
Hackers Use Cisco AnyConnect and Google Update Lures to Drop SharkLoader Malware

A newly discovered malware family is making its way onto systems worldwide by hiding inside fake software installers that look completely legitimate.

Researchers have identified a campaign where attackers disguise their malicious tools as trusted programs like Cisco AnyConnect and Google Update, tricking users into running them without suspicion.

Once the file is executed, a custom loader called SharkLoader quietly installs itself in the background.

The campaign has a wide reach. Victims have been confirmed across Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.

Targets include government agencies, diplomatic bodies, and software development firms, suggesting the attackers have both strategic and opportunistic goals in mind.

Analysts at Securelist identified the malware and published a detailed report shared with Cyber Security News (CSN), calling the broader campaign “StrikeShark.”

Researchers say SharkLoader is designed to load and execute a well-known hacking tool called Cobalt Strike Beacon onto compromised machines, giving attackers deep remote access and control.

Malicious Cisco Secure Client installer (Source – Securelist)

The threat actor behind this campaign exploits a range of vulnerabilities in widely used enterprise software to break into target networks.

These include known flaws in Microsoft Exchange, Microsoft SharePoint, Fortinet FortiOS, and Cisco IOS XE, among others. Researchers assess with medium confidence that the group relies on publicly available exploit code, making the activity largely opportunistic.

Attribution remains preliminary, as the researchers note that several post-exploitation tools observed in the campaign, including FScan, Searchall, and Pillager, were developed by Chinese-speaking individuals.

However, no confirmed link to any known hacking group has been established, and investigators continue to look into the campaign’s full scope.

Hackers Use Cisco AnyConnect and Google Update Lures

One of the most notable delivery methods in this campaign involves fake software installers that look identical to the real thing.

In one analyzed sample, the dropper contained a genuine Cisco AnyConnect VPN installer compressed inside it.

When the victim ran the file, the real installer launched and completed normally, creating a convincing illusion that nothing suspicious had happened.

While that process played out, SharkLoader components were silently written to hidden directories in the background. The dropper also used files named GoogleUpdateStepup.exe and AutoUpdate.exe to appear as routine update utilities.

The dropper extracts SystemSettings.dll (Source – Securelist)

Some samples additionally dropped decoy PDF documents on the victim’s machine as a distraction while the malware installed itself quietly.

After dropping its components, the malware created two Windows scheduled tasks to maintain persistence.

The first task ran every five minutes, ensuring the loader stayed active over time. The second fired every second immediately after deployment, then was removed after about 1.5 seconds, likely to guarantee SharkLoader launched right away.
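The two scheduled tasks described above (a five-minute repeater plus a one-second task removed within seconds) leave a recognisable trace in the Windows Security log as event 4698 (task created) and 4699 (task deleted). The following detection sketch is an added example written for this page, not code from Securelist or Cyber Security News: it parses the TaskContent XML of constructed 4698 records, flags short repetition intervals, short-lived tasks and commands launched from untrusted directories. The task names, timestamps and the C:\Users\Public path in the sample data are invented, and TRUSTED_DIRS is an assumption to tune for your own estate.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by Task Scheduler task definitions (the TaskContent field of event 4698).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Directories from which scheduled tasks normally run (assumption; extend for your estate).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_iso_duration(text):
    """Convert a Task Scheduler ISO 8601 duration such as PT5M, PT1S or P7D to seconds."""
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def make_task_xml(interval, command):
    """Build a minimal task definition with one repeating trigger (constructed sample data)."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS[1:-1]}">'
        "<Triggers><TimeTrigger>"
        f"<Repetition><Interval>{interval}</Interval></Repetition>"
        "<StartBoundary>2024-05-06T10:00:00</StartBoundary><Enabled>true</Enabled>"
        "</TimeTrigger></Triggers>"
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
    )


def task_profile(task_xml):
    """Return (shortest repetition interval in seconds or None, list of commands) for a task."""
    root = ET.fromstring(task_xml)
    intervals = [parse_iso_duration(e.text) for e in root.iter(TASK_NS + "Interval") if e.text]
    commands = [e.text for e in root.iter(TASK_NS + "Command") if e.text]
    return (min(intervals) if intervals else None), commands


def analyze_task_events(events, max_interval=300, short_lived=10):
    """Flag task creations (4698) that repeat at least every `max_interval` seconds,
    are deleted (4699) within `short_lived` seconds, or run a command from an untrusted directory."""
    deleted_at = {}
    for ev in events:
        if ev["EventID"] == 4699:
            deleted_at.setdefault(ev["TaskName"], datetime.fromisoformat(ev["TimeCreated"]))
    findings = []
    for ev in events:
        if ev["EventID"] != 4698:
            continue
        created = datetime.fromisoformat(ev["TimeCreated"])
        interval, commands = task_profile(ev["TaskContent"])
        reasons = []
        if interval is not None and interval <= max_interval:
            reasons.append(f"repeats every {interval}s")
        if ev["TaskName"] in deleted_at:
            age = (deleted_at[ev["TaskName"]] - created).total_seconds()
            if 0 <= age <= short_lived:
                reasons.append(f"deleted {age:.0f}s after creation")
        for cmd in commands:
            if not cmd.lower().startswith(TRUSTED_DIRS):
                reasons.append(f"runs {cmd} from an untrusted directory")
        if reasons:
            findings.append({"task": ev["TaskName"], "reasons": reasons})
    return findings


# Constructed sample events modelled on Security log events 4698/4699.
# Task names, times and the C:\Users\Public path are invented for illustration.
LURE_DIR = r"C:\Users\Public\Libraries"
SAMPLE_EVENTS = [
    {"EventID": 4698, "TimeCreated": "2024-05-06T10:00:00", "TaskName": r"\Update Task A",
     "TaskContent": make_task_xml("PT5M", LURE_DIR + r"\SystemSettings.exe")},
    {"EventID": 4698, "TimeCreated": "2024-05-06T10:00:01", "TaskName": r"\Update Task B",
     "TaskContent": make_task_xml("PT1S", LURE_DIR + r"\SystemSettings.exe")},
    {"EventID": 4699, "TimeCreated": "2024-05-06T10:00:03", "TaskName": r"\Update Task B"},
    {"EventID": 4698, "TimeCreated": "2024-05-06T11:00:00",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": make_task_xml("P7D", r"C:\Windows\System32\defrag.exe")},
]

if __name__ == "__main__":
    for finding in analyze_task_events(SAMPLE_EVENTS):
        print(finding["task"], "->", "; ".join(finding["reasons"]))
```

A five-minute interval on its own is common for legitimate software, so treat each reason as a triage signal; the combination of a tight interval, a task that disappears within seconds and a command outside the usual install directories is what makes the pair described above stand out. Note that 4698/4699 require the "Other Object Access Events" audit subcategory to be enabled.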

SharkLoader’s Multi-Stage Execution and Evasion Methods

SharkLoader uses a multi-component structure to avoid detection. It relies on DLL sideloading, where a legitimate Windows application called SystemSettings.exe is copied to a new location and used to load a malicious file named SystemSettings.dll.

From there, the loader decrypts and executes additional encrypted modules entirely in memory, never writing the final payload to disk.
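The sideloading step has two observable parts: a signed Windows binary (SystemSettings.exe) is written somewhere outside the system root, and, once launched from there, it loads a same-named DLL from its own directory. The following is an added example, not code from Securelist or the article, showing how those two signals can be pulled from Sysmon-style records (event 11, file created; event 7, image loaded). The field names follow Sysmon; the paths, the GoogleUpdateStepup.exe creator and the "Signed" values in the sample records are constructed, and SIDELOAD_HOSTS is a watchlist you would extend from your own telemetry.

```python
import ntpath

# Legitimate Windows binaries known to be relocated and abused as DLL sideloading hosts.
# SystemSettings.exe comes from the report; add further names from your own telemetry.
SIDELOAD_HOSTS = {"systemsettings.exe"}
SYSTEM_ROOT = "c:\\windows\\"


def _outside_system_root(path):
    return not path.lower().startswith(SYSTEM_ROOT)


def sideload_candidates(events):
    """Scan Sysmon-style records for two signals of the chain described above:
    event 11 (file created): a sideloading host binary written outside the system root;
    event 7 (image loaded): that binary, running from the new location, loads an unsigned
    DLL from its own directory."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 11:
            path = ev["TargetFilename"]
            if ntpath.basename(path).lower() in SIDELOAD_HOSTS and _outside_system_root(path):
                findings.append({"signal": "host binary copied outside system root",
                                 "path": path, "by": ev.get("Image")})
        elif ev.get("EventID") == 7:
            exe_dir, exe_name = ntpath.split(ev["Image"])
            dll_dir, _ = ntpath.split(ev["ImageLoaded"])
            if exe_name.lower() not in SIDELOAD_HOSTS or not _outside_system_root(ev["Image"]):
                continue
            if dll_dir.lower() != exe_dir.lower():
                continue  # system DLLs loaded from System32 are expected
            if ev.get("Signed", "false").lower() == "true":
                continue
            findings.append({"signal": "relocated host loaded unsigned colocated DLL",
                             "process": ev["Image"], "dll": ev["ImageLoaded"]})
    return findings


# Constructed Sysmon-style records (field names follow Sysmon; values are invented).
LURE_DIR = r"C:\Users\Public\Libraries"
SAMPLE_SYSMON = [
    {"EventID": 11, "Image": LURE_DIR + r"\GoogleUpdateStepup.exe",
     "TargetFilename": LURE_DIR + r"\SystemSettings.exe"},
    {"EventID": 11, "Image": LURE_DIR + r"\GoogleUpdateStepup.exe",
     "TargetFilename": LURE_DIR + r"\SystemSettings.dll"},
    {"EventID": 7, "Image": LURE_DIR + r"\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"EventID": 7, "Image": LURE_DIR + r"\SystemSettings.exe",
     "ImageLoaded": LURE_DIR + r"\SystemSettings.dll", "Signed": "false"},
    # The binary running from its normal location under the system root is not flagged.
    {"EventID": 7, "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in sideload_candidates(SAMPLE_SYSMON):
        print(finding)
```

The colocation check matters: a relocated SystemSettings.exe still loads ntdll.dll and other system DLLs from System32, and those loads are normal. Only a DLL that sits next to the moved binary and is not signed is worth an alert, and the preceding file-creation event tells you which process planted it.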

One of those modules, DscCoreR.mui, is decrypted using a Blowfish cipher and contains the Cobalt Strike Beacon shellcode.

SharkLoader infection chain (Source – Securelist)

Another module, SyncRes.dat, uses AES-128 encryption and installs numerous Windows API hooks designed to bypass security monitoring. These hooks redirect system calls through custom stubs, making the malware far harder to detect.

The campaign also hooks Windows event logging functions such as EtwEventWrite and EventWrite, forcing them to return empty values and blinding any monitoring tools that rely on system logs.

Researchers observed parent process ID spoofing as well, making malicious child processes appear as if they were launched by the legitimate svchost.exe process.

After gaining a foothold, attackers ran reconnaissance commands, dumped credentials from the LSASS process, and used ntdsutil to extract Active Directory password hashes.

These steps allowed the attacker to move through the network and escalate privileges. Organizations are strongly advised to patch internet-facing applications, monitor scheduled task creation, and deploy endpoint tools capable of detecting in-memory threats.

Indicators of Compromise (IoCs):

Type       Indicator                                   Description
MD5 Hash   C559CC68986933200FD5D9E4388E2F58            Installer
MD5 Hash   B3352B42432DEDC4A519F011DC8B5D5A            Dropper
MD5 Hash   24FCEBDEECBA65004FDB0923763D74FD            Dropper
MD5 Hash   9C872A0D5D5A38950E8B9AC9B488BE3F            SharkLoader DLL
MD5 Hash   AA3086BE652C8B20B0B29B2730D57119            SharkLoader DLL
MD5 Hash   A514D1BB62D7916475946FE7C07AC0AA            Encrypted file (DscCoreR.mui)
MD5 Hash   9CBD560F820C95D7C38342CD558CB5C6            Encrypted file (SyncRes.dat)
Domain     connect-microsoft[.]com                     C2 domain
Domain     ms-record[.]com                             C2 domain
Domain     ms-record[.]top                             C2 domain
Domain     ms-tray[.]top                               C2 domain
Filename   GoogleUpdateStepup.exe                      Malicious dropper lure
Filename   AnyConnect-win-4.10.04071-predeploy-k9exe   Malicious dropper lure
Filename   AutoUpdate.exe                              Malicious dropper lure
Filename   SystemSettings.dll                          Main SharkLoader DLL
Filename   DscCoreR.mui                                Encrypted module with Cobalt Strike Beacon
Filename   SyncRes.dat                                 Encrypted API hook DLL

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
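To put the table to use you have to refang the domains for matching while keeping the defanged form in anything you write back out. The script below is an added example for this page, not tooling from Securelist or Cyber Security News: it indexes a subset of the rows above, refangs the domains in memory only, and matches constructed resolver log lines (the line format, client addresses and timestamps are invented) and a list of observed MD5 hashes against them. The subdomain check is label-aware, so a lookup for a longer name that merely begins with an indicator does not produce a false hit.

```python
import re

# Rows transcribed from the IoC table above (type, indicator, description).
IOC_ROWS = [
    ("MD5 Hash", "C559CC68986933200FD5D9E4388E2F58", "Installer"),
    ("MD5 Hash", "9C872A0D5D5A38950E8B9AC9B488BE3F", "SharkLoader DLL"),
    ("Domain", "connect-microsoft[.]com", "C2 domain"),
    ("Domain", "ms-record[.]com", "C2 domain"),
    ("Domain", "ms-record[.]top", "C2 domain"),
    ("Domain", "ms-tray[.]top", "C2 domain"),
]


def refang(indicator):
    """Reverse common defanging ([.], (.), {.}) so a value can be compared with telemetry.
    Keep refanged values in memory only; reports and tickets should carry the defanged form."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator)


def defang(domain):
    """Render a domain in the display form used by the table above."""
    return domain.replace(".", "[.]")


def load_iocs(rows):
    """Index the table by type, lower-casing hashes and refanging domains for lookup."""
    domains, hashes = {}, {}
    for kind, value, description in rows:
        if kind == "Domain":
            domains[refang(value).lower()] = description
        elif kind.endswith("Hash"):
            hashes[value.lower()] = description
    return {"domains": domains, "hashes": hashes}


def matching_domain(qname, domains):
    """Return the indicator that qname equals or is a subdomain of, else None.
    The label boundary check stops 'ms-record.topsecret.example' matching 'ms-record.top'."""
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed resolver log format: "<timestamp> client=<ip> query=<name> type=<rrtype>".
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def scan_dns_log(lines, iocs):
    """Match resolver log lines against the domain indicators; output stays defanged."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        hit = matching_domain(m["qname"], iocs["domains"])
        if hit:
            hits.append({"client": m["client"], "query": defang(m["qname"].rstrip(".")),
                         "ioc": defang(hit), "description": iocs["domains"][hit]})
    return hits


def check_hashes(observed, iocs):
    """Return {observed hash: description} for every hash present in the indicator set."""
    return {h: iocs["hashes"][h.lower()] for h in observed if h.lower() in iocs["hashes"]}


# Constructed resolver log lines; clients and timestamps are invented.
SAMPLE_DNS_LOG = [
    "2024-05-06T10:02:11Z client=10.0.0.5 query=update.ms-record.top type=A",
    "2024-05-06T10:02:12Z client=10.0.0.5 query=www.microsoft.com type=A",
    "2024-05-06T10:02:15Z client=10.0.0.9 query=connect-microsoft.com. type=AAAA",
    "2024-05-06T10:02:20Z client=10.0.0.9 query=ms-record.topsecret.example type=A",
]

if __name__ == "__main__":
    iocs = load_iocs(IOC_ROWS)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print(hit)
    print(check_hashes(["c559cc68986933200fd5d9e4388e2f58"], iocs))
```

The trailing-dot handling covers resolvers that log fully qualified names, and the output dictionaries carry only defanged strings, so they can be pasted into a ticket or SIEM case without creating a clickable link to live infrastructure.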

The post Hackers Use Cisco AnyConnect and Google Update Lures to Drop SharkLoader Malware appeared first on Cyber Security News.

Source: cybersecuritynews.com
