{
	"id": "71f01992-1aa6-4c0a-8766-9d2ebc96eedd",
	"created_at": "2026-04-06T00:09:43.772351Z",
	"updated_at": "2026-04-10T13:12:08.200222Z",
	"deleted_at": null,
	"sha1_hash": "c406cf060408a4ca22040c5780c6f48e77be63e3",
	"title": "OilAlpha: Learn How Zimperium MTD Protects Against This New Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35154,
	"plain_text": "OilAlpha: Learn How Zimperium MTD Protects Against This New Threat\r\nBy Nicolás Chiaraviglio\r\nPublished: 2023-05-18 · Archived: 2026-04-05 16:08:28 UTC\r\nAt Zimperium, we’re always on the lookout for emerging threats that could potentially harm our customers. One such threat, recently identified by Recorded Future, is the OilAlpha group. This group has been linked to pro-Houthi threat actors and has been actively targeting entities across the Arabian Peninsula since May 2022.\r\nThe OilAlpha group primarily targets entities in the non-governmental, media, international humanitarian, and development sectors. Their modus operandi includes launching social engineering attacks via encrypted chat messengers such as WhatsApp, using URL shorteners to disguise links, and delivering malicious Android applications. They have been seen targeting individuals who share an interest in Yemen’s political and security developments, particularly those involved in humanitarian aid and reconstruction efforts.\r\nThe group uses a variety of malware to carry out their attacks, including SpyNote, SpyMax, and njRAT. These spyware tools have a wide range of capabilities:\r\nSpyNote and SpyMax are feature-rich Android spyware capable of installing arbitrary apps, gathering SMS messages, calls, videos and audio recordings, tracking GPS location, and hindering efforts to uninstall the malicious app.\r\nnjRAT, on the other hand, is capable of performing surveillance or even taking control of the infected system. Its capabilities include logging keystrokes, capturing screenshots, stealing passwords, exfiltrating data, accessing webcams and microphones, and downloading additional files.\r\nWhile these threats are significant, we want to reassure our customers that Zimperium is prepared and vigilant. Our on-device dynamic detection engine detects all samples reported in Recorded Future’s blog with zero-day coverage: no update was required, and detection relied entirely on the machine-learning component of the engine.\r\nMoreover, our web content filtering correctly identifies 94% of all reported URLs used in the attack (these belong to a cluster of dynamic DNS hosts used as C2 servers), rendering the bulk of the campaign’s infrastructure ineffective against our customers.\r\nWe believe in proactively protecting our customers from all kinds of threats. Our continuous monitoring and threat intelligence capabilities allow us to respond promptly to new threats, while our robust security infrastructure provides a strong defense against established ones.\r\nThe safety of our customers is our top priority, and we are committed to keeping you safe from the OilAlpha group and other similar threats.\r\nFor more information on how Zimperium’s customers are protected, visit https://www.zimperium.com/mtd/ or contact us today.\r\nSource: https://www.zimperium.com/blog/zimperium-mtd-against-oilalpha-a-comprehensive-defense-strategy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zimperium.com/blog/zimperium-mtd-against-oilalpha-a-comprehensive-defense-strategy/"
	],
	"report_names": [
		"zimperium-mtd-against-oilalpha-a-comprehensive-defense-strategy"
	],
	"threat_actors": [
		{
			"id": "ca3acede-fb02-418a-8f2b-a73d8c89eda7",
			"created_at": "2023-06-23T02:04:34.425347Z",
			"updated_at": "2026-04-10T02:00:04.787571Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [
				"TAG-41",
				"TAG-62"
			],
			"source_name": "ETDA:OilAlpha",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"Jorik",
				"SpyMax",
				"SpyNote",
				"SpyNote RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9802c44a-36d9-4e1e-9f37-76b89b3b61b0",
			"created_at": "2023-11-07T02:00:07.10244Z",
			"updated_at": "2026-04-10T02:00:03.408827Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [],
			"source_name": "MISPGALAXY:OilAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434183,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c406cf060408a4ca22040c5780c6f48e77be63e3.pdf",
		"text": "https://archive.orkl.eu/c406cf060408a4ca22040c5780c6f48e77be63e3.txt",
		"img": "https://archive.orkl.eu/c406cf060408a4ca22040c5780c6f48e77be63e3.jpg"
	}
}