OilAlpha

OilAlpha, a cyber threat group believed to be associated with Yemen's Houthi movement, has been engaged in a cyber espionage campaign since May 2022. The group primarily targets development, humanitarian, media, and non-governmental organizations operating in the Arabian Peninsula. Using encrypted chat messengers like WhatsApp, OilAlpha launches social engineering attacks to steal victim data and credentials. The group is known for its use of malicious applications disguised as legitimate entities, including a suspicious Android file named "Cash Incentives.apk" discovered in June 2024. Infrastructure used by OilAlpha has been traced back to the Public Telecommunication Corporation (PTC), a Yemeni government-owned entity under the control of Houthi-aligned officials. The group's operations have included targeting individuals attending Saudi Arabian government-led negotiations and using spoofed Android applications mimicking entities tied to the Saudi Arabian government and a UAE humanitarian organization, among others. This suggests an ongoing effort by OilAlpha to control the distribution of humanitarian aid in Yemen. Furthermore, OilAlpha operates a credential theft portal hosted on the domain kssnew[.]online, indicating a more extensive cyber espionage network. While the potential for OilAlpha to manipulate or destroy data could lead to operational disruption, the more likely scenario is personal identifiable information (PII) theft, which could result in legal or compliance failures for targeted organizations. Speculatively, this access to data may be part of a broader strategy by the OilAlpha group to win local support amid ongoing civil war conditions by improving public services.