{"id":13859,"date":"2026-06-25T10:03:39","date_gmt":"2026-06-25T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/25\/hackers-use-cisco-anyconnect-and-google-update-lures-to-drop-sharkloader-malware\/"},"modified":"2026-06-25T10:03:39","modified_gmt":"2026-06-25T10:03:39","slug":"hackers-use-cisco-anyconnect-and-google-update-lures-to-drop-sharkloader-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/25\/hackers-use-cisco-anyconnect-and-google-update-lures-to-drop-sharkloader-malware\/","title":{"rendered":"Hackers Use Cisco AnyConnect and Google Update Lures to Drop SharkLoader Malware"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A newly discovered malware family is spreading to systems worldwide by hiding inside fake software installers that look completely legitimate. <\/p>\n<p class=\"wp-block-paragraph\">Researchers have identified a campaign in which attackers disguise their malicious tools as trusted programs such as Cisco AnyConnect and Google Update, tricking users into running them without suspicion. 
<\/p>\n<p class=\"wp-block-paragraph\">Once the file is executed, a custom loader called SharkLoader quietly installs itself in the background.<\/p>\n<p class=\"wp-block-paragraph\">The campaign has a wide reach. 
Victims have been confirmed across Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. <\/p>\n<p class=\"wp-block-paragraph\">Targets include government agencies, diplomatic bodies, and software development firms, suggesting the attackers have both strategic and opportunistic goals in mind.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/securelist.com\/strikeshark-campaign\/120326\/\" id=\"https:\/\/securelist.com\/strikeshark-campaign\/120326\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Analysts at\u00a0Securelist\u00a0identified the malware and published a detailed report<\/a> shared with Cyber Security News (CSN), calling the broader campaign \u201cStrikeShark.\u201d <\/p>\n<p class=\"wp-block-paragraph\">Researchers say SharkLoader is designed to load and execute Cobalt Strike Beacon, a widely abused post-exploitation implant, on compromised machines, giving attackers remote access and control.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEik1XOzDmNcJNI-Kh_e8M7jT7O8iW3b55iNgAcqRL22XyPz1gMrzeqDnEQsfmqN0IQuihbJr91QcV8SGXqQla9WXcXdtn2YSkXt6Gmv8HQVl5oPJoEvdtKbcYexOEkrdWOzeyvykjtajFNcB_u-OfCBpBJu-_V5O6h-yZEqSwye1o1lXseuEp1KpZf5Ld8\/s16000\/Malicious%2520Cisco%2520Secure%2520Client%2520installer%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\" alt=\"Malicious Cisco Secure Client installer (Source - Securelist)\"><figcaption class=\"wp-element-caption\">Malicious Cisco Secure Client installer (Source \u2013 Securelist)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">The threat actor behind this campaign exploits a range of vulnerabilities in widely used enterprise software to break into target networks. <\/p>\n<p class=\"wp-block-paragraph\">These include known flaws in Microsoft Exchange, Microsoft SharePoint, Fortinet FortiOS, and Cisco IOS XE, among others. 
Researchers assess with medium confidence that the group relies on publicly available exploit code, which would make the initial-access activity largely opportunistic.<\/p>\n<p class=\"wp-block-paragraph\">Attribution remains preliminary. The researchers note that several post-exploitation tools observed in the campaign, including FScan, Searchall, and 
Pillager, were developed by Chinese-speaking individuals. <\/p>\n<p class=\"wp-block-paragraph\">However, no confirmed link to any <a href=\"https:\/\/cybersecuritynews.com\/iranian-hacking-group-apt42-attack-whatsapp-users\/\" id=\"76097\" target=\"_blank\" rel=\"noreferrer noopener\">known hacking group has been established<\/a>, and investigators continue to look into the campaign\u2019s full scope.<\/p>\n<h2 id=\"h-hackers-use-cisco-anyconnect-and-google-update-lures\" class=\"wp-block-heading\"><strong>Hackers Use Cisco AnyConnect and Google Update Lures<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">One of the most notable delivery methods in this campaign involves fake software installers that look identical to the real thing. <\/p>\n<p class=\"wp-block-paragraph\">In one analyzed sample, the <a href=\"https:\/\/cybersecuritynews.com\/cisco-anyconnect-vpn-server-vulnerability-2\/\" id=\"111617\" target=\"_blank\" rel=\"noreferrer noopener\">dropper contained a genuine Cisco AnyConnect VPN<\/a> installer compressed inside it. <\/p>\n<p class=\"wp-block-paragraph\">When the victim ran the file, the real installer launched and completed normally, creating a convincing illusion that nothing suspicious had happened.<\/p>\n<p class=\"wp-block-paragraph\">While that process played out, SharkLoader components were silently written to hidden directories in the background. The dropper also used files named GoogleUpdateStepup.exe and AutoUpdate.exe to pass as routine update utilities. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh4QpZhoOEkwMYL5BjdNzgz4joknHQT_A3TDAPNGT69KI1gk2euCd0SFdo3v1CjNeHG31X9MIryjC8fKmQjh6DW820KvKDZZ0LM808rFMOHlBhawO7u2eVbkgrEiwiGYcOCiquJzeEMlUrKIkKgf19ylcEMh7ZmDG2xnyqVUrppfFQKp7qBE5GOt19syhE\/s16000\/The%2520dropper%2520extracts%2520SystemSettings.dll%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\" alt=\"The dropper extracts SystemSettings.dll (Source - Securelist)\"><figcaption class=\"wp-element-caption\">The dropper extracts SystemSettings.dll (Source \u2013 Securelist)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Some samples additionally dropped decoy PDF documents on the victim\u2019s machine as a distraction while the malware installed itself quietly.<\/p>\n<p class=\"wp-block-paragraph\">After dropping its components, the malware created two Windows scheduled tasks to maintain persistence. <\/p>\n<p class=\"wp-block-paragraph\">The first task ran every five minutes, ensuring the loader was relaunched and stayed active over time. 
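<\/p>\n<p class=\"wp-block-paragraph\">The scheduled-task persistence described above leaves a clear audit trail when Task Scheduler object auditing is enabled: Security event 4698 carries the full task XML at creation time and 4699 records the deletion. The Python below is an added example, not code from the original article or from the Securelist report. It parses the TaskContent XML of constructed 4698 and 4699 records and flags three things a practitioner would look for: a repetition interval of ten minutes or less, an action whose executable lives outside the Windows or Program Files directories (the loader is dropped to hidden directories), and a task deleted within seconds of being created. The task names, paths, timestamps and thresholds are invented for this example.<\/p>\n
```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Windows Security audit events for Task Scheduler (Object Access auditing):
# 4698 = scheduled task created, 4699 = scheduled task deleted.
TASK_CREATED = 4698
TASK_DELETED = 4699

# Thresholds are assumptions for this example; tune them to your estate.
SHORT_INTERVAL_S = 600   # repeating every 10 minutes or less is rare for real updaters
EPHEMERAL_TASK_S = 30    # created and deleted within 30 s looks like a run-once launcher
TRUSTED_PREFIXES = ('c:/windows/', 'c:/program files')

BS = chr(92)             # a backslash, kept out of the source as a literal


def win_path(*parts):
    # Join path parts with a backslash (used only to build the sample data).
    return BS.join(parts)


def task_xml(command, interval=None):
    # Minimal TaskContent document of the shape carried by event 4698. Real
    # documents carry many more elements; the parser below only needs these.
    rep = ''
    if interval:
        rep = '<Repetition><Interval>' + interval + '</Interval></Repetition>'
    ns = '''<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>'''
    return (ns + '<Triggers><TimeTrigger>' + rep + '</TimeTrigger></Triggers>'
            + '<Actions><Exec><Command>' + command + '</Command></Exec></Actions></Task>')


def _local(tag):
    # Strip the {namespace} prefix ElementTree adds to tag names.
    return tag.rsplit('}', 1)[-1]


def _first_text(root, name):
    for el in root.iter():
        if _local(el.tag) == name and el.text:
            return el.text.strip()
    return None


_DURATION = re.compile('^P(?:([0-9]+)D)?(?:T(?:([0-9]+)H)?(?:([0-9]+)M)?(?:([0-9]+)S)?)?$')


def iso_duration_seconds(value):
    # Task Scheduler writes ISO 8601 durations such as PT5M, PT1S or P1DT2H.
    m = _DURATION.match(value or '')
    if not m or value in ('P', 'PT'):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_task(task_content):
    root = ET.fromstring(task_content)
    return {'command': _first_text(root, 'Command'),
            'interval_s': iso_duration_seconds(_first_text(root, 'Interval'))}


def is_trusted_path(command):
    # Normalise separators and surrounding quotes, then check the prefix.
    if not command:
        return False
    norm = command.lower().replace(BS, '/').strip(chr(34) + chr(39))
    return norm.startswith(TRUSTED_PREFIXES)


def analyse(events):
    # events: dicts with event_id, time (ISO 8601), task_name, task_content.
    findings = []
    created_at = {}
    for ev in sorted(events, key=lambda e: e['time']):
        t = datetime.fromisoformat(ev['time'])
        name = ev['task_name']
        if ev['event_id'] == TASK_CREATED:
            created_at[name] = t
            task = parse_task(ev['task_content'])
            if task['interval_s'] is not None and task['interval_s'] <= SHORT_INTERVAL_S:
                findings.append((name, 'short_interval', task['interval_s']))
            if not is_trusted_path(task['command']):
                findings.append((name, 'untrusted_command_path', task['command']))
        elif ev['event_id'] == TASK_DELETED and name in created_at:
            age = (t - created_at.pop(name)).total_seconds()
            if age <= EPHEMERAL_TASK_S:
                findings.append((name, 'ephemeral_task', age))
    return findings


# Constructed sample: one benign daily task plus the two patterns described above.
SAMPLE_EVENTS = [
    {'event_id': TASK_CREATED, 'time': '2026-06-01T09:15:00.000',
     'task_name': win_path('', 'Microsoft', 'Windows', 'WindowsUpdate', 'Scheduled Start'),
     'task_content': task_xml(win_path('C:', 'Windows', 'System32', 'usoclient.exe'), 'P1D')},
    {'event_id': TASK_CREATED, 'time': '2026-06-01T09:19:58.000',
     'task_name': win_path('', 'SystemSettingsSync'),
     'task_content': task_xml(win_path('C:', 'ProgramData', 'Sync', 'SystemSettings.exe'), 'PT5M')},
    {'event_id': TASK_CREATED, 'time': '2026-06-01T09:20:00.000',
     'task_name': win_path('', 'SystemSettingsInit'),
     'task_content': task_xml(win_path('C:', 'ProgramData', 'Sync', 'SystemSettings.exe'), 'PT1S')},
    {'event_id': TASK_DELETED, 'time': '2026-06-01T09:20:01.500',
     'task_name': win_path('', 'SystemSettingsInit'), 'task_content': None},
]

if __name__ == '__main__':
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```
\n<p class=\"wp-block-paragraph\">Run it stand-alone to print the findings, or feed it records exported from the Security log. The namespace handling and the duration parser are the parts worth keeping: real TaskContent documents carry a default XML namespace and express repetition as ISO 8601 intervals, and the deletion check needs the creation timestamp, so keep 4698 and 4699 in the same pipeline.<\/p>\n<p class=\"wp-block-paragraph\">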
The second fired every second immediately after deployment and was removed after about 1.5 seconds, most likely to guarantee that SharkLoader launched right away.<\/p>\n<h2 id=\"h-sharkloader-s-multi-stage-execution-and-evasion-methods\" class=\"wp-block-heading\"><strong>SharkLoader\u2019s Multi-Stage Execution and Evasion 
Methods<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">SharkLoader uses a multi-component structure to avoid detection. <a href=\"https:\/\/cybersecuritynews.com\/hackers-weaponize-legitimate-windows-tools\/\" id=\"146250\" target=\"_blank\" rel=\"noreferrer noopener\">It relies on DLL sideloading, where a legitimate Windows application<\/a> called SystemSettings.exe is copied to a new location and used to load a malicious file named SystemSettings.dll placed in the same directory. <\/p>\n<p class=\"wp-block-paragraph\">From there, the loader decrypts and executes additional encrypted modules entirely in memory, never writing the final payload to disk.<\/p>\n<p class=\"wp-block-paragraph\">One of those modules, DscCoreR.mui, is decrypted with the Blowfish cipher and contains the Cobalt Strike Beacon shellcode.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjx7zZv8dYsQBMrA5WrxofxY9wlGVlmyUJE-th8MMNYLP3xZxSqzegiagXNzQ-z_xNSH-7XlyTCaxaocEGj36rjuSrKU0ExpYBSV6an6ytHeY5kGAj8o4j1F8AlaCHTlZM5IgeiQfg2IJfQnVSDrBJqgnFjm0B26nzLB2CelgfQppP6twrH95FtytT4OiY\/s16000\/SharkLoader%2520infection%2520chain%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\" alt=\"SharkLoader infection chain (Source - Securelist)\"><figcaption class=\"wp-element-caption\">SharkLoader infection chain (Source \u2013 Securelist)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Another module, SyncRes.dat, is AES-128 encrypted and, once decrypted, installs numerous Windows API hooks designed to bypass security monitoring. 
These hooks redirect the intercepted calls through custom stubs, making the malware far harder to detect.<\/p>\n<p class=\"wp-block-paragraph\">The campaign also hooks the Windows event-tracing functions EtwEventWrite and EventWrite so that they return immediately without emitting an event, blinding any monitoring tool that relies on ETW telemetry or the system logs built from it. 
<\/p>\n<p class=\"wp-block-paragraph\">Researchers observed parent process ID (PPID) spoofing as well, making malicious child processes appear to have been launched by the legitimate svchost.exe process.<\/p>\n<p class=\"wp-block-paragraph\">After gaining a foothold, <a href=\"https:\/\/cybersecuritynews.com\/llm-based-lamehug-malware-dynamically-generate-commands\/\" id=\"128113\" target=\"_blank\" rel=\"noreferrer noopener\">attackers ran reconnaissance commands, dumped credentials<\/a> from the LSASS process, and used ntdsutil to copy the Active Directory database (NTDS.dit) so that domain password hashes could be extracted from it. <\/p>\n<p class=\"wp-block-paragraph\">These steps allowed the attacker to escalate privileges and move laterally through the network. Organizations are strongly advised to patch internet-facing applications, monitor scheduled task creation and deletion, and deploy endpoint tools capable of detecting in-memory threats.<\/p>\n<p class=\"wp-block-paragraph\" id=\"h-indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs)<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>MD5 Hash<\/td>\n<td>C559CC68986933200FD5D9E4388E2F58<\/td>\n<td>Installer<\/td>\n<\/tr>\n<tr>\n<td>MD5 Hash<\/td>\n<td>B3352B42432DEDC4A519F011DC8B5D5A<\/td>\n<td>Dropper<\/td>\n<\/tr>\n<tr>\n<td>MD5 Hash<\/td>\n<td>24FCEBDEECBA65004FDB0923763D74FD<\/td>\n<td>Dropper<\/td>\n<\/tr>\n<tr>\n<td>MD5 Hash<\/td>\n<td>9C872A0D5D5A38950E8B9AC9B488BE3F<\/td>\n<td>SharkLoader DLL<\/td>\n<\/tr>\n<tr>\n<td>MD5 Hash<\/td>\n<td>AA3086BE652C8B20B0B29B2730D57119<\/td>\n<td>SharkLoader DLL<\/td>\n<\/tr>\n<tr>\n<td>MD5 Hash<\/td>\n<td>A514D1BB62D7916475946FE7C07AC0AA<\/td>\n<td>Encrypted file (DscCoreR.mui)<\/td>\n<\/tr>\n<tr>\n<td>MD5 Hash<\/td>\n<td>9CBD560F820C95D7C38342CD558CB5C6<\/td>\n<td>Encrypted file (SyncRes.dat)<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>connect-microsoft[.]com<\/td>\n<td>C2 domain<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>ms-record[.]com<\/td>\n<td>C2 domain<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>ms-record[.]top<\/td>\n<td>C2 domain<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>ms-tray[.]top<\/td>\n<td>C2 domain<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>GoogleUpdateStepup.exe<\/td>\n<td>Malicious dropper lure<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>AnyConnect-win-4.10.04071-predeploy-k9exe<\/td>\n<td>Malicious dropper 
lure<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>AutoUpdate.exe<\/td>\n<td>Malicious dropper lure<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>SystemSettings.dll<\/td>\n<td>Main SharkLoader DLL<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>DscCoreR.mui<\/td>\n<td>Encrypted module with Cobalt Strike Beacon<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>SyncRes.dat<\/td>\n<td>Encrypted API hook DLL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>Domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-use-cisco-anyconnect-and-google-update-lures\/\">Hackers Use Cisco AnyConnect and Google Update Lures to Drop SharkLoader Malware<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Use Cisco AnyConnect and Google Update Lures to Drop SharkLoader Malware A newly discovered malware family is making its way onto systems worldwide by hiding inside fake software installers that look completely legitimate. 
Researchers have identified a campaign where attackers disguise their malicious tools as trusted programs like Cisco AnyConnect and Google Update, tricking [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13859","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13859"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13859"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13859\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}