Hackers Use Fake Cisco AnyConnect and Google Update Installers to Drop SharkLoader

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Cybersecurity researchers have uncovered a new malware loader called SharkLoader that is quietly slipping into networks by hiding inside fake software installers.

The tool has been spotted delivering Cobalt Strike Beacon, a well-known post-exploitation framework, onto compromised machines.

The campaign blends old-fashioned trickery, disguising malware as trusted programs, with advanced evasion engineering underneath.

The attackers, tracked under the cluster name StrikeShark, are not relying on a single way into a network.

They exploit known flaws in software such as Microsoft Exchange, SharePoint, Fortinet appliances, and Cisco IOS XE, while also handing out droppers that pretend to be tools like Cisco AnyConnect and Google Update.

This dual approach lets them reach victims without building new exploits.

PolySwarm said in a report shared with Cyber Security News (CSN) that their research shows the malware is not a simple downloader but a carefully staged loader built to avoid detection at every step.

It decrypts and runs almost entirely in memory, leaving little trace for antivirus tools to catch.

Confirmed victims span government bodies, diplomatic missions, and software firms across Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.

This spread suggests the operators are casting a wide net rather than chasing one target. Even so, the concentration of hits on diplomatic and government networks has raised questions about intelligence gathering motives.

Hackers Use Fake Cisco AnyConnect and Google Update Installers

The most eye-catching part of this campaign is how it uses trust against victims. By packaging SharkLoader inside installers branded to look like Cisco AnyConnect or Google Update, the attackers exploit the instinct to click familiar update prompts without a second thought.

Once launched, these fake installers quietly plant the loader while the victim believes they are updating legitimate software.

From there, SharkLoader abuses DLL side-loading, most often by hijacking a genuine Windows program named SystemSettings.exe so that it loads a malicious file called SystemSettings.dll.

Since the visible process is a real, signed Windows component, security tools relying on file reputation alone will not flag anything unusual.

Researchers also found the malware using Perfect DLL Hijacking, which manipulates internal Windows loader behavior to launch malicious threads while dodging safety locks.
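The side-loading pattern above (a signed SystemSettings.exe pulling in an attacker-supplied SystemSettings.dll) is easy to hunt for once image-load telemetry is available. The following Python is an added example, not PolySwarm's code or anything from the report: it reads records carrying the Sysmon Event ID 7 (ImageLoad) fields Image, ImageLoaded, Signed and SignatureStatus and flags loads that deviate from where the genuine binaries live. The "Key=Value|Key=Value" record format, the sample lines and the WINDOWS_DIRS baseline are constructed assumptions for this illustration.

```python
import ntpath

# Directories where the genuine SystemSettings.exe / SystemSettings.dll are
# expected to live. This baseline is an assumption for the example; tune it
# to your own golden image.
WINDOWS_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\immersivecontrolpanel",
)


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record (a constructed log format that
    carries the Sysmon Event ID 7 fields we need) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def in_windows_dir(path):
    """True if the file sits directly in, or under, one of WINDOWS_DIRS."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return any(directory == w or directory.startswith(w + "\\") for w in WINDOWS_DIRS)


def classify(evt):
    """Return a reason string when the load matches the side-loading pattern
    described in the article, or None when it looks like normal behaviour."""
    exe_path = evt.get("Image", "")
    dll_path = evt.get("ImageLoaded", "")
    if ntpath.basename(exe_path).lower() != "systemsettings.exe":
        return None
    if ntpath.basename(dll_path).lower() != "systemsettings.dll":
        return None
    # The signed host binary itself has been copied somewhere unexpected.
    if not in_windows_dir(exe_path):
        return f"SystemSettings.exe running from non-Windows path: {exe_path}"
    # The DLL is resolved from a directory an ordinary user can write to.
    if not in_windows_dir(dll_path):
        return f"SystemSettings.dll loaded from non-Windows path: {dll_path}"
    # Right place, but the loaded module is not validly signed.
    signed = evt.get("Signed", "").lower() == "true"
    valid = evt.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        return f"SystemSettings.dll in a Windows directory but not validly signed: {dll_path}"
    return None


def hunt(lines):
    """Run classify() over raw records; return (exe, dll, reason) for each hit."""
    hits = []
    for line in lines:
        evt = parse_event(line)
        reason = classify(evt)
        if reason:
            hits.append((evt.get("Image"), evt.get("ImageLoaded"), reason))
    return hits


# Constructed sample records (not real telemetry): one clean load, one copy of
# the host binary planted under a fake-installer folder, one unrelated process,
# and one load from the right directory whose module is not validly signed.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\ImmersiveControlPanel\SystemSettings.exe|ImageLoaded=C:\Windows\System32\SystemSettings.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Users\Public\CiscoAnyConnectUpdate\SystemSettings.exe|ImageLoaded=C:\Users\Public\CiscoAnyConnectUpdate\SystemSettings.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\shell32.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Windows\ImmersiveControlPanel\SystemSettings.exe|ImageLoaded=C:\Windows\System32\SystemSettings.dll|Signed=false|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for exe, dll, reason in hunt(SAMPLE_EVENTS):
        print(f"[SUSPECT] {reason}")
```

The location checks deliberately come before the signature check: file reputation is exactly what this technique is built to pass, so the first question a hunt should ask is where the host process and its module were loaded from, and only then whether the module's signature is valid.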

Layers of Evasion and What Comes Next

SharkLoader does not stop at getting in quietly; it also works hard to stay hidden afterward. The malware hooks numerous Windows API calls and redirects them to raw system calls generated on the fly, helping it slip past tools that watch for suspicious behavior.

It also tampers with Event Tracing for Windows logging and spoofs parent process IDs, blending its activity into normal system noise.

To stick around, the operators set up persistence through scheduled tasks that run every five minutes, registry Run keys, and additional scheduled tasks running with SYSTEM-level privileges.
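The two scheduled-task traits named above, a five-minute repetition and SYSTEM-level execution, can both be checked directly in the XML that Task Scheduler stores for each task. The following Python is an added example, not PolySwarm's code or anything from the report: it parses task definitions in the real Task Scheduler XML schema and reports tasks that repeat at five minutes or less, that launch an action from outside a trusted directory, or that do so as SYSTEM. The sample task definitions, their names and the TRUSTED_DIRS baseline are constructed assumptions for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler's XML namespace (real); everything else below is constructed.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_PRINCIPALS = {"s-1-5-18", "system", r"nt authority\system"}
# Assumed baseline of directories a legitimate task action should launch from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
MAX_BENIGN_REPEAT_SECONDS = 300  # repetition at or below five minutes is flagged


def iso_duration_seconds(text):
    """Convert an ISO 8601 duration (PT5M, PT1H30M, P1D) to seconds; None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m or text in ("P", "PT"):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_task(name, xml_text):
    """Extract repetition intervals, the principal and the action commands from task XML."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", NS)]
    user = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    commands = [(c.text or "").strip() for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    return {"name": name, "intervals": [i for i in intervals if i is not None],
            "user": (user or "").strip().lower(), "commands": commands}


def from_trusted_dir(command):
    """True if the executable in the action lives under one of TRUSTED_DIRS."""
    directory = command.strip('"').rsplit("\\", 1)[0].lower()
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def audit(task):
    """Return the reasons a parsed task deserves a look (empty list = nothing found)."""
    reasons = []
    for seconds in task["intervals"]:
        if seconds <= MAX_BENIGN_REPEAT_SECONDS:
            reasons.append(f"repeats every {seconds}s")
    untrusted = [c for c in task["commands"] if not from_trusted_dir(c)]
    for c in untrusted:
        reasons.append(f"action launches from outside trusted dirs: {c}")
    if untrusted and task["user"] in SYSTEM_PRINCIPALS:
        reasons.append("runs as SYSTEM while launching an untrusted path")
    return reasons


def audit_all(tasks):
    """tasks: {name: xml_text}. Returns {name: reasons} for tasks with findings."""
    findings = {}
    for name, xml_text in tasks.items():
        reasons = audit(parse_task(name, xml_text))
        if reasons:
            findings[name] = reasons
    return findings


# Constructed task definitions (names and paths are made up for the example).
SAMPLE_TASKS = {
    "DiskCleanupDaily": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\Windows\System32\cleanmgr.exe</Command></Exec></Actions>
</Task>""",
    "GoogleUpdateCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2024-01-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal><UserId>DESKTOP-01\alice</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\Users\Public\GoogleUpdate\SystemSettings.exe</Command></Exec></Actions>
</Task>""",
    "SystemSettingsSync": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\ProgramData\Updater\SystemSettings.exe</Command></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, reasons in audit_all(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the XML for each task can be read from the Task Scheduler store or exported with the built-in tooling and fed to audit_all() as {name: xml}; a SYSTEM task is not suspicious by itself, which is why the example only escalates on SYSTEM when the action also points outside the trusted baseline.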

They then move to reconnaissance, Active Directory enumeration, credential theft, LSASS memory dumping, and extraction of the NTDS database: classic steps toward controlling a network.

Cobalt Strike Beacon and several open-source post-exploitation tools are then used to move laterally between systems.

Researchers note with low to medium confidence that some tools used in this campaign appear to have been built by Chinese-speaking developers, though no solid links tie StrikeShark to a previously known group.

That attribution gap means defenders should treat this as a distinct threat rather than folding it into assumptions about a familiar actor.

PolySwarm recommends that organizations prioritize patching internet-facing applications and network appliances quickly, since exploitation of known flaws remains the main entry point here.

Security teams should also watch for unusual DLL side-loading behavior and hunt for signs of in-memory execution instead of depending only on static signatures.

Continued monitoring for behavioral indicators is essential, since the malware is engineered to slip past conventional detection.

Type      Indicator                                                         Description
SHA256    6a5f9bd0e4a0c385b98cc7b528be53a95ff9c4ccffa8c1f65448ab792a46186   Sample of a fake installer associated with SharkLoader delivery activity
Filename  SystemSettings.exe                                                Legitimate Windows binary abused for DLL side-loading
Filename  SystemSettings.dll                                                Malicious DLL loaded through the side-loading technique

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
