New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts. Kaspersky, which is tracking the activity under the moniker StrikeShark, said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan,

The article reports Kaspersky’s discovery of the StrikeShark campaign, in which threat actors use a new SharkLoader malware family to deploy Cobalt Strike Beacon via exploitation of internet-facing applications (e.g., Exchange/ProxyLogon, Openfire, GeoServer) and droppers masquerading as legitimate installers like Google Update or Cisco AnyConnect.[1][2][5] The campaign targets government, diplomatic, and software development organizations across Asia, Latin America, and Europe, leveraging DLL side-loading, API hook installation, and encrypted modules for stealthy command-and-control, reconnaissance, lateral movement, and data exfiltration.[2][3][5] From a CyberSE.AI perspective, this reflects sophisticated non-AI malware but is highly relevant to AI security because similar tradecraft (living-off-the-land tooling, masquerading installers, exploit chains against exposed services) can be repurposed to compromise AI infrastructure, model hosts, and agent runtimes, then abuse Cobalt Strike-like tooling for persistent access to AI systems and training data. Organizations should apply continuous red teaming against AI-related infrastructure, integrate CISO-level oversight to