OilAlpha group targeting Arabian Android users

Target Industry

Developmental, humanitarian and media organisations.


The groups TAG-41 and TAG-62 (also known as OilAlpha) have been observed targeting Arabian-based Android users via social engineering and the remote access trojans “NJRAT” and “SpyNote”. The attacks are believed to be part of a cyber espionage campaign against various targets, such as humanitarian and media-based organisations.


Successful exploitation by OilAlpha could lead to exfiltration of sensitive operational information of humanitarian workers and journalists. This could be used to execute armed assaults on individuals involved with the targeted organisations with potential for loss of life.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against remote access trojan threats like NJRAT and SpyNote. EDRs can alert system users to potential breaches and stop further progress before the malware can cause significant damage.

Affected Products

Android OS.

Containment, Mitigations & Remediations

To help prevent initial access attempts through social engineering, effective and regular training for all staff to identify malicious messages is recommended where possible.

All devices should be kept up to date, as updates include the most recent security patches, which help prevent exploitation of known vulnerabilities.

As previously mentioned, the implementation of an EDR solution will help mitigate and contain threats in real time in order to prevent or limit the damage that attacks can cause to the organisation.

Indicators of Compromise

“SpyNote” associated files (SHA256):

  • e08da72431a91099ef721333af8f2a4c
  • 788008b98d8bff8f880b888c29ddddfa7b02e1a49243caf97ee3af8d3646e890
  • c3ee6bc6f4e23981757b452c7b0236048a48b9c875f4d5e25266f8262fe208c5
  • a51334ad82fbdbd4e2f1483b57eccf42
  • d6cf06cd34f50317131591268d23ef266c01bf3f758893568f10204825cc3369
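One way to use a hash list like the one above in a triage script, as an added example that is not part of the original bulletin: the list contains both 64-character values (the length of a SHA-256 digest) and 32-character values (the length of an MD5 digest), so the sketch computes both digests for each file in one pass and matches on whichever length applies. The function names, the `*.apk` pattern and the sample files and indicators in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

ALGO_BY_LENGTH = {32: "md5", 64: "sha256"}  # algorithm implied by hex length


def load_indicators(lines):
    """Sort raw indicator lines into {algorithm: set of hex digests}."""
    indicators = {algo: set() for algo in ALGO_BY_LENGTH.values()}
    rejected = []
    for raw in lines:
        value = raw.strip(" \t\r\n•").lower()
        algo = ALGO_BY_LENGTH.get(len(value))
        if algo and re.fullmatch(r"[0-9a-f]+", value):
            indicators[algo].add(value)
        elif value:
            rejected.append(value)  # wrong length or not hex: report, never guess
    return indicators, rejected


def file_digests(path, chunk_size=1 << 20):
    """Read the file once and return {algorithm: hex digest}."""
    hashers = {algo: hashlib.new(algo) for algo in ALGO_BY_LENGTH.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def scan(root, indicators, pattern="*.apk"):
    """Return (file name, algorithm) for each file whose digest is an indicator."""
    return [(path.name, algo)
            for path in sorted(Path(root).rglob(pattern)) if path.is_file()
            for algo, digest in file_digests(path).items()
            if digest in indicators[algo]]


def demo():
    """Constructed sample: three harmless files, two of them listed as indicators."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a.apk", "b.apk", "clean.apk"):
            Path(tmp, name).write_bytes(b"constructed sample " + name.encode())
        sha = file_digests(Path(tmp, "a.apk"))["sha256"]
        md5 = file_digests(Path(tmp, "b.apk"))["md5"]
        indicators, rejected = load_indicators([f"  • {sha.upper()}", md5, "not-a-hash"])
        return scan(tmp, indicators), rejected
```

Rejected entries are returned rather than silently dropped, so a truncated or mistyped indicator shows up during review instead of producing a false sense of coverage.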

Threat Landscape

Smartphones, particularly those running the open source Android operating system, have grown in popularity and have become a prime target for attacks, as many individuals store large amounts of personal information on them, which can be exploited.

As Android usage in the Arabian Peninsula is so extensive, it has become a natural target for attackers in the region, such as the OilAlpha group. These attacks are part of a global increase in politically motivated attacks on organisations for monetary or reputational gain for state-sponsored or militant groups.

MITRE Methodologies

Initial Access

T1566 – Phishing

T1091 – Replication Through Removable Media


Execution

T1106 – Native API

T1059.001 – Command and Scripting Interpreter: PowerShell

T1059.003 – Command and Scripting Interpreter: Windows Command Shell


Persistence

T1624.001 – Event Triggered Execution: Broadcast Receivers

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Defence Evasion

T1562.004 – Impair Defenses: Disable or Modify System Firewall

T1070.004 – Indicator Removal: File Deletion

T1070.009 – Indicator Removal: Clear Persistence

T1112 – Modify Registry

T1027 – Obfuscated Files or Information

T1027.004 – Compile After Delivery

Credential Access

T1555.003 – Credentials from Password Stores: Credentials from Web Browsers

T1056.001 – Input Capture: Keylogging


Discovery

T1010 – Application Window Discovery

T1083 – File and Directory Discovery

T1120 – Peripheral Device Discovery

T1057 – Process Discovery

T1012 – Query Registry

T1018 – Remote System Discovery

T1082 – System Information Discovery

T1033 – System Owner/User Discovery

T1430 – Location Tracking

Lateral Movement

T1021.001 – Remote Services: Remote Desktop Protocol


Collection

T1005 – Data from Local System

T1113 – Screen Capture

T1125 – Video Capture

T1429 – Audio Capture

T1636.003 – Protected User Data: Contact List

T1636.004 – Protected User Data: SMS Messages

Command and Control

T1071.001 – Application Layer Protocol: Web Protocols

T1571 – Non-Standard Port

T1105 – Ingress Tool Transfer

T1132.001 – Data Encoding: Standard Encoding

T1568.001 – Dynamic Resolution: Fast Flux DNS


Exfiltration

T1041 – Exfiltration Over C2 Channel

Further Information

OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users



Intelligence Terminology Yardstick