{
	"id": "c53eccb9-4863-4d20-9fe6-eae4640e7e61",
	"created_at": "2026-04-06T00:14:16.304204Z",
	"updated_at": "2026-04-10T13:12:05.854947Z",
	"deleted_at": null,
	"sha1_hash": "dcee39325121932e15a3cea91f43f32a4d83831f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41665,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:39:25 UTC\r\n APT group: OilAlpha\r\nNames\r\nOilAlpha (Recorded Future)\r\nTAG-41 (Recorded Future)\r\nTAG-62 (Recorded Future)\r\nCountry Yemen\r\nMotivation Information theft and espionage\r\nFirst seen 2022\r\nDescription\r\n(Recorded Future) Since May 2022, Insikt Group has tracked an ongoing campaign by a threat\r\ngroup which is highly likely to have targeted entities associated with the non-governmental,\r\nmedia, international humanitarian, and development sectors. It is almost certain that the\r\nentities targeted shared an interest in Yemen, security, humanitarian aid, and reconstruction\r\nmatters. It is highly likely that OilAlpha threat actors were involved in espionage activity, as\r\nhandheld devices were targeted with remote access tools (RATs) like SpyNote and SpyMax.\r\nOur assessment of the victimology suggests that the majority of the targeted entities were\r\nArabic-language speakers and operated Android devices.\r\nObserved\r\nTools used njRAT, SpyMax, SpyNote RAT.\r\nInformation \u003chttps://go.recordedfuture.com/hubfs/reports/cta-2023-0516.pdf\u003e\r\nLast change to this card: 21 June 2023\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=425b11e0-adbb-4d6f-a5e0-169df11b15bf\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=425b11e0-adbb-4d6f-a5e0-169df11b15bf\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=425b11e0-adbb-4d6f-a5e0-169df11b15bf"
	],
	"report_names": [
		"showcard.cgi?u=425b11e0-adbb-4d6f-a5e0-169df11b15bf"
	],
	"threat_actors": [
		{
			"id": "ca3acede-fb02-418a-8f2b-a73d8c89eda7",
			"created_at": "2023-06-23T02:04:34.425347Z",
			"updated_at": "2026-04-10T02:00:04.787571Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [
				"TAG-41",
				"TAG-62"
			],
			"source_name": "ETDA:OilAlpha",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"Jorik",
				"SpyMax",
				"SpyNote",
				"SpyNote RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9802c44a-36d9-4e1e-9f37-76b89b3b61b0",
			"created_at": "2023-11-07T02:00:07.10244Z",
			"updated_at": "2026-04-10T02:00:03.408827Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [],
			"source_name": "MISPGALAXY:OilAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434456,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcee39325121932e15a3cea91f43f32a4d83831f.pdf",
		"text": "https://archive.orkl.eu/dcee39325121932e15a3cea91f43f32a4d83831f.txt",
		"img": "https://archive.orkl.eu/dcee39325121932e15a3cea91f43f32a4d83831f.jpg"
	}
}