JUST IN: Surveillanceware Campaign Targeting Middle Eastern Military Personnel


A surveillanceware campaign is targeting and collecting data from military personnel from Middle Eastern countries, researchers from cybersecurity company Lookout announced July 9.

Lookout’s threat intelligence team discovered the spyware in 2022 during a threat-hunting exercise, Alemdar Islamoglu, senior researcher at Lookout, said in an interview. The campaign started around October 2019 and is still active today, according to a blog post published by Lookout.

The surveillanceware campaign has been attributed to a Yemeni, Houthi-aligned actor, the Lookout blog stated. The campaign’s victims are primarily located in Yemen, Saudi Arabia, Egypt, Oman, the United Arab Emirates, Qatar and Turkey.

“In our observation, we think this is a very hands-on campaign, very targeted,” Islamoglu said.

The malware — called GuardZoo — used in the campaign can exfiltrate files from the device it is downloaded on, with a focus on photos and mapping apps with GPS locations or coordinates that may be related to tactical military operations. In addition, it can gather private details from the device like its location, model and WiFi configuration, Islamoglu said. Once on a device, it can extend its capabilities by downloading more binaries or apps and running them on the device as well.

Christoph Hebeisen, director of security intelligence research at Lookout, said that once the company began to track the threat and report on it, Lookout’s customers received the information, but the company has not directly been in touch with any of the countries or personnel targeted. It is unlikely that U.S. military personnel have been targeted by the campaign, he added.

“There's one big asterisk there that we have to add to that, and that is we might not have seen every single app that they have created,” Hebeisen said. “There might be ones that have different targeting now, and that's a difference for us between knowing the app and being able to detect it. We can detect it based on the content, but whatever skin they put on it to make it a good lure to their targets, we might not have seen all of those.”

Hebeisen said that this campaign “really underscores how mobile is a target, and it's an important target in conflicts everywhere in the world,” highlighting “the importance to protect mobile devices and to protect data wherever it is.”

It’s important “to keep in mind that data, really on any device, on any connected device in the world, will need some level of protection,” Hebeisen said. “As long as there's an adversary that wants to get at it, you need to protect it.”