Skip Navigation
BlackBerry Blog

HeaderTip Backdoor: Watch BlackBerry Defeat It (Video)

Threat actors often take advantage of political turmoil. And this year, exploiting the invasion of Ukraine by playing on human emotions has become a primary theme. One example was documented by the Computer Emergency Response Team of Ukraine (CERT-UA), when it reported its findings on HeaderTip, a backdoor targeting Ukrainian infrastructure.

HeaderTip is believed to be tied to an APT group named Scarab, which has been linked to China. The threat group previously targeted the U.S. and Russia, but HeaderTip is Scarab’s first known attack targeting Ukraine after the Russian invasion. This backdoor is one of the first examples of attackers linked to China taking advantage of the war in Ukraine.

From a social engineering point of view, HeaderTip attacks take a similar approach to other malware such as SunSeed, utilizing the Ukraine invasion to manipulate individuals into falling for phishing attacks.

HeaderTip Backdoor Attack Chain

In this backdoor attack, a threat actor will send out a phishing email that contains a file, which claims to be from the National Police of Ukraine. A message in the file describes the need to preserve video evidence of crimes committed by the Russian military. When the EXE file is launched, HeaderTip covertly loads in the background.

This attack strategy feeds on the desire to discover and preserve information about the war, which can feel crucial to Ukrainian residents, those who have been forced to flee, and people in neighboring countries. Threat actors such as Scarab show no compunction about weaponizing this hostile situation.

BlackBerry Prevents HeaderTip Attacks

Watch our demo video below to learn more about HeaderTip attacks, and to see how BlackBerry prevents them using our AI-powered endpoint protection solution, CylancePROTECT®.

DEMO VIDEO: BlackBerry vs. HeaderTip Backdoor

Learn more about HeaderTip in our deep-dive blog, HeaderTip Backdoor Shows Attackers From China Preying on Ukraine

Figure 1 – Six versions of HeaderTip backdoor are pitted against CylancePROTECT.
Figure 2 – CylancePROTECT prevents all six versions of HeaderTip from accessing the target system, stopping each attack before it occurs.

BlackBerry Protects Against Malware Attacks

CylancePROTECT provides automated malware prevention, application and script control, memory protection, and device policy enforcement. This AI-based Endpoint Protection Platform (EPP) blocks cyberattacks and provides controls for safeguarding against sophisticated threats—no human intervention, internet connections, signature files, heuristics, or sandboxes required.

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at, or use our hand-raiser form.

Video Transcript

In this quick video, we are going to assess the temporal predictive advantage (TPA) that BlackBerry has against HeaderTip, a backdoor apparently tied to an APT group called Scarab which has been linked to China, which is actively exploiting the current situation in Ukraine. 

To conduct this test, we have prepared a system with a CylancePROTECT machine-learning engine from October 2015 with no internet connectivity or operating system updates since 2016.

We have collected six HeaderTip samples. Let’s copy them to our test system. We can see how our machine learning models are able to predict and prevent these threats in milliseconds, blocking them before they execute.

Prevention is possible, with BlackBerry.


Hector Diaz

About Hector Diaz

 Senior Technical Marketing Manager at BlackBerry

Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.

With over 15 years of experience in cybersecurity, Hector is a respected professional who is in-demand at trade shows, partner training and customer engagements across Latin America and the Caribbean Region.

Kalila Papanikolas

About Kalila Papanikolas

Kalila Papanikolas is an Editorial Intern at BlackBerry.