Threats · 4 min read · 27 June 2026

SharkLoader: A Custom-Built Stager Is Planting Cobalt Strike Beacon on Asian Government Networks

Kaspersky researchers tracking a campaign called StrikeShark have identified a previously undocumented loader family dropping Cobalt Strike Beacon on a diplomatic organization in Indonesia and government targets in Taiwan — a targeting profile that points squarely to state-sponsored espionage.

Elena Fischer, Threat Intelligence Analyst

A previously unknown malware loader called SharkLoader is being used to stage Cobalt Strike Beacon against diplomatic and government networks across Southeast and East Asia, with Kaspersky researchers tracking the broader campaign under the name StrikeShark.

What We Know So Far

The confirmed victim list is short but telling. A diplomatic organization in Indonesia and multiple government bodies in Taiwan have been identified. Small, high-value, geopolitically sensitive — that combination separates espionage operations from commodity ransomware crews almost immediately. No formal attribution has been published.

SharkLoader functions as a stager. Its sole operational job is to fetch and execute Cobalt Strike Beacon on a host that has already been compromised through some earlier access method. The initial access vector, persistence mechanism, and command-and-control infrastructure for the Beacon payloads have not been detailed in public reporting as of this writing. Indicators of compromise have not been widely circulated either.

Cobalt Strike itself is not new. Cracked and leaked builds have circulated among threat actors for years, and any Beacon callback on a government network should be treated as a full-host compromise until forensic work proves otherwise. The Verizon 2024 Data Breach Investigations Report found that stolen credentials and exploitation of vulnerabilities together accounted for the majority of breach entry points — Beacon excels at facilitating both once it lands.

Why Build a Custom Loader at All?

This is the question that matters most. Dozens of open-source shellcode loaders already exist on public repositories. A threat actor who invests engineering time in a bespoke delivery component — one that has never appeared in published threat-intel feeds — is almost certainly doing so to defeat specific endpoint detection and response (EDR) coverage or YARA signatures they have already tested against.

That implies one of two things. Either the operators conducted pre-engagement reconnaissance of the target's security tooling, or they wanted longer dwell time than any known-bad loader would provide. Neither possibility is comforting for defenders.

SharkLoader is the visible artifact. It is not the objective. Post-Beacon activity in campaigns with this targeting profile typically includes credential harvesting from mail systems, lateral movement toward domain controllers, and staging for longer-term implants. None of that activity surfaces in loader telemetry alone.

The Control Failures Worth Examining

Two failure modes stand out here, and neither is exotic.

First, EDR policy posture. Memory-scanning capabilities built into modern endpoint agents will catch Beacon's named-pipe patterns, sleep-mask behaviors, and process-injection artifacts — but only when policies are configured for active detection rather than prevention-only mode. Organizations that accept vendor defaults without tuning for their environment are leaving a reliable detection surface unused. Beacon has well-documented staging URI conventions and Malleable C2 profile fingerprints that have been catching real intrusions for years. Turning those detections on costs nothing.

Second, egress visibility from sensitive environments. StrikeShark's victimology — a handful of high-value diplomatic and government targets — suggests the operators are burning short-lived VPS infrastructure on small target sets rather than routing through compromised CDN nodes. That traffic pattern, low-reputation hosting receiving small volumes of outbound connections from privileged workstations or servers, is exactly what DNS and proxy logging is designed to surface. If those logs are not being reviewed against threat-intel feeds, the visibility gap is open.
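The egress review described above, as an added example that is not part of the original post or of Kaspersky's reporting: it walks proxy log lines, keeps only traffic from privileged hosts, and flags destinations whose domain was registered recently or whose IP carries a low-reputation hosting tag. The log format, hostnames, domains, registration dates and reputation tags are all constructed for illustration; in practice the two lookup tables would be fed from WHOIS/RDAP or passive DNS and from a threat-intel or ASN feed.

```python
"""Egress review for privileged hosts: flag small-volume outbound
connections from sensitive workstations or servers to recently
registered domains or low-reputation hosting.  Added example, not from
the original post.  Every log line, domain age and reputation tag
below is constructed for illustration."""
from collections import defaultdict
from datetime import date, datetime

# Constructed proxy log: timestamp, source host, destination domain,
# destination IP, bytes out.  Real proxies use their own formats.
PROXY_LOG = """\
2026-06-20T08:01:13Z wks-dipl-07 mail.corp-internal.test 10.20.0.5 1823
2026-06-20T08:02:40Z wks-dipl-07 cdn-updates-example.test 203.0.113.10 412
2026-06-20T08:03:05Z wks-dipl-07 cdn-updates-example.test 203.0.113.10 388
2026-06-20T09:15:22Z srv-dc-01 time.corp-internal.test 10.20.0.9 96
2026-06-20T09:40:51Z wks-hr-02 news-site-example.test 198.51.100.7 20480
2026-06-20T10:12:07Z srv-dc-01 vps-box-example.test 198.51.100.23 512
"""

# Hosts whose outbound traffic deserves the closest look (constructed).
PRIVILEGED_HOSTS = {"wks-dipl-07", "srv-dc-01"}

# Constructed lookup standing in for a WHOIS/RDAP or passive-DNS source.
DOMAIN_REGISTERED = {
    "cdn-updates-example.test": date(2026, 6, 12),  # 8 days before the log
    "news-site-example.test": date(2015, 3, 1),
    "vps-box-example.test": date(2026, 5, 30),      # 21 days before the log
}

# Constructed tags standing in for a threat-intel / ASN reputation feed.
IP_REPUTATION = {
    "203.0.113.10": "low-rep-vps",
    "198.51.100.23": "low-rep-vps",
    "198.51.100.7": "ok",
}

MAX_DOMAIN_AGE_DAYS = 30  # assumption: younger than this is worth a look


def parse_line(line):
    ts, src, domain, ip, nbytes = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "domain": domain, "ip": ip, "bytes": int(nbytes)}


def review_egress(log_text, privileged, registered, reputation,
                  max_age_days=MAX_DOMAIN_AGE_DAYS):
    """Return one finding per (host, domain) pair where a privileged host
    talked to young or low-reputation infrastructure."""
    flows = defaultdict(lambda: {"count": 0, "bytes": 0, "ip": None, "first": None})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["src"] not in privileged:
            continue  # only sensitive hosts are in scope for this review
        f = flows[(ev["src"], ev["domain"])]
        f["count"] += 1
        f["bytes"] += ev["bytes"]
        f["ip"] = ev["ip"]
        f["first"] = ev["ts"] if f["first"] is None else min(f["first"], ev["ts"])

    findings = []
    for (src, domain), f in flows.items():
        reasons = []
        reg = registered.get(domain)
        if reg is not None:
            age = (f["first"].date() - reg).days
            if age < max_age_days:
                reasons.append(f"domain registered {age} days before first contact")
        if reputation.get(f["ip"]) == "low-rep-vps":
            reasons.append("destination IP tagged low-reputation VPS")
        if reasons:
            # Connection count and byte volume are kept so the analyst can see
            # the "small volume from a privileged host" shape directly.
            findings.append({"host": src, "domain": domain, "ip": f["ip"],
                             "connections": f["count"], "bytes_out": f["bytes"],
                             "reasons": reasons})
    return sorted(findings, key=lambda x: (x["host"], x["domain"]))


if __name__ == "__main__":
    for hit in review_egress(PROXY_LOG, PRIVILEGED_HOSTS, DOMAIN_REGISTERED, IP_REPUTATION):
        print(hit)
```

Internal destinations are never looked up, so they fall through silently; the interesting property of the two flagged flows is that both are low-volume, which is why a volume threshold alone would miss them.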

Organizations operating in the sectors and regions targeted by StrikeShark should also examine whether their staff recognize the social-engineering pretexts that typically precede initial access in diplomatic-targeting campaigns. Spearphishing with region-specific lures remains a primary delivery method for this class of intrusion, and security-awareness training that teaches users to recognize contextually convincing lures is one of the cheapest detection controls available at the human layer.

Practical Hunting Guidance

If you operate in Southeast or East Asia, or support diplomatic and government customers in those regions, here is where to focus:

  • Hunt for Beacon artifacts in memory. Named-pipe handles, reflective DLL load events, and anomalous thread injection into trusted processes are all reliable signals. Tune your EDR memory-scanning policies to alert, not just block.
  • Review outbound connections from high-value hosts. Short-lived VPS nodes, recently registered domains, and hosting providers with poor reputational history are the infrastructure signature to watch for.
  • Treat any novel loader as a deliberate decision. When you encounter an unknown stager, the right question is not just what it drops — it is what the operator does after the Beacon phones home. Credential access and lateral movement to mail and directory systems are the logical next steps in a campaign with this targeting profile.
  • Cross-reference new samples against Kaspersky's StrikeShark reporting. Until broader IOC publication, that remains the primary mapping reference for defenders with regional telemetry.
  • Apply network segmentation between diplomatic workstations and back-end systems. If Beacon lands on an end-user device, segmentation limits the blast radius before lateral movement begins.
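An added example, not from the original post, of how the memory-artifact signals in the first hunting item can be scored per host: thread injection into a trusted process from an unexpected source, a module load with no backing file on disk (the shape a reflective load takes in most endpoint telemetry), and named-pipe creation by a process outside the baseline. The event schema, the sample events, the allow-lists and the weights are all constructed assumptions; map the field names to whatever your EDR actually exports and build the allow-lists from your own baseline.

```python
"""Per-host triage of constructed endpoint telemetry for Beacon-style
memory artifacts.  Added example, not from the original post.  The
event fields, allow-lists, weights and sample events are assumptions
made for illustration."""

# Processes an operator typically injects into (constructed, tune locally).
TRUSTED_TARGETS = {"explorer.exe", "svchost.exe", "rundll32.exe", "dllhost.exe"}
# Baseline of processes allowed to create remote threads / named pipes.
EXPECTED_INJECTORS = {"edr-agent.exe"}          # constructed placeholder name
EXPECTED_PIPE_CREATORS = {"services.exe", "spoolsv.exe"}

# Weights: injection and unbacked loads are strong, a stray pipe is weak.
WEIGHTS = {"remote_thread": 3, "unbacked_load": 3, "unexpected_pipe": 1}
ESCALATE_AT = 4  # assumption: two weak signals alone do not page anyone

# Constructed sample events, one dict per telemetry record.
SAMPLE_EVENTS = [
    {"host": "wks-dipl-07", "type": "remote_thread",
     "source": "winword.exe", "target": "explorer.exe"},
    {"host": "wks-dipl-07", "type": "image_load",
     "process": "explorer.exe", "backing_file": None},
    {"host": "wks-dipl-07", "type": "pipe_create",
     "process": "explorer.exe", "pipe": r"\\.\pipe\constructed-example-1"},
    {"host": "srv-dc-01", "type": "remote_thread",
     "source": "edr-agent.exe", "target": "svchost.exe"},
    {"host": "srv-dc-01", "type": "image_load",
     "process": "svchost.exe", "backing_file": r"C:\Windows\System32\ntdll.dll"},
    {"host": "wks-hr-02", "type": "pipe_create",
     "process": "spoolsv.exe", "pipe": r"\\.\pipe\spoolss"},
]


def classify(ev):
    """Return the finding label for one event, or None if it is benign."""
    if ev["type"] == "remote_thread":
        if ev["target"] in TRUSTED_TARGETS and ev["source"] not in EXPECTED_INJECTORS:
            return "remote_thread"
    elif ev["type"] == "image_load":
        if ev["backing_file"] is None:      # executable module with no file on disk
            return "unbacked_load"
    elif ev["type"] == "pipe_create":
        if ev["process"] not in EXPECTED_PIPE_CREATORS:
            return "unexpected_pipe"
    return None


def triage(events):
    """Aggregate weighted findings per host; every host seen gets an entry."""
    hosts = {}
    for ev in events:
        entry = hosts.setdefault(ev["host"], {"score": 0, "findings": []})
        label = classify(ev)
        if label is not None:
            entry["score"] += WEIGHTS[label]
            entry["findings"].append((label, ev))
    return hosts


def prioritize(triaged, threshold=ESCALATE_AT):
    """Hosts at or above the threshold, highest score first."""
    return [h for h, e in sorted(triaged.items(), key=lambda kv: -kv[1]["score"])
            if e["score"] >= threshold]


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host in prioritize(result):
        print(host, result[host]["score"], [f[0] for f in result[host]["findings"]])
```

The point of the weighting is the one the article makes about EDR posture: these events are already in the telemetry on most agents, and the work is deciding which combinations deserve an analyst rather than a silent block.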

What Happens Next

The honest forecast is that IOCs will firm up as more victims are identified. Early-stage campaigns with narrow targeting tend to expand before defenders fully characterize the infrastructure. The window between first detection and broad IOC publication is exactly when defenders relying on indicator-matching alone are most exposed.

SharkLoader is a single visible component in what is likely a larger toolkit. The tradecraft investment in building a custom loader signals an operator who expects to run this campaign for a while. Defenders in the affected sectors should treat this as a persistent threat, not a one-off.

Train2Secure will continue to track the StrikeShark campaign as public reporting develops. For organizations assessing their current detection posture, the Train2Secure standards and compliance resources include guidance on aligning endpoint detection policies with frameworks covering targeted intrusion threats.

How to reduce your exposure to loader-based intrusions

  • Audit your EDR policies to confirm memory-scanning and behavioral detection are enabled, not just file-based prevention — Beacon artifacts are reliably caught when those policies are active.
  • Establish DNS and proxy logging on diplomatic and government workstations and review outbound traffic against threat-intel feeds for short-lived VPS nodes and recently registered domains.
  • Train staff in targeted sectors to recognize spearphishing lures with regional and diplomatic themes, which remain the most common initial-access method in campaigns of this type.

Train2Secure's security-awareness modules include scenarios built around targeted spearphishing and social engineering — the human-layer controls that technical tooling alone cannot replace.


Frequently asked questions

What is SharkLoader and what does it do?

SharkLoader is a newly identified malware loader — a stager — whose sole function is to fetch and execute Cobalt Strike Beacon on a host that has already been compromised. It has not previously appeared in public threat-intelligence feeds, which suggests it was purpose-built to evade existing detection coverage.

Who are the confirmed targets of the StrikeShark campaign?

Kaspersky has identified a diplomatic organization in Indonesia and government organizations in Taiwan as confirmed victims. The narrow, high-value targeting profile is consistent with state-sponsored espionage rather than financially motivated cybercrime.

Why is a custom loader more dangerous than an off-the-shelf one?

Known open-source loaders have existing YARA signatures and EDR detections written against them. A bespoke loader has no prior detection coverage, giving operators a head start on dwell time. Building one also implies the threat actor tested their tooling against the target's defenses before deploying — a meaningful level of pre-engagement preparation.

What should defenders do right now if they operate in the affected regions?

Tune EDR memory-scanning policies to actively detect Cobalt Strike Beacon artifacts rather than operating in prevention-only mode. Review outbound connections from high-value hosts for traffic to low-reputation or newly registered infrastructure. Cross-reference any unknown loader samples against Kaspersky's StrikeShark reporting until broader IOC publication occurs.
