{
	"id": "4d7537d8-2079-4dfe-acf1-30c25e9f7800",
	"created_at": "2026-04-06T00:19:06.813265Z",
	"updated_at": "2026-04-10T03:36:07.154059Z",
	"deleted_at": null,
	"sha1_hash": "ac00829fb9120f5a3f6ba07eb69d351a97c9084d",
	"title": "Chinese Threat Actor Scarab Targeting Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1512459,
	"plain_text": "Chinese Threat Actor Scarab Targeting Ukraine\r\nBy Tom Hegel\r\nPublished: 2022-03-24 · Archived: 2026-04-05 21:18:22 UTC\r\nExecutive Summary\r\nUkraine CERT (CERT-UA) has released new details on UAC-0026, which SentinelLabs confirms is associated with the suspected Chinese threat actor known as Scarab.\r\nThe malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began.\r\nScarab has conducted a number of campaigns over the years, making use of a custom backdoor originally known as Scieron, which may be the predecessor to HeaderTip.\r\nWhile technical specifics vary between campaigns, the actor generally makes use of phishing emails containing lure documents relevant to the target, ultimately leading to the deployment of HeaderTip.\r\nUAC-0026\r\nOn March 22nd 2022, CERT-UA published alert #4244, where they shared a quick summary and indicators associated with a recent intrusion attempt from an actor they dubbed UAC-0026. In the alert, CERT-UA noted the delivery of a RAR file archive \"Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar\", which translates to “On the preservation of video recordings of criminal actions of the army of the Russian Federation.rar”. Additionally, they note the archive contains an executable file, which opens a lure document, and drops the DLL file \"officecleaner.dat\" and a batch file \"officecleaner\". CERT-UA has named the malicious DLL ‘HeaderTip’ and notes similar activity was recorded in September 2020.\r\nThe UAC-0026 activity is the first public example of a Chinese threat actor targeting Ukraine since the invasion began. While there has been a marked increase in publicly reported attacks against Ukraine over the last week or so, these and all prior attacks have otherwise originated from Russian-backed threat actors.\r\nRough timeline of recent Ukrainian conflict cyber activity\r\nhttps://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/\r\nPage 1 of 6\r\nConnection of HeaderTip to Scarab APT\r\nScarab has a relatively long history of activity based on open source intelligence. The group was first identified in 2015, while the associated IOCs are archived on OTX. As noted in the previous research, Scarab has operated since at least 2012, targeting a small number of individuals across the world, including Russia, United States, and others. The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.\r\nDuring our review of the infrastructure and HeaderTip malware samples shared by CERT-UA, we identified relations between UAC-0026 and Scarab APT.\r\nWe assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group.\r\nAn initial link can be made through the design of the malware samples and their associated loaders from at least 2020. Further relationships can be identified through the reuse of actor-unique infrastructure between the malware families associated with the groups:\r\n508d106ea0a71f2fd360fda518e1e533e7e584ed (HeaderTip – 2021)\r\n121ea06f391d6b792b3e697191d69dc500436604 (Scieron – 2018)\r\nDynamic.ddns[.]mobi (Reused C2 Server)\r\nAs noted in the 2015 reporting on Scarab, there are various indications the threat actor is Chinese speaking. Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes.\r\nLure Documents\r\nAnalysis of lure documents used for initial compromise can provide insight into those being targeted and particular characteristics of their creator. For instance, in a September 2020 campaign targeting suspected Philippines individuals, Scarab made use of lure documents titled “OSCE-wide Counter-Terrorism Conference 2020”. For context, OSCE is the Organization for Security and Co-operation in Europe.\r\nSeptember 2020 Scarab APT Lure Document Content\r\nMore recently, industry colleagues have noted a case in which Scarab was involved in a campaign targeting European diplomatic organizations during the US withdrawal from Afghanistan.\r\nThe lure document reported by CERT-UA mimics the National Police of Ukraine, themed around the need to preserve video materials of crimes conducted by the Russian military.\r\nUkraine Targeting Lure Document\r\nLure documents through the various campaigns contain metadata indicating the original creator is using the Windows operating system in a Chinese language setting. This includes the system’s username set as “用户” (user).\r\nMalware and Infrastructure\r\nMultiple methods have been in use to attempt to load the malware onto the target system. In the case of the 2020 documents, the user must enable document Macros. In the most recent version from CERT-UA, the executable loader controls the install with the help of a batch file while also opening the lure document. The loader executable itself contains the PDF, batch installer, and HeaderTip malware as resource data.\r\nThe batch file follows a simple set of instructions to define the HeaderTip DLL, set persistence under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, and then execute HeaderTip. Exports called across the HeaderTip samples have been HttpsInit and OAService, as shown here.\r\nofficecleaner.bat File Contents\r\nThe HeaderTip samples are 32-bit DLL files, written in C++, and roughly 9.7 KB. The malware itself will make HTTP POST requests to the defined C2 server using the user agent: \"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\". General functionality of HeaderTip is rather limited to beaconing outbound for updates, potentially so it can act as a simple first stage malware waiting for a second stage with more capabilities.\r\nScarab has repeatedly made use of dynamic DNS services, which means C2 server IPs and subdomains should not be considered related. In fact, some of the dynamic DNS services used by Scarab can easily link one to various unrelated APT groups, such as the infamous CloudHopper report or 2015 bookworm malware blogs. While those may be associated with Chinese APTs, it may indicate more of a standard operating toolkit and approach rather than shared technical resources.\r\nConclusion\r\nWe assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group and represents the first publicly-reported attack on Ukraine from a non-Russian APT. The HeaderTip malware and associated phishing campaign utilizing Macro-enabled documents appears to be a first-stage infection attempt. At this point in time, the threat actor’s further objectives and motivations remain unclear.\r\nIndicators of Compromise\r\nIOC | Description\r\nproduct2020.mrbasic[.]com | March 2022 C2 Server\r\n8cfad6d23b79f56fb7535a562a106f6d187f84cf | March 2022 Ukraine file delivery archive “Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar”\r\ne7ef3b033c34f2ac2772c15ad53aa28599f93a51 | March 2022 Loader Executable “officecleaner.dat”\r\nfdb8de6f8d5f8ca6e52ce924a72b5c50ce6e5d6a | March 2022 Ukraine lure document “#2163_02_33-2022.pdf”\r\n4c396041b3c8a8f5dd9db31d0f2051e23802dcd0 | March 2022 Ukraine batch file “officecleaner.bat”\r\n3552c184281abcc14e3b941841b698cfb0ec9f1d | March 2022 Ukraine HeaderTip sample “httpshelper.dll”\r\nebook.port25[.]biz | September 2020 C2 Server\r\nfde012fbcc65f4ab84d5f7d4799942c3f8792cc3 | September 2020 file delivery archive “Joining Instructions IMPC 1.20 .rar”\r\ne30a24e7367c4a82d283c7c68cff5739319aace9 | September 2020 lure document “Joining Instructions IMPC 1.20 .xls”\r\n5cc8ce82fc21add608277384dfaa8139efe8bea5 | September 2020 HeaderTip samples based on C2 use\r\nmert.my03[.]com | September 2020 C2 Server\r\n90c4223887f10f8f9c4ac61f858548d154183d9a | September 2020 file delivery archive “OSCE-wide Counter-Terrorism Conference 2020.zip”\r\n82f8c69a48fa1fa23ff37a0b0dc23a06a7cb6758 | September 2020 lure document “OSCE-wide Counter-Terrorism Conference 2020”\r\nb330cf088ba8c75d297d4b65bdbdd8bee9a8385c | September 2020 HeaderTip sample “officecleaner.dll”\r\n83c4a02e2d627b40c6e58bf82197e113603c4f87 | HeaderTip (Possible researcher)\r\n508d106ea0a71f2fd360fda518e1e533e7e584ed | HeaderTip\r\ndynamic.ddns[.]mobi | C2 Server, overlaps with Scieron (b5f2cc8e8580a44a6aefc08f9776516a)\r\nSource: https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/"
	],
	"report_names": [
		"chinese-threat-actor-scarab-targeting-ukraine"
	],
	"threat_actors": [
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8386d4af-5cca-40bb-91d7-aca5d1a0ec99",
			"created_at": "2022-10-25T16:07:23.414558Z",
			"updated_at": "2026-04-10T02:00:04.588816Z",
			"deleted_at": null,
			"main_name": "Bookworm",
			"aliases": [],
			"source_name": "ETDA:Bookworm",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Scieron",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775792167,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac00829fb9120f5a3f6ba07eb69d351a97c9084d.pdf",
		"text": "https://archive.orkl.eu/ac00829fb9120f5a3f6ba07eb69d351a97c9084d.txt",
		"img": "https://archive.orkl.eu/ac00829fb9120f5a3f6ba07eb69d351a97c9084d.jpg"
	}
}