Friday, December 8, 2023

Chinese Threat Actor Targeting Ukraine Since the Russian Invasion

For the first time since Russia invaded Ukraine, the Computer Emergency Response Team (CERT-UA) of Ukraine has revealed recently that Chinese threat actors have publicly targeted their systems.

A custom backdoor known as HeaderTip has been linked to a Chinese-speaking threat actor named Scarab (aka UAC-0026), claimed by the cybersecurity analysts at cybersecurity firm SentinelOne.

Scarab has been tracking individuals worldwide since at least 2012. This includes American, Russian, and other targets. A prominent feature of Scieron is its use as a custom backdoor, which is thought to be the precursor to HeaderTip malware used in recent Ukrainian campaigns.

UAC-0026 (aka Scarab)

An alert from CERT-UA noted that a RAR file archive had been delivered:-

  • Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar

The above malicious archive contains an executable file with a lure document that drops the following DLL file and batch file:-

  • DLL file “officecleaner.dat”
  • Batch file “officecleaner”

A similar attack was spotted in September 2020, which CERT-UA named the malicious DLL ‘HeaderTip.’ While the Chinese threat actors have not previously targeted Ukraine publicly until the UAC-0026 activity.

Lure Documents

A Scarab campaign in September 2020 used lure documents titled “OSCE-wide Counter-Terrorism Conference 2020” in order to target Philippines nationals. And the OSCE stands for Organization for Security and Co-operation in Europe.

Reports from CERT-UA linked to a document disguised as a letter from Ukraine’s National Police, which concerned preserving video evidence of Russian military crimes.

Documents obtained through campaigns use Windows operating system and Chinese language settings, and metadata indicates what the original creator used. In addition, the system has been configured with the user name “用户” (user).


The malware has been loaded onto target systems using multiple methods. Loader executables contain PDF, batch installers, and HeaderTip malware, which are accessed via resource data.

As a first stage, the malware appears to be designed to deliver a second-stage payload that is more sophisticated and featured a Russian invasion-linked theme.

By using a batch file, HeaderTip DLL is defined, persistence is set under HKCU/Software/Microsoft/Windows/CurrentVersion/Run, and then HeaderTip is executed.

Several geopolitical intelligence agencies may be using Scarab for their purposes and the recent analysis claims that during the US withdrawal from Afghanistan this group has been observed targeting European diplomats.

Researchers noticed that various operating systems using Chinese language settings were used by the employed lure documents in various Scarab campaigns.

The HeaderTip malware is mainly written in C++, and it’s designed as a 32-bit DLL file that in total weighs around 9.7 KB in size. To fetch subsequent modules from a remote server the HeaderTip malware acts as a first-stage package, whose functionality is limited.

Moreover, the Senior Threat Researcher with SentinelOne, Tom Hegel stated:-

“Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles