HeaderTip

Malware

⚠️ Overview

HeaderTip is a backdoor trojan first identified by Proofpoint researchers in November 2022, attributed to the Iranian threat actor TA453 (also tracked as Charming Kitten or APT42). It operates as a PowerShell-based implant used primarily for intelligence gathering against academic, government, and media targets in the Middle East and North Africa.

🔧 Technical Capabilities

HeaderTip arrives via spear-phishing emails carrying a seemingly benign Microsoft Word document. When the recipient enables macros, the document downloads a decoy PDF for the user to read while the macro silently drops a PowerShell downloader. The downloader contacts a legitimate cloud storage service (e.g., Dropbox, OneDrive) and retrieves a second-stage payload that is carried in the HTTP response headers rather than the body; because the C2 channel rides on legitimate cloud storage APIs over HTTPS, the traffic blends with normal business use. Persistence is a scheduled task that re-launches the PowerShell loader at system startup. Evasion techniques include obfuscation of the PowerShell commands, base64-encoded strings, and sandbox checks on system uptime and disk size (short uptime and small disks are typical of analysis VMs). The implant writes no conventional DLL or EXE to disk: the only on-disk footprint is the launcher (the scheduled task and its encoded command line), while the second stage is decoded and executed in memory.

📜 History & Notable Incidents

First documented by Proofpoint in November 2022, HeaderTip was used in a campaign targeting a Middle Eastern journalist and a U.S.-based academic researcher specializing in Iran policy. A second campaign in March 2023 targeted an Israeli research institute and a U.S. think tank. No CVEs are associated with HeaderTip: initial access depends on the victim enabling a macro, not on a software vulnerability, and Microsoft's default blocking of VBA macros in files downloaded from the internet (marked with the Mark of the Web) in current Office versions blunts this vector. No law enforcement action specifically against HeaderTip operators has been made public.

🔍 Detection Indicators

Known network IOCs include HTTP requests to Dropbox and OneDrive APIs with a User-Agent string mimicking Chrome on Windows 10 (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36). That string is identical to what real Chrome sends, so on its own it is not a discriminating indicator; the useful hunt is for that traffic originating from powershell.exe rather than a browser. Behavioral signatures include PowerShell executing encoded commands launched from Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and scheduled tasks named after legitimate Windows components (e.g., "WindowsUpdate") whose action is a PowerShell command line. No file hashes for the implant itself are publicly attributed to HeaderTip because the second stage is memory-resident; hashes of the lure documents are available in Proofpoint's blog.

☠️ Risk & Impact

HeaderTip enables persistent remote access for credential theft, document exfiltration, and keylogging. The primary impact is intellectual property theft and operational intelligence gathering against targeted individuals. Affected sectors include academia, journalism, and government policy research, primarily in the Middle East. Financial losses are not publicly documented, but the threat to privacy and national security is significant.

🛡️ Mitigation

Defenders should block macros in files from the internet via Group Policy and enable the Attack Surface Reduction rules that stop Office applications from launching child processes or creating executable content, which breaks the macro-to-PowerShell hand-off. PowerShell's execution policy is not a security boundary (the implant simply passes -ExecutionPolicy Bypass), so restrict scripting instead with Constrained Language Mode enforced through AppLocker or WDAC, and turn on Script Block Logging and Module Logging so encoded commands are recorded in clear text for EDR and SIEM detection. Proofpoint recommends monitoring for HTTP requests to cloud storage APIs with encoded parameters and using email security gateways to block the phishing lures. MITRE ATT&CK techniques covered by the behaviour described above include T1566.001 (Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1059.001 (PowerShell), T1027 (Obfuscated Files or Information), T1497 (Virtualization/Sandbox Evasion), T1053.005 (Scheduled Task), T1547.001 (Registry Run Keys / Startup Folder) and T1102 (Web Service).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.