Date: 06/25/2026
Severity: High
Summary
Researchers discovered a previously undocumented malware loader named SharkLoader while investigating activity targeting a diplomatic organization in Indonesia. The malware is designed to deploy Cobalt Strike Beacon and has been delivered through the exploitation of internet-facing applications such as Microsoft Exchange, SharePoint, and Openfire Server, as well as malware-based infection chains. Related activity was observed across multiple countries and sectors, including government entities and software development organizations, indicating a broad and geographically diverse campaign. Tracked as StrikeShark, the operation currently lacks sufficient evidence for definitive attribution, although it utilizes several post-compromise tools commonly associated with Chinese-speaking developers.
Indicators of Compromise (IOC) List
Domains/URLs: connect-microsoft.com, ms-record.com, ms-record.top, ms-tray.top
Hash (MD5): the file hashes are listed in Detection Query 3 below.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "harivo.vip" or url like "harivo.vip" or siteurl like "harivo.vip"
Detection Query 3: md5hash IN ("B3352B42432DEDC4A519F011DC8B5D5A","9C872A0D5D5A38950E8B9AC9B488BE3F","24FCEBDEECBA65004FDB0923763D74FD","C559CC68986933200FD5D9E4388E2F58","AA3086BE652C8B20B0B29B2730D57119","A514D1BB62D7916475946FE7C07AC0AA","9CBD560F820C95D7C38342CD558CB5C6")
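As an added example (not part of this advisory or of Gurucul's tooling), the following Python applies the same indicator logic as the two detection queries to constructed log events. It assumes each event is a dict keyed by the query field names (domainname, url, siteurl, md5hash) and, unlike a substring "like" match, counts a host as a hit only when it equals an IOC domain or is a subdomain of one.

```python
from urllib.parse import urlparse
# Indicators copied from the advisory: the IOC domain list plus the domain in
# Detection Query 1, and the MD5 hashes in Detection Query 3 (compared lower-cased).
IOC_DOMAINS = {"harivo.vip", "connect-microsoft.com", "ms-record.com",
               "ms-record.top", "ms-tray.top"}
IOC_MD5 = {h.lower() for h in (
    "C559CC68986933200FD5D9E4388E2F58", "B3352B42432DEDC4A519F011DC8B5D5A",
    "24FCEBDEECBA65004FDB0923763D74FD", "9C872A0D5D5A38950E8B9AC9B488BE3F",
    "AA3086BE652C8B20B0B29B2730D57119", "A514D1BB62D7916475946FE7C07AC0AA",
    "9CBD560F820C95D7C38342CD558CB5C6")}

def extract_host(value):
    """Host part of a URL or bare hostname, lower-cased, trailing dot removed."""
    value = value.strip().lower()
    if "://" in value:
        return (urlparse(value).hostname or "").rstrip(".")
    # bare host, possibly followed by :port or /path
    return value.split("/", 1)[0].split(":", 1)[0].rstrip(".")

def domain_hit(value):
    """True if the host is an IOC domain or a subdomain of one. Stricter than a
    substring 'like' match: 'notms-record.top' is not a hit."""
    host = extract_host(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def match_event(event):
    """Names of the query fields in one log event that matched an indicator."""
    hits = [f for f in ("domainname", "url", "siteurl")
            if event.get(f) and domain_hit(event[f])]
    if event.get("md5hash", "").lower() in IOC_MD5:
        hits.append("md5hash")
    return hits

def scan(events):
    """Map event id -> matched fields for every event with at least one hit."""
    result = {}
    for event in events:
        hits = match_event(event)
        if hits:
            result[event["id"]] = hits
    return result

# Constructed sample events (not from the advisory), keyed like the query fields.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://cdn.harivo.vip/update.bin"},
    {"id": 2, "domainname": "notms-record.top"},
    {"id": 3, "siteurl": "http://ms-tray.top:8080/x",
     "md5hash": "c559cc68986933200fd5d9e4388e2f58"},
    {"id": 4, "md5hash": "00000000000000000000000000000000"},
]
```

Running scan(SAMPLE_EVENTS) flags events 1 and 3 only; event 2 shows why host-boundary matching matters when the same domains are searched with a substring operator.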
Reference:
https://securelist.com/strikeshark-campaign/120326/