HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

StrikeShark Campaign Deploys Cobalt Strike via SharkLoader Loader Across Global Targets

A new campaign named StrikeShark uses a custom SharkLoader DLL to drop Cobalt Strike beacons after exploiting public‑facing services such as Microsoft Exchange, SharePoint and Openfire. The activity spans diplomatic, government and software‑development organizations worldwide, highlighting a control gap that SOC 2 audit programs must evidence remediation for.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 securelist.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
securelist.com

StrikeShark Campaign Deploys Cobalt Strike via SharkLoader Loader Across Global Targets

What Happened – Researchers identified a new threat‑actor campaign, dubbed StrikeShark, that uses a custom loader called SharkLoader to drop a Cobalt Strike beacon on compromised hosts. The initial foothold is gained by exploiting public‑facing applications such as Microsoft Exchange (e.g., CVE‑2021‑26855 ProxyLogon), SharePoint and Openfire, as well as by delivering malicious dropper binaries. Infections have been observed in diplomatic, government and software‑development environments across Indonesia, Taiwan, Hong Kong, the Middle East, South America and Europe.

Why It Matters for Compliance & Audit Readiness

  • The attack exploits unpatched internet‑facing services – a classic control gap that SOC 2 CC6.1 (Logical Access) and CC7.1 (System Operations) require you to remediate and continuously monitor.
  • Continuous evidence of patch‑management, vulnerability scanning and privileged‑access reviews is essential to demonstrate due diligence during a SOC 2 audit.
  • Mapping the “exploit‑to‑beacon” chain to your control framework provides audit‑ready artifacts (scan reports, remediation tickets, log‑collection) that prove the effectiveness of your security controls.

Who Is Affected – Government & diplomatic bodies, software development firms, SaaS providers, and any organization exposing Exchange, SharePoint or similar web services to the internet.

Recommended Actions

  • Verify that all Exchange, SharePoint and Openfire instances are patched for known CVEs (e.g., CVE‑2021‑26855) and that a vulnerability‑management program is in place.
  • Enable continuous monitoring of inbound traffic to public‑facing services and integrate findings into your SOC 2 control evidence repository.
  • Review and tighten privileged‑access policies; enforce MFA and least‑privilege for accounts that can modify web‑application configurations.

Source: Kaspersky SecureList – StrikeShark Campaign

Technical Notes – The loader leverages a “PerfectDLL Hijacking” technique to inject malicious DLLs, registers a VEH (Vectored Exception Handler) for stealth, and ultimately spawns a Cobalt Strike beacon. Primary attack vectors are VULNERABILITY_EXPLOIT of internet‑facing applications; no specific data exfiltration was disclosed. Source: same as above

📰 Original Source
https://securelist.com/strikeshark-campaign/120326/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →