Houthi-Aligned APT Targets Mideast Militaries With GuardZoo Spyware

Published: 23/11/2024   Category: security




Simple malware and simple TTPs play against a backdrop of complex geopolitical conflict in the Arab world.



A threat actor that may be aligned with Houthi rebels in Yemen has been spying on military targets throughout the Middle East for half a decade now.
Their weapon of war: a custom Android surveillanceware called GuardZoo. GuardZoo seems to have been used to steal potentially valuable intelligence relating to the actor's military enemies, including official documents, photos, and data relating to troop locations and movements.
GuardZoo attacks begin with malicious links distributed on WhatsApp and WhatsApp Business. The links lead to fake apps hosted outside of the Google Play store. Some pertain to generic themes, like The Holy Quran and Locate Your Phone, but most are military-oriented: Art of War, Constitution of the Armed Forces, and apps relating to specific organizations such as the Yemen Armed Forces and the Saudi Armed Forces Command and Staff College. These various apps all deliver the GuardZoo malware.
GuardZoo is essentially the leaked Dendroid RAT with some of the fat removed, retrofitted with dozens of commands fitting its proprietor's spying needs. That may partly explain why the campaign, which dates back to October 2019, is only now coming to light. "If somebody uses the same tooling as many other actors, then they can fly [under the radar] simply because they don't stick out," explains Christoph Hebeisen, Lookout director of security intelligence research.
Upon infection, GuardZoo's first actions always involve disabling local logging and exfiltrating all of the victim's files from the past seven years that match the KMZ, WPT (waypoint), RTE (route), and TRK (track) file extensions. Notably, these extensions all relate to GPS and mapping apps.
The malware can also facilitate the download of further malware, read information about the victim's machine, such as its model, cell service provider, and connection speed, and more.
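The harvesting behaviour described above can be turned into a simple defensive check. The following is an added example, not code from the article or from Lookout: it scans a constructed, hypothetical upload log for bulk transfers of the four GPS/mapping formats, ignoring files older than the seven-year window the malware itself uses, and flags devices that shipped several of them.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article says GuardZoo harvests: all GPS/mapping formats.
MAPPING_EXTS = {".kmz", ".wpt", ".rte", ".trk"}
# Reported collection window: files modified within the past seven years.
LOOKBACK = timedelta(days=7 * 365)

# Constructed sample upload log (hypothetical format, not from Lookout's report).
# Each record: <event_time> <device_id> <action> <path> mtime=<file_mtime>
SAMPLE_LOG = """\
2024-11-20T08:01:02 dev-a UPLOAD /sdcard/Download/patrol_route.kmz mtime=2023-05-01T10:00:00
2024-11-20T08:01:03 dev-a UPLOAD /sdcard/DCIM/IMG_0001.jpg mtime=2024-11-19T07:00:00
2024-11-20T08:01:05 dev-a UPLOAD /sdcard/gps/track_01.trk mtime=2022-02-14T09:30:00
2024-11-20T08:01:06 dev-a UPLOAD /sdcard/gps/old_track.trk mtime=2010-01-01T00:00:00
2024-11-20T09:15:00 dev-b UPLOAD /sdcard/Download/waypoints.WPT mtime=2024-01-10T12:00:00
2024-11-20T09:16:00 dev-c DOWNLOAD /sdcard/maps/area.kmz mtime=2024-01-10T12:00:00
"""

def parse_upload(line):
    """Return (event_time, device, path, mtime) for an UPLOAD record, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "UPLOAD" or not parts[4].startswith("mtime="):
        return None
    event_time = datetime.fromisoformat(parts[0])
    mtime = datetime.fromisoformat(parts[4][len("mtime="):])
    return event_time, parts[1], parts[3], mtime

def mapping_file_uploads(log_text):
    """Map device id -> uploaded mapping files modified within the lookback window.
    Extension matching is case-insensitive; older files are ignored, mirroring the malware's own filter."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_upload(line)
        if rec is None:
            continue
        event_time, device, path, mtime = rec
        ext = os.path.splitext(path)[1].lower()
        if ext in MAPPING_EXTS and event_time - mtime <= LOOKBACK:
            hits[device].append(path)
    return dict(hits)

def suspect_devices(hits, threshold=2):
    """Devices with at least `threshold` such uploads: GuardZoo sweeps in bulk,
    so one stray waypoint file is weaker evidence than a burst of them."""
    return sorted(d for d, paths in hits.items() if len(paths) >= threshold)
```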
To Hebeisen, "One thing that strongly indicates to us that it's military targeting [is] the hardcoded file extensions that are very mapping-related. That targeting, to me, indicates — given that they are involved in a military conflict — that they are likely looking for tactical information from the enemy."
The majority of the 450 affected IP addresses observed by Lookout were concentrated in Yemen, though they spanned Saudi Arabia, Egypt, the United Arab Emirates, Turkey, Qatar, and Oman as well.
The Houthi connection, specifically, is strengthened by the location of the malware's command-and-control (C2) server. It uses dynamic IP addresses, but with a telco provider that operates in a Houthi-controlled area. "It's a physical server — we got the serial number, and could actually trace it — and you likely wouldn't want to place a physical server in enemy territory," Hebeisen reasons.
Relative to the significance of its targets, actually defending against this campaign is quite simple. In a press release, Lookout emphasized the need for Android users to avoid apps hosted outside of Google Play, always keep their apps up to date, and be wary of excess permissions.
