The article describes the StrikeShark campaign, which uses new malware called SharkLoader to deploy Cobalt Strike agents. Initial access was obtained by exploiting vulnerabilities in public-facing applications such as Microsoft Exchange and SharePoint. SharkLoader combines dropper-based distribution with DLL hijacking to maintain persistence and support post-compromise activity.
The malware employs sophisticated techniques, including a 'Perfect DLL Hijacking' method and API hooking, to evade detection. Victims include government entities in multiple countries, indicating both opportunistic and strategic targeting, although direct attribution to a specific threat actor remains unclear.
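The article gives no file names or indicators for SharkLoader, so the following is an added example, not code from the article or from the campaign's tooling, of the hunt a defender would run for the DLL hijacking behaviour it describes. It is a generic search-order hijacking heuristic over Sysmon Event ID 7 (image load) records: flag a DLL that carries the name of a library normally found in System32, is loaded from the executable's own directory rather than a Windows system directory, and is either unsigned or has an invalid signature. The pipe-delimited record layout, the DLL name list and the sample events are constructed for the example; the field names match Sysmon's, nothing else is taken from the article.

```python
"""Hunt for DLL search-order hijacking / sideloading in Sysmon Event ID 7 records.

Added example, not code from the article. The heuristic is an assumption:
a DLL that carries the name of a library normally found in System32, is loaded
from the loading executable's own directory (outside the Windows system
directories), and is unsigned or carries an invalid signature, is a sideloading
candidate worth triage.
"""
from dataclasses import dataclass
import ntpath

# Assumption: a short, constructed list of System32 library names that are
# frequently abused for sideloading. A real deployment would build this from
# a known-good host's %SystemRoot%\System32 listing.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "userenv.dll"}

# Directories from which loading these libraries is expected.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


@dataclass
class ImageLoad:
    image: str             # process executable that loaded the DLL
    image_loaded: str      # full path of the DLL that was mapped
    signed: bool           # Sysmon 'Signed' field
    signature_status: str  # Sysmon 'SignatureStatus' field, e.g. 'Valid'


def parse_sysmon_event7(line: str) -> ImageLoad:
    """Parse a flattened 'Key: Value|Key: Value' Event ID 7 record.

    The pipe-delimited layout is a constructed stand-in for however a SIEM
    exports Sysmon fields; only the field names match Sysmon's.
    """
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")  # split at the first colon only, paths contain ':'
        fields[key.strip()] = value.strip()
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Apply the search-order hijacking heuristic to one image-load event."""
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.image).lower()
    dll_name = ntpath.basename(ev.image_loaded).lower()

    # Loaded from a Windows system directory: the expected location, ignore.
    if dll_dir.startswith(SYSTEM_DIRS):
        return False
    # Only system-library names are interesting; a vendor's own DLL next to
    # its own EXE is normal.
    if dll_name not in SYSTEM_DLL_NAMES:
        return False
    # A system-library name resolved from the EXE's directory first is the
    # search-order hijack. A validly signed copy (vendors do redistribute
    # some Microsoft DLLs) is left alone; unsigned or broken signature is flagged.
    return dll_dir == exe_dir and (not ev.signed or ev.signature_status != "Valid")


def hunt(lines):
    """Return the subset of records that look like DLL sideloading."""
    return [ev for ev in map(parse_sysmon_event7, lines) if is_sideload_candidate(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\svchost.exe|ImageLoaded: C:\Windows\System32\version.dll|Signed: true|SignatureStatus: Valid",
    r"Image: C:\Users\Public\Update\viewer.exe|ImageLoaded: C:\Users\Public\Update\version.dll|Signed: false|SignatureStatus: Unavailable",
    r"Image: C:\Program Files\Vendor\app.exe|ImageLoaded: C:\Program Files\Vendor\vendorlib.dll|Signed: true|SignatureStatus: Valid",
    r"Image: C:\ProgramData\tool\tool.exe|ImageLoaded: C:\ProgramData\tool\dbghelp.dll|Signed: true|SignatureStatus: Invalid",
    r"Image: C:\Program Files\Vendor\app.exe|ImageLoaded: C:\Program Files\Vendor\dbghelp.dll|Signed: true|SignatureStatus: Valid",
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"SIDELOAD CANDIDATE: {ev.image} loaded {ev.image_loaded}")
```

Run against the constructed sample, the hunt flags the unsigned version.dll under C:\Users\Public and the dbghelp.dll with an invalid signature under C:\ProgramData, and leaves the System32 load, the vendor's own library and the validly signed redistributed dbghelp.dll alone. The signature check is what keeps the false-positive rate tolerable; a hunt on name and directory alone fires on every application that legitimately ships a copy of a Microsoft DLL.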