Published on July 3, 2026
SharkLoader Malware Uses Perfect DLL Hijacking to Execute Cobalt Strike in Memory
Severity
Medium
Researchers have identified a malware campaign involving SharkLoader, a custom loader used by an intrusion cluster tracked as StrikeShark to deploy Cobalt Strike Beacon entirely in memory. The campaign targets exposed internet-facing systems and employs multiple stealth techniques to minimize forensic evidence while maintaining long-term access to compromised environments.
How?
The attack begins by exploiting publicly known vulnerabilities affecting internet-facing services, including Microsoft Exchange, SharePoint, Openfire, GeoServer, Fortinet, Cisco IOS XE, Apache Shiro, F5 BIG-IP, Hikvision, and Zimbra. Threat actors also distribute custom droppers disguised as legitimate software, such as Cisco AnyConnect and Google Update, to gain initial access.
Following initial compromise, SharkLoader abuses trusted Windows binaries through DLL sideloading. In a common scenario, a legitimate Microsoft-signed executable such as SystemSettings.exe is copied into an attacker-controlled directory next to a malicious SystemSettings.dll. Because the Windows loader searches the executable's own directory before the system directories, the attacker's DLL is resolved instead of the legitimate one, and the malware runs inside a process whose image is a trusted, signed Windows binary.
The malware employs a multi-stage encrypted loader that decrypts and executes each stage directly in memory without writing recognizable payloads to disk. The final stage reflectively loads Cobalt Strike Beacon into memory, reducing the effectiveness of signature-based detection and limiting forensic artifacts.
Researchers also observed the use of Perfect DLL Hijacking, a technique that manipulates Windows loader structures to create malicious execution threads while avoiding typical DLL loading artifacts. Additional evasion capabilities include reflective loading, API hooking, Event Tracing for Windows (ETW) interference, PPID spoofing, custom encryption, and dynamic memory protection adjustments, making detection by endpoint security solutions significantly more challenging.
Persistence is achieved through scheduled tasks, including ones configured to run as SYSTEM, and registry Run keys. After establishing a foothold, the attackers typically perform host reconnaissance, Active Directory enumeration, credential theft including LSASS memory dumping and NTDS.dit extraction, and lateral movement, using Cobalt Strike Beacon alongside publicly available offensive tools.
Victims include government organizations, diplomatic entities, software development companies, and other sectors across Asia, Europe, the Middle East, and Latin America. Although some tooling contains characteristics associated with Chinese-speaking developers, researchers found insufficient evidence to confidently attribute the campaign to a specific threat actor or nation-state.
Recommendations
Organizations and users are advised to take the following precautions to reduce exposure to this threat:
- Apply security updates promptly to internet-facing systems and remediate known vulnerabilities.
- Monitor for suspicious DLL sideloading activity, particularly involving legitimate Windows executables such as SystemSettings.exe: a signed Windows binary running from outside its installed location, or loading a non-Microsoft DLL from its own directory, warrants investigation.
- Review systems for indicators of in-memory malware execution and abnormal process behavior associated with reflective loading.
- Implement behavioral monitoring capable of detecting API hooking, Event Tracing for Windows (ETW) interference, and other advanced evasion techniques.
- Investigate unusual scheduled tasks, registry Run entries, and signs of unauthorized lateral movement within the environment.
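As an added example that is not part of the original article or of the researchers' tooling, the script below applies the sideloading checks from the description above and from the monitoring recommendation to Sysmon Event ID 7 (ImageLoaded) records. The SystemSettings.exe host and its ImmersiveControlPanel home directory are real Windows facts; the sample events, the EXPECTED_HOME map, the handling of Sysmon's Signed/Signature fields and the flagging threshold are constructed assumptions to adapt to your own baseline.

```python
"""Triage Sysmon Event ID 7 (ImageLoaded) records for DLL sideloading.

Added example, not code from the article or the SharkLoader campaign.
It encodes the pattern the advisory describes: a signed Windows binary
(SystemSettings.exe) copied out of its normal location next to a
same-named malicious DLL, which the loader then resolves from the
binary's own directory ahead of System32.
"""
import ntpath

# Host binaries to watch, mapped to where they live on a stock install.
# ImmersiveControlPanel is the real home of SystemSettings.exe; extend the
# map with any other hosts you baseline (assumption: one home dir per host).
EXPECTED_HOME = {
    "systemsettings.exe": r"c:\windows\immersivecontrolpanel",
}

# Directories whose contents are OS-managed and normally Microsoft-signed.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\windows\immersivecontrolpanel",
)

# Constructed Sysmon-style records (not real telemetry): one benign load by
# the real SystemSettings.exe, one textbook sideload, one third-party app
# loading its own DLL, and one relocated host loading only system DLLs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\Libraries\SystemSettings.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\SystemSettings.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
    {"Image": r"C:\ProgramData\Update\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def norm_path(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def in_system_dir(path):
    """True if the file sits in (or below) an OS-managed directory."""
    d = ntpath.dirname(norm_path(path))
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def sideload_indicators(event):
    """Return (tag, detail) pairs explaining why the load looks like sideloading."""
    image, dll = norm_path(event["Image"]), norm_path(event["ImageLoaded"])
    host, host_dir = ntpath.basename(image), ntpath.dirname(image)
    dll_name, dll_dir = ntpath.basename(dll), ntpath.dirname(dll)
    reasons = []

    # 1. A watched host binary executing somewhere other than its real home.
    home = EXPECTED_HOME.get(host)
    if home and host_dir != home:
        reasons.append(("relocated_host", f"{host} ran from {host_dir}, expected {home}"))

    # 2. The DLL resolved from the host's own directory, outside the OS
    #    directories: the search-order behaviour sideloading relies on.
    if dll_dir == host_dir and not in_system_dir(dll):
        reasons.append(("dll_from_host_dir", dll))

    # 3. A DLL named after the host (SystemSettings.dll) that is not
    #    Microsoft-signed, per Sysmon's Signed/Signature fields.
    ms_signed = (event.get("Signed", "").lower() == "true"
                 and "microsoft" in event.get("Signature", "").lower())
    if dll_name == ntpath.splitext(host)[0] + ".dll" and not ms_signed:
        reasons.append(("unsigned_same_name_dll", dll_name))
    return reasons


def scan(events):
    """Flag events with a relocated host, or with two or more weaker indicators.

    A lone dll_from_host_dir hit is how every third-party app loads its own
    libraries, so on its own it is noise rather than a detection.
    """
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        tags = {tag for tag, _ in reasons}
        if "relocated_host" in tags or len(reasons) >= 2:
            hits.append((ev["Image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for tag, detail in reasons:
            print(f"  {tag}: {detail}")
```

Run against the constructed records, the script flags the SystemSettings.exe copy in C:\Users\Public\Libraries on all three indicators and the copy in C:\ProgramData\Update on relocation alone, while the genuine SystemSettings.exe loading ntdll.dll and the vendor application loading its own helper.dll pass. In production the same logic sits in a SIEM query over Sysmon Event ID 7, with EXPECTED_HOME populated from a gold image rather than a single hand-written entry.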
Source
https://gbhackers.com/sharkloader-malware-uses-dll-hijacking/
