Sentinel Brief

SharkLoader's Cobalt Strike Attack Leaves No File on Disk


Photo by Markus Spiske on Unsplash

Key Takeaways
  • SharkLoader, identified by Kaspersky in June 2026 as part of the StrikeShark campaign, targets diplomatic and government entities across nine countries — executing entirely in memory so no payload file ever lands on disk for scanners to find.
  • The campaign exploits three known, patched CVEs: CVE-2021-26855 (Exchange ProxyLogon), CVE-2023-32315 (Openfire), and CVE-2024-36401 (GeoServer) — plus fake Cisco AnyConnect and Google Update installers as secondary delivery.
  • Post-compromise activity covers the full lateral-movement playbook: Active Directory enumeration, LSASS credential dumping, and NTDS database theft — putting every credential in the environment at risk.
  • As of July 3, 2026, according to Swif AI research, a single malware-as-a-service loader accounted for 45.61% of all malware-related incidents in 2025 — loader-based attacks now dominate the threat landscape, and SharkLoader represents the technique's leading edge.

The Threat: A Loader That Lives Entirely in Memory

45.61%. That is the share of all malware-related incidents in 2025 attributed to a single malware-as-a-service loader — Bunny Loader — according to research published as of July 3, 2026 by Swif AI. That statistic reframes the entire endpoint detection conversation: when nearly half of incidents trace back to one loader family, the loader is the weapon, not merely the delivery mechanism. SharkLoader, newly documented as the centerpiece of the StrikeShark campaign, takes that philosophy further than most.

According to reporting by Cyberpress.org, Kaspersky's Global Research and Analysis Team (GReAT) identified SharkLoader in June 2026 targeting diplomatic organizations in Indonesia, government agencies in Taiwan, and additional entities across Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. The geographic scope signals a well-resourced threat actor — this is not opportunistic spray-and-pray credential abuse; it is targeted espionage with geopolitical purpose.

The technical architecture is what gives SharkLoader its staying power. The loader exploits how Windows loads dynamic-link libraries through a method researchers call Perfect DLL Hijacking, injecting malicious code into a legitimate process while circumventing Windows Loader Lock (a kernel-level safeguard designed to prevent concurrent DLL loading conflicts). Every execution stage runs in memory. No payload file ever touches the filesystem. When the attack chain completes, the final stage — a Cobalt Strike Beacon, the commercial penetration-testing tool that has become the post-exploitation framework of choice for nation-state actors and ransomware groups alike — exists solely as decrypted shellcode in RAM, assembled through multi-stage Blowfish decryption. Traditional antivirus has nothing to scan.

Blast Radius: Who's Actually Inside the Kill Zone

Two infection vectors define this campaign's reach. The first is server-side exploitation. Kaspersky GReAT stated directly: "The attackers used exploitation of vulnerabilities in internet-facing applications such as Microsoft Exchange, Microsoft SharePoint, and Openfire servers." SharkLoader's operators walked through three specific doors: CVE-2021-26855, the Exchange ProxyLogon flaw patched in March 2021; CVE-2023-32315, an Openfire authentication bypass patched June 2023; and CVE-2024-36401, a GeoServer remote code execution flaw patched July 2024. No zero-days required. Every one of these has a vendor patch that organizations have had years — in some cases, over five years — to deploy.

The second vector is social engineering. Malicious droppers disguised as Cisco AnyConnect and Google Update installers give the campaign a foothold on endpoints where server-side exploitation is blocked. As of July 3, 2026, according to Astra Security research, 94% of all malware is delivered via email — primarily through phishing messages with malicious attachments or links. A security awareness gap around fake software updates remains one of the most exploitable weaknesses in the human layer of any defense stack.

Once inside, the post-compromise sequence is methodical: Active Directory enumeration, LSASS process memory dumping (targeting the Windows component that handles authentication tokens), NTDS database theft (the Active Directory store that holds every user credential in the domain), and deployment of open-source reconnaissance tools — FScan, Searchall, and Pillager — that researchers note are commonly associated with Chinese-speaking developers. This is full domain compromise, not a smash-and-grab.

The evasion stack compounds the problem. According to PolySwarm's analysis: "The loader consists of multiple encrypted stages that decrypt and execute entirely in memory before deploying Cobalt Strike Beacon, incorporating reflective loading, custom encryption routines, packed payloads, and staged execution to minimize forensic artifacts." Beyond that, security researchers documented that SharkLoader "redirects numerous Windows APIs to direct system calls generated at runtime, interferes with Event Tracing for Windows (ETW) logging, performs PPID spoofing, and dynamically modifies memory protections surrounding the embedded Cobalt Strike Beacon during sleep intervals." ETW interference means the standard Windows logging pipeline is intentionally blinded. PPID spoofing (making a malicious child process appear to have been spawned by a trusted parent) defeats process-tree analysis in many SIEM platforms. This is a purpose-built evasion architecture, not a loader that stumbled into a gap.

[Chart: 2026 Threat Landscape: Key Attack Vector Rates (% share). 94%: malware delivered via email; 79%: stolen credentials used for initial access; 45.61%: single loader (Bunny Loader, 2025).]

Chart: As of July 3, 2026, three attack-vector rates defining the current threat landscape — sourced from Swif AI and Astra Security research. Note that as of July 3, 2026, according to Swif AI, 79% of initial access in 2026 now uses stolen credentials rather than traditional malware delivery, while loader-based attacks dominate the malware category itself.

The Defense Stack That Changes the Math

SharkLoader targets three specific gaps in conventional defenses: in-memory execution (no file for antivirus to scan), ETW interference (no Windows event logs to trigger SIEM alerts), and PPID spoofing (process tree appears legitimate). A defense stack architected for file-based threats fails against all three. Layered controls close each gap.

Tech controls — memory scanning first. Endpoint detection and response (EDR) platforms with memory integrity scanning — CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint — detect Cobalt Strike Beacon shellcode in RAM by watching execution patterns and API call sequences rather than file signatures. The critical caveat: many organizations have EDR deployed but have not enabled the in-memory scanning modules, which often ship in higher licensing tiers or require explicit configuration. Check that configuration today.

Windows Defender Credential Guard, when enabled, isolates the LSASS process inside a virtualization-based security boundary, blocking the direct memory access that credential dumping depends on. This is a compensating control that limits post-compromise blast radius even if the Beacon runs successfully — the attackers can maintain a C2 channel but cannot pull credential hashes from LSASS.

Process controls — software allowlisting. Application allowlisting (a policy that only permits approved, signed executables to run) directly breaks the fake-installer delivery vector. A malicious Cisco AnyConnect dropper cannot execute if the policy blocks unsigned or unrecognized software. When paired with a managed software distribution workflow, the social engineering vector loses its teeth without requiring any security awareness training to be perfect — which it never will be.

Detection — threat intelligence integration. Cobalt Strike C2 infrastructure has identifiable TLS certificate fingerprints and heartbeat timing patterns that network detection and response (NDR) tools flag even when the endpoint-side beacon evades scrutiny. Open-source threat intelligence feeds tracking active Cobalt Strike C2 servers are available through projects maintained by the security research community. This same behavioral anomaly detection — the kind that the AI Agents Daily analysis of MCP Tool Poisoning highlighted as critical for catching lateral movement in AI-era attack chains — is what surfaces Active Directory enumeration activity immediately after initial compromise.
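The heartbeat timing pattern mentioned above is something a defender can check for directly in connection logs, independent of any vendor product. The following is an added example, not code from this article, from Kaspersky, or from any NDR vendor: it parses a few constructed Zeek-style connection records (timestamp, source, destination, port; none of these addresses are real indicators) and flags flows whose inter-connection gaps are nearly constant, which is what a periodic beacon looks like on the wire. The thresholds `min_connections` and `max_jitter` are assumptions to be tuned per environment.

```python
"""Beacon-interval detector over constructed connection logs.

Added example (not from the original article or any vendor tool). Flags
(src, dst, port) flows whose outbound connections recur at near-constant
intervals. All log lines below are constructed, not captured traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "ts src dst dport" lines. The first flow checks in
# roughly every 60 seconds; the second is irregular user-driven traffic.
SAMPLE_LOG = """\
2026-07-03T10:00:00 10.0.0.5 203.0.113.10 443
2026-07-03T10:01:00 10.0.0.5 203.0.113.10 443
2026-07-03T10:02:01 10.0.0.5 203.0.113.10 443
2026-07-03T10:03:00 10.0.0.5 203.0.113.10 443
2026-07-03T10:04:01 10.0.0.5 203.0.113.10 443
2026-07-03T10:05:00 10.0.0.5 203.0.113.10 443
2026-07-03T10:00:12 10.0.0.7 198.51.100.20 443
2026-07-03T10:03:40 10.0.0.7 198.51.100.20 443
2026-07-03T10:04:02 10.0.0.7 198.51.100.20 443
2026-07-03T10:15:55 10.0.0.7 198.51.100.20 443
2026-07-03T10:16:10 10.0.0.7 198.51.100.20 443
2026-07-03T10:40:00 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Group timestamps by (src, dst, dport); returns sorted lists per flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    for stamps in flows.values():
        stamps.sort()
    return dict(flows)


def interval_stats(timestamps):
    """Mean and population std-dev of the gaps (seconds) between connections."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return mean(gaps), pstdev(gaps)


def find_beacons(flows, min_connections=5, max_jitter=0.2):
    """Return flows whose gap coefficient of variation is at or below max_jitter.

    A real beacon may be configured with deliberate jitter, so this is a first
    filter to corroborate with TLS fingerprints and threat-intel feeds, not a
    verdict on its own. Thresholds are assumed values; tune them per network.
    """
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        avg, sd = interval_stats(stamps)
        if avg <= 0:
            continue
        cv = sd / avg
        if cv <= max_jitter:
            hits.append({
                "flow": key,
                "connections": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        src, dst, port = hit["flow"]
        print(f"possible beacon {src} -> {dst}:{port} "
              f"every ~{hit['mean_interval_s']}s (cv={hit['cv']})")
```

On the constructed sample only the 10.0.0.5 flow is flagged (mean gap 60 s, coefficient of variation about 0.015); the irregular 10.0.0.7 flow is not. In production this runs over hours of records per host pair, and the low-jitter hits are then joined against the C2 certificate and infrastructure feeds the paragraph describes.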

The arms race context matters here. As of July 3, 2026, according to Swif AI research, AI-generated script execution during cyberattacks rose 134% year-over-year from 2024 to 2025 — the fastest-growing threat tactic category tracked. Defenders who rely exclusively on signature databases built before 2023 will not win this engagement.

Ship This Control Today

One action. Not thirty.

Audit which systems in your environment are running Openfire, GeoServer, or any Exchange deployment below the March 2021 patch level — and remove internet-facing exposure for any unpatched instance before end of business today. These three CVEs are the literal front door in the StrikeShark campaign. No novel exploitation required; this threat actor walks through doors that should have been bolted years ago. If your incident response runbook does not include a quarterly check for unpatched internet-facing application servers, this campaign is the reason to add one.
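One way to turn that audit into a repeatable check, as an added example that is not from this article or from any vendor tooling: the script below walks a constructed asset inventory and flags any Exchange, Openfire or GeoServer instance whose last patch month predates the fix month the article gives for its CVE, putting internet-facing hits first. The hostnames, products and patch dates are constructed; the three fix months (March 2021, June 2023, July 2024) come from the text, and exact fixed build numbers should be confirmed against the vendor advisories before acting on real systems.

```python
"""Exposure audit for the three StrikeShark CVEs over a constructed inventory.

Added example, not code from the article or from any vendor. Fix months are
the ones the article states; hostnames and patch dates are constructed.
"""
from datetime import date

# CVE -> (product, fix year, fix month), as stated in the article.
FIX_MONTH = {
    "CVE-2021-26855": ("Microsoft Exchange", 2021, 3),
    "CVE-2023-32315": ("Openfire", 2023, 6),
    "CVE-2024-36401": ("GeoServer", 2024, 7),
}

# Constructed inventory: (hostname, product, last patch date, internet-facing).
INVENTORY = [
    ("mail-01", "Microsoft Exchange", date(2020, 11, 10), True),
    ("mail-02", "Microsoft Exchange", date(2025, 1, 14), True),
    ("chat-01", "Openfire", date(2022, 9, 2), True),
    ("chat-02", "Openfire", date(2024, 3, 30), False),
    ("gis-01", "GeoServer", date(2024, 2, 19), False),
    ("gis-02", "GeoServer", date(2026, 5, 5), True),
    ("web-01", "nginx", date(2026, 6, 1), True),
]


def is_below_fix_level(product, last_patched):
    """Return the CVE id if the asset's patch month predates the fix month.

    Month-level comparison is deliberate: the article gives fix months, not
    build numbers, so a host patched within the fix month still needs a
    manual check against the vendor advisory.
    """
    for cve, (cve_product, year, month) in FIX_MONTH.items():
        if product == cve_product and (last_patched.year, last_patched.month) < (year, month):
            return cve
    return None


def audit(inventory):
    """Flag unpatched instances; internet-facing ones first, then oldest patch level."""
    findings = []
    for host, product, last_patched, exposed in inventory:
        cve = is_below_fix_level(product, last_patched)
        if cve is None:
            continue
        findings.append({
            "host": host,
            "product": product,
            "cve": cve,
            "last_patched": last_patched.isoformat(),
            "internet_facing": exposed,
            "action": ("remove internet exposure now, then patch"
                       if exposed else "patch in the next maintenance window"),
        })
    findings.sort(key=lambda f: (not f["internet_facing"], f["last_patched"]))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        flag = "EXPOSED" if f["internet_facing"] else "internal"
        print(f"{f['host']:8} {f['product']:18} {f['cve']} "
              f"last patched {f['last_patched']} [{flag}] -> {f['action']}")
```

Feed it your real CMDB export in place of `INVENTORY` and the internet-facing rows at the top of the output are the ones to pull from the edge before end of business; the same function can be scheduled as the quarterly check the paragraph recommends.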

As of July 3, 2026, according to StationX research, 560,000 new and distinct malware threats are identified daily worldwide. The patch backlog problem is not abstract — it is the reason campaigns like StrikeShark succeed despite using five-year-old vulnerabilities as their primary entry point. Data protection begins with the unglamorous work of maintaining patch currency on internet-exposed applications.

My read: the targeting pattern here — diplomatic missions and government agencies across nine countries — signals nation-state infrastructure. But I would argue that assessment should not make commercial organizations comfortable. Cobalt Strike is a dual-use framework, and once a loader's evasion stack is validated against hardened government targets, the technique migrates downstream to ransomware affiliates within months. The in-memory execution techniques that SharkLoader demonstrated will appear in commodity ransomware toolkits before year end. Ship the patch. Audit the EDR memory scanning configuration. Add Credential Guard to your hardening baseline. In that order, and before the technique commoditizes.

Frequently Asked Questions

What is SharkLoader malware and how does it bypass standard antivirus detection?

SharkLoader is a multi-stage malware loader discovered by Kaspersky in June 2026 as the primary tool in the StrikeShark espionage campaign. It uses Perfect DLL Hijacking — exploiting how Windows loads library files — to inject malicious code into a legitimate running process while bypassing Windows Loader Lock (a kernel safeguard preventing concurrent library loading conflicts). Every execution stage decrypts and runs in memory through embedded Blowfish keys, assembling a Cobalt Strike Beacon entirely in RAM with no payload file written to disk. Because traditional antivirus relies on scanning files and matching signatures, a payload that never touches the filesystem evades most standard defenses. It additionally interferes with Windows Event Tracing (ETW), the built-in logging mechanism, to suppress the log entries that SIEM platforms would otherwise alert on.

How can security teams detect in-memory Cobalt Strike Beacon infections like the ones SharkLoader deploys?

Modern EDR platforms including CrowdStrike Falcon, SentinelOne Singularity, and Microsoft Defender for Endpoint include memory integrity scanning modules that detect shellcode execution patterns, suspicious API call sequences, and Cobalt Strike's characteristic beacon heartbeat behavior even when no file exists on disk. At the network layer, Cobalt Strike C2 traffic carries identifiable TLS certificate fingerprints and timing patterns that network detection and response tools flag. Enabling Windows Defender Credential Guard limits the blast radius if a beacon does execute successfully — it prevents direct LSASS memory access, blocking the credential dumping step the StrikeShark campaign depends on for lateral movement. Integrating active threat intelligence feeds tracking known Cobalt Strike infrastructure into your SIEM is an additional compensating control.

Which specific CVEs does the StrikeShark campaign exploit, and how long have patches been available?

The StrikeShark campaign exploits three distinct vulnerabilities, all with available vendor patches: CVE-2021-26855, the Microsoft Exchange ProxyLogon remote code execution flaw (patched March 2021, now over five years old); CVE-2023-32315, an Openfire authentication bypass vulnerability (patched June 2023); and CVE-2024-36401, a GeoServer remote code execution flaw (patched July 2024). The campaign additionally distributes malicious droppers disguised as Cisco AnyConnect and Google Update installers for environments where server-side exploitation is blocked. No zero-day vulnerabilities are required — this campaign succeeds entirely through patch backlog and social engineering, which means patch currency on internet-facing applications is the primary defensive action available.

Disclaimer: This article is editorial commentary for informational purposes only and does not constitute professional security consulting advice. Statistics and findings cited reflect publicly available research; always verify current data with primary sources. Always consult with a qualified cybersecurity professional for your organization's specific needs. Research based on publicly available sources current as of July 3, 2026.