Chinese Threat Actor Scarab Targeting Ukraine

Ukraine CERT (CERT-UA) ties the Chinese threat actor Scarab to UAC-0026, marking one of the first publicly reported Ukraine-targeted operations by a non-Russian APT. The campaign centers on a HeaderTip backdoor delivered via macro-enabled lure documents and a loader, with infrastructure reuse and multiple IOCs described.
#Scarab #HeaderTip #Ukraine #UAC0026

Keypoints

  • CERT-UA links the intrusions to Scarab APT with high confidence, noting Scarab’s activity in Ukraine since the invasion.
  • Scarab’s backdoor has evolved from Scieron to HeaderTip, used across multiple campaigns historically.
  • Initial access relies on phishing emails with lure documents; macro-enabled documents are required to execute the payload.
  • The loader suite uses a batch file to define a DLL (HeaderTip), establish Run-key persistence, and launch the backdoor.
  • HeaderTip is a 32‑bit DLL that beacons to a C2 server via HTTP POST, using a specific user agent.
  • Scarab frequently uses dynamic DNS services for C2 infrastructure, complicating attribution and IP-based blocking.
  • Shared infrastructure and design signals link the UAC-0026 activity to Scarab and indicate Chinese-speaking origins with geopolitical intelligence purposes.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Phishing emails containing lure documents relevant to the target, ultimately leading to the deployment of HeaderTip. “phishing emails containing lure documents relevant to the target, ultimately leading to the deployment of HeaderTip.”
  • [T1204.002] User Execution: Malicious File – The user must enable document Macros to run the loader. “the user must enable document Macros.”
  • [T1547.001] Boot or Logon Autostart: Registry Run Keys/Startup Folder – Persistence set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and then executing HeaderTip. “set persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run”
  • [T1059.003] Windows Command Shell – The batch file loads and executes the backdoor; batch file content defines the DLL and runs the payload. “The batch file follows a simple set of instructions to define the HeaderTip DLL, set persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and then execute HeaderTip.”
  • [T1071.001] Web Protocols – C2 communications via HTTP POST to the defined C2 server (beaconing/updates). “beaconing outbound for updates” and “HTTP POST requests to the defined C2 server”
  • [T1071.004] DNS: Domain Name System – Use of dynamic DNS services to reach C2 infrastructure (dynamic DNS domains). “Scarab has repeatedly made use of dynamic DNS services, which means C2 server IP… should not be considered related.”

Indicators of Compromise

  • [Domain] C2 servers – dynamic.ddns[.]mobi, product2020.mrbasic[.]com, ebook.port25[.]biz
  • [Hash] SHA-1 – 8cfad6d23b79f56fb7535a562a106f6d187f84cf, e7ef3b033c34f2ac2772c15ad53aa28599f93a51
  • [Hash] SHA-1 – fdb8de6f8d5f8ca6e52ce924a72b5c50ce6e5d6a, 4c396041b3c8a8f5dd9db31d0f2051e23802dcd0
  • [File] OfficeLoader artifacts – officecleaner.dat, officecleaner.bat, and officecleaner.dll (HeaderTip)
  • [Archive] Lure archives – “Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar” (Ukraine-targeting), “OSCE-wide Counter-Terrorism Conference 2020.zip”
  • [Lure Document] Lure documents – “Ukraine Targeting Lure Document”, “Joining Instructions IMPC 1.20 .xls”
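As an added example (not from the SentinelOne report or CERT-UA), the following script turns the Run-key persistence, HTTP POST beaconing and IOCs summarised above into two simple detection checks run over constructed sample telemetry. The log line format, the value name "OfficeCleaner" and the file paths are assumptions; only the domains, artifact names and Run key come from the page. The page does not list the HeaderTip user agent, so the HTTP check matches on host and method only.

```python
from dataclasses import dataclass

# Indicators taken from the page above; domains are defanged there, refanged here.
C2_DOMAINS = {d.replace("[.]", ".") for d in (
    "dynamic.ddns[.]mobi", "product2020.mrbasic[.]com", "ebook.port25[.]biz")}
LOADER_ARTIFACTS = ("officecleaner.dat", "officecleaner.bat", "officecleaner.dll")
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"

# Constructed sample telemetry in a hypothetical "kind|field|field..." shape:
#   reg  -> registry value written: key\valuename|data
#   http -> outbound request:        method|host|path
SAMPLE_EVENTS = [
    r"reg|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OfficeCleaner|C:\Users\u\AppData\Roaming\officecleaner.bat",
    r"reg|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "http|POST|product2020.mrbasic.com|/",
    "http|GET|www.example.org|/index.html",
    "http|POST|dynamic.ddns.mobi|/",
]

@dataclass
class Alert:
    technique: str
    reason: str

def check_registry(key: str, data: str):
    """T1547.001: a Run-key value whose data names one of the OfficeLoader files."""
    if key.lower().startswith(RUN_KEY) and any(a in data.lower() for a in LOADER_ARTIFACTS):
        return Alert("T1547.001", f"Run-key persistence pointing at loader artifact: {data}")
    return None

def check_http(method: str, host: str):
    """T1071.001: HTTP POST to a known C2 host (or a subdomain of one).
    Match the hostname, not the resolved IP: Scarab's dynamic DNS domains
    change address frequently, so IP-based blocking decays quickly."""
    host = host.lower().rstrip(".")
    hit = any(host == d or host.endswith("." + d) for d in C2_DOMAINS)
    if hit and method.upper() == "POST":
        return Alert("T1071.001", f"HTTP POST beacon to Scarab C2 domain: {host}")
    return None

def scan(events):
    """Run both checks over the event list and return the alerts in order."""
    alerts = []
    for ev in events:
        kind, *f = ev.split("|")
        alert = check_registry(f[0], f[1]) if kind == "reg" else \
                check_http(f[0], f[1]) if kind == "http" else None
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.technique, a.reason)
```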

Read more: https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/