystemSettings.dll, and post-compromise reconnaissance and credential theft, while the operators are assessed as likely Chinese-speaking.
Sources:
- New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks — thehackernews.com — 26.06.2026 21:17