Houthi Cyber Activities: A Deep Dive into Threats and Influence Operations

Houthi Cyber Threat Profile

The Houthis, a Yemen-based militant group, have escalated their cyber operations, posing significant threats to regional stability and global security, including targeting the United States and its Department of Defense (DoD). This article explores their mobile espionage campaigns, infrastructure tactics, robust influence operations, and key leadership personas, providing actionable insights as of March 17, 2025.

1. Mobile Espionage Campaigns: Houthi Cyber Threats Unveiled

The Houthis leverage mobile malware to infiltrate targets, a growing concern for cybersecurity experts. Veritech Consulting offers tailored defenses against such threats.

  • OilAlpha Group: Since April 2022, this Houthi-aligned group has deployed SpyNote and SpyMax via WhatsApp, targeting humanitarian organizations like CARE International and Saudi entities to steal credentials and manipulate aid flows [Reference: Recorded Future, “OilAlpha: Pro-Houthi Militant Group Targets Arabian Peninsula with Mobile Malware,” November 14, 2024].
    • The Hacker News: Highlights mobile malware surges in conflict zones [Summary: “Mobile Malware Surge in 2024 Targets Vulnerable Regions,” January 2025].
    • Cybernews: Notes WhatsApp as a spyware vector [Summary: “Cheap Spyware Fuels Cybercrime in the Middle East,” February 2025].
  • GuardZoo Malware: Active since 2019, this campaign uses a Dendroid RAT variant to target military personnel across Yemen, Saudi Arabia, Egypt, and Oman (450+ victims), extracting photos, documents, and mapping files [Reference: Lookout, “GuardZoo: Houthi-Aligned Mobile Malware Targets Middle Eastern Military Personnel,” August 2022].
    • Malpedia: Lists GuardZoo as Iran-backed [Summary: “Dendroid RAT and Variants,” accessed March 2025].
    • OTX AlienVault: Ties GuardZoo to military lures [Summary: “GuardZoo Malware Indicators,” updated February 2025].

Table 1: OilAlpha vs. GuardZoo – Houthi Cyber Threats Compared

| Aspect | OilAlpha | GuardZoo |
| --- | --- | --- |
| Start Date | April 2022 | 2019 |
| Malware | SpyNote, SpyMax | Dendroid RAT (GuardZoo) |
| Targets | Humanitarian orgs, media, political | Military personnel |
| Region | Arabian Peninsula | Yemen, Saudi Arabia, Egypt, Oman |
| Delivery Method | WhatsApp | WhatsApp, browser downloads |
| Data Stolen | Credentials, intelligence | Photos, documents, mapping files |
| Victim Count | Not specified | 450+ |

2. Infrastructure and Tactics: Decoding Houthi Cyber Operations

The Houthis exploit local infrastructure for cyberattacks, a tactic organizations can counter with advanced network security solutions.

  • Yemeni Infrastructure: Utilizing Yemen’s Public Telecommunication Corporation and dynamic DNS, the Houthis power operations like OilAlpha [Reference: Recorded Future, November 14, 2024].
    • ISC SANS Data Links: Notes dynamic DNS abuse in conflict zones [Summary: “Dynamic DNS in Cyber Operations,” March 2025].
    • CISA News-Events: Warns of telecom exploitation [Summary: “Telecom Infrastructure Risks,” January 2025].
  • Social Engineering: OilAlpha and GuardZoo use WhatsApp to deceive users [Reference: Lookout, August 2022].
    • SecurityWeek: Highlights Middle East social engineering trends [Summary: “Social Engineering Trends in 2025,” February 2025].

3. Influence Operations: Houthi Propaganda Tactics Analyzed

Houthi influence operations blend digital and traditional media to shape narratives and destabilize adversaries—a key focus for Veritech Consulting’s disinformation defense strategies.

  • Control of Digital Space:
    • YemenNet and “.ye” Domain: Since 2014, the Houthis have controlled Yemen’s ISP and domain, filtering content and managing online presence [Reference: Middle East Institute, “The Houthis’ Media Machine: Propaganda and Influence in Yemen,” January 2023].
    • Social Media Campaigns: Twitter/X campaigns with prewritten tweet boards flood hashtags (e.g., #USHandsOffYemen) during 2023-2024 Red Sea attacks, framing U.S./U.K. actions as imperialist [Reference: CyberWire Daily Briefing, “Iranian Proxies Amplify Online Influence,” March 10, 2025].
      • Eurepoc Table View: Tracks Houthi Twitter bots with slogans like “Death to America” [Summary: “Influence Operations Database,” accessed March 2025].
      • X Activity: @AnsarallahYemen posts (March 15, 2025) claim U.S. asset victories with doctored media.
  • Traditional Media:
    • Al-Masirah TV: Trusted by 60% in Houthi areas, it broadcasts anti-Western narratives from Sanaa and Beirut [Reference: Sana’a Center for Strategic Studies, “Yemen’s Information War: The Houthi Media Strategy,” March 2024].
    • Radio and Print: Rural outreach glorifies leaders and vilifies the U.S.-Saudi coalition.
  • Propaganda Goals:
    • Domestic Legitimacy: Spinning 2024 Red Sea ops as strength with slogans like “The Americans will not defeat us.”
    • International Support: 2023-2025 Red Sea attacks align with Palestine, gaining traction on Telegram and X [Source: X Post, @HouthiMedia, November 2024].
    • Psychological Warfare: Exaggerated claims (e.g., MQ-9 Reaper downing, March 2025) undermine U.S. credibility [Source: X Post, @MutahirMustafa_, March 16, 2025].
  • Tactics and Execution:
    • Content Creation: Iranian/Hezbollah-assisted videos (e.g., 2024 U.S. warship hit, 500,000 views) spread via YouTube and X [Reference: Middle East Institute, January 2023].
    • Disinformation: False U.S. bio-weapons lab claims persist despite debunking [Reference: Sana’a Center, March 2024].
    • Iranian Coordination: IRGC-style hashtag hijacking enhances reach [Reference: CyberWire, March 10, 2025].

Table 2: Houthi Influence Tools for Cybersecurity Analysis

| Tool | Purpose | Platform | Reach |
| --- | --- | --- | --- |
| YemenNet | Internet filtering, site control | National ISP | Houthi-held Yemen |
| “.ye” Domain | Manage web presence | DNS | National |
| Twitter/X Campaigns | Narrative amplification | Social Media | Global, 100k+ followers |
| Al-Masirah TV | Anti-West propaganda | TV/Media | 60% trust in Houthi areas |
| Radio/Print | Rural outreach | Local Media | Rural Yemen |
| Telegram | Encrypted coordination | Messaging | Regional supporters |

4. Personas of Key Leaders: OilAlpha and GuardZoo

Understanding leadership is critical for countering Houthi cyber threats—Veritech Consulting excels in threat actor profiling.

  • OilAlpha Leader: “The Humanitarian Manipulator”
    • Profile: Mid-30s to 40s male, Arabic-speaking, Sanaa-based, with Iranian technical training.
    • Background: Ex-IT professional turned Houthi operative, possibly linked to IRGC cyber units.
    • Motivation: Controls aid via NGO targeting, anti-Western zeal.
    • Tactics: WhatsApp malware, SpyNote/SpyMax deployment [Reference: Recorded Future, November 14, 2024].
  • GuardZoo Leader: “The Military Tracker”
    • Profile: Late 20s to 30s male, Yemen-based, military background.
    • Background: Houthi loyalist with Iranian-supplied coding skills.
    • Motivation: Tracks military movements for tactical advantage.
    • Tactics: GuardZoo with military lures, custom C2 backend [Reference: Lookout, August 2022].

Table 4: OilAlpha and GuardZoo Leader Personas

| Aspect | OilAlpha Leader | GuardZoo Leader |
| --- | --- | --- |
| Alias | “Humanitarian Manipulator” | “Military Tracker” |
| Age | Mid-30s to 40s | Late 20s to 30s |
| Base | Sanaa | Yemen, near frontlines |
| Background | IT, Iranian training | Military, Iranian aid |
| Motivation | Aid control, anti-West | Military intel, revenge |
| Key Tool | SpyNote/SpyMax | GuardZoo (Dendroid RAT) |

5. External Support: Iran’s Role in Houthi Cyber Threats

Iranian backing amplifies Houthi capabilities—Veritech Consulting tracks state-sponsored threats.

  • OilAlpha may involve Iranian operators; ISTAR data aids maritime attacks [Reference: Recorded Future, November 14, 2024; Atlantic Council, “Iran’s Role in Yemen’s Cyber and Maritime Operations,” October 2023].
    • MITRE ATT&CK Groups: Links Iran to mobile malware [Summary: “Iranian Threat Groups,” updated March 2025].
    • Google Spreadsheet (CrowdStrike): Notes Iran’s proxy support [Summary: “Adversary Universe Spreadsheet,” accessed March 2025].

6. Strategic Objectives: Why It Matters

  • Espionage: Military monitoring [Reference: Lookout, August 2022].
    • ISC SANS Threat Feed: Logs Middle East espionage [Summary: “Threat Feed Updates,” March 2025].
  • Aid Manipulation: Targets humanitarian groups [Reference: Recorded Future, November 14, 2024].
  • Regional Disruption: Supports Iran’s “Axis of Resistance” [Reference: Atlantic Council, October 2023].

7. History of Houthi Targeting of the U.S. and DoD

The Houthis’ anti-U.S. stance drives both physical and cyber aggression:

  • 2016: Anti-ship missiles at USS Mason and USS Nitze [Source: X Post, @Doha104p3, December 21, 2023].
  • 2023-2025: 174 claimed attacks post-October 7, 2023, including USS Mason (November 26, 2023) and destroyers (November 11, 2024) [Sources: The Washington Institute, December 7, 2023; ISW, November 13, 2024; X Post, @tamarahoward, March 16, 2025].
  • U.S. Response: Operation Prosperity Guardian (December 2023), strikes in January 2024, B-2 hits in October 2024 [Sources: DoD, February 3, 2024; October 16, 2024].

Table 3: Houthi Attacks on U.S. and DoD Targets

| Date | Target | Method | Outcome |
| --- | --- | --- | --- |
| 2016 | USS Mason, USS Nitze | Anti-ship cruise missiles | Intercepted; radar sites hit |
| November 26, 2023 | USS Mason | Ballistic missiles | Missed, splashed 16 km away |
| November 11, 2024 | Two U.S. Navy destroyers | Drones, ballistic, cruise | Intercepted by DoD |

Limitations and Context

Houthi reliance on commodity malware highlights vulnerabilities that can be exploited [Reference: Lookout, August 2022].

  • CyberNewsWire: Notes proxy group limits [Summary: “Non-State Cyber Actors in 2025,” March 2025].
  • CISA Cybersecurity Advisories: Highlights mobile risks [Summary: “Mobile Threat Advisory,” February 2025].

Protect Your Organization with Veritech Consulting

Houthi cyber threats—spanning espionage, influence ops, and U.S./DoD targeting—demand robust cybersecurity solutions. At Veritech Consulting, we provide expert analysis, threat profiling, and defense strategies to safeguard against these and other emerging risks. Contact us at veritech.consulting to secure your future today.
