10 July 2024

Hackers linked to Houthi rebels target Middle East militaries with GuardZoo spyware


A hacking campaign attributed to Houthi-aligned threat actors has been actively targeting military personnel across the Middle East with a novel spyware strain named GuardZoo since October 2019.

The surveillance operation came to light when security firm Lookout uncovered a GuardZoo command-and-control (C2) server exposed online.

GuardZoo's name is derived from a piece of source code that enables persistence on the device, with other components named using animal-related themes such as AnimalCoop and MainZoo. The malware is based on Dendroid RAT, a commodity spyware that has been in use for at least a decade.

GuardZoo is designed to collect a wide array of data from infected Android devices, including photos, documents, coordinate data files related to marked locations, routes, and tracks, as well as the device’s location, model, cellular service carrier, and Wi-Fi configuration. The spyware can also download and install additional applications on the infected device, potentially introducing new invasive capabilities.

Upon infecting a device, GuardZoo connects to the command-and-control server and typically sends four commands to every new victim, including deactivating local logging and uploading metadata for all files. This enables the attackers to maintain a high level of surveillance and control over the compromised devices.

The campaign has targeted militaries in seven Middle Eastern countries, including Saudi Arabia, Oman, Egypt, Yemen, the UAE, Qatar, and Turkey.

Lookout's analysis revealed more than 450 IP addresses belonging to victims, primarily located in these nations. The attackers have been distributing GuardZoo via WhatsApp, WhatsApp Business, and direct browser downloads. In some cases, victims were lured by content featuring religious-themed prayer apps or e-book themes.
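The distribution channels described above (WhatsApp attachments and direct browser downloads) all bypass an app store, so one cheap fleet-wide check is to list every package whose recorded installer is not a trusted store. The script below is an added example written for this article, not Lookout's tooling and not a GuardZoo artefact: it parses the output of `adb shell pm list packages -i` and `adb shell pm list packages -s`, and flags non-system packages that were not installed from Google Play. The sample output and the `com.example.*` package names are constructed placeholders; the trusted-installer set is an assumption to extend for an enterprise MDM or OEM store.

```python
"""Flag Android packages installed outside a trusted app store.

Added example for this article (not Lookout's code, not malware code).
Input is the text printed by `pm list packages -i` and `pm list packages -s`;
the samples below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# Installers treated as trusted stores. Assumption: Google Play only; add an
# MDM or OEM store package name here if your fleet uses one.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# `pm list packages -i` prints one line per package, e.g.
#   package:com.whatsapp  installer=com.android.vending
# and `installer=null` when no installer was recorded.
PM_INSTALLER_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")
# `pm list packages -s` prints only preloaded system packages.
PM_SYSTEM_RE = re.compile(r"^package:(?P<pkg>\S+)$")

# Constructed sample output; the com.example.* names are placeholders that echo
# the prayer-app and e-book lure themes, not real GuardZoo package names.
SAMPLE_INSTALLER_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.android.chrome  installer=null
package:com.example.prayertimes  installer=com.google.android.packageinstaller
package:com.example.ebookreader  installer=null
"""
SAMPLE_SYSTEM_OUTPUT = """\
package:com.android.chrome
"""


def parse_installer_output(lines: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm reports null)."""
    packages: Dict[str, Optional[str]] = {}
    for line in lines:
        m = PM_INSTALLER_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        installer = m.group("installer")
        packages[m.group("pkg")] = None if installer == "null" else installer
    return packages


def parse_system_output(lines: Iterable[str]) -> Set[str]:
    """Collect the preloaded system package names from `pm list packages -s`."""
    system: Set[str] = set()
    for line in lines:
        m = PM_SYSTEM_RE.match(line.strip())
        if m:
            system.add(m.group("pkg"))
    return system


def find_sideloaded(packages: Dict[str, Optional[str]],
                    system_packages: Set[str],
                    trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return non-system packages whose installer is not a trusted store.

    Edge case: preloaded system apps also report installer=null, so they are
    excluded via the -s listing instead of being reported as sideloads. A
    user-sideloaded APK shows either installer=null or the system package
    installer, depending on Android version and install path.
    """
    return sorted(
        pkg for pkg, installer in packages.items()
        if pkg not in system_packages and installer not in trusted
    )


if __name__ == "__main__":
    pkgs = parse_installer_output(SAMPLE_INSTALLER_OUTPUT.splitlines())
    system = parse_system_output(SAMPLE_SYSTEM_OUTPUT.splitlines())
    for pkg in find_sideloaded(pkgs, system):
        print(f"sideloaded: {pkg} (installer={pkgs[pkg]})")
```

In practice, capture the two listings with `adb shell pm list packages -i` and `adb shell pm list packages -s` from each managed device and feed them to the two parsers; anything reported is a candidate for review against the device owner's expectations, not proof of compromise.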

Lookout has attributed the observed activity to a Yemeni Houthi-aligned group, based on the application lures, exfiltrated data, targeting, and the location of the command-and-control infrastructure.

In a separate report, Recorded Future’s Insikt Group detailed cyber operations of another pro-Houthi hacker group, OilAlpha, which targets humanitarian and human rights organizations operating in Yemen, including CARE International and the Norwegian Refugee Council, with malicious Android apps. These apps are designed to steal credentials and collect intelligence, potentially to control aid distribution.
