GuardZoo
GuardZoo is an Android surveillanceware operated by a Houthi-aligned threat actor, targeting military personnel across the Middle East since October 2019. Lookout disclosed the campaign in July 2024, identifying over 450 unique victim IP addresses primarily in Yemen, Saudi Arabia, Egypt, Oman, the UAE, Qatar, and Turkey. GuardZoo is built on Dendroid RAT, an open-source Android RAT whose source code was leaked publicly in 2014. The operators heavily modified Dendroid's codebase, adding over 60 new commands, replacing the original PHP web panel with a custom ASP.NET backend, and tailoring the collection priorities toward military intelligence: the malware automatically uploads all KMZ, WPT, RTE, and TRK files (map data, waypoints, routes, tracks) from the device without requiring a specific command.
Overview
| Attribute | Details |
|---|---|
| First Seen | October 2019 |
| Last Seen | Active as of July 2024 |
| Status | Active |
| Type | Surveillanceware, military espionage |
| Attribution | Houthi-aligned Yemeni threat actor |
| Distribution | WhatsApp, WhatsApp Business, direct browser download |
Origin and Lineage
GuardZoo descends directly from Dendroid RAT, a commodity Android RAT that was leaked online in 2014. Dendroid offered basic remote access capabilities and was widely used by low-sophistication actors due to its open-source availability. GuardZoo's operators took the Dendroid codebase and performed extensive modifications: unused functions were stripped out, new surveillance commands were added (expanding the command set to over 60), and the entire C2 backend was rebuilt.
The most significant infrastructure change was replacing Dendroid's original PHP web panel with a custom C2 built on ASP.NET, served through IIS 10. Despite this rebuild, the C2 URLs retain ".php" extensions in their paths, a remnant of the Dendroid heritage. Communication between the implant and C2 occurs over HTTPS, though the request body data is transmitted in cleartext.
Lookout had been tracking Dendroid RAT since before 2022, which led to the identification of GuardZoo as a distinct fork with purpose-built military intelligence collection capabilities.
Distribution
GuardZoo spreads primarily through WhatsApp and WhatsApp Business, with secondary distribution via direct browser downloads. The lure apps use military and religious themes designed to appeal to armed forces personnel in the target region.
| Vector | Details |
|---|---|
| WhatsApp / WhatsApp Business | Primary distribution channel; APKs shared in chats and groups |
| Direct browser download | Secondary vector; victims directed to download pages |
| Military-themed lures | Apps named "Constitution of the Armed Forces," "Limited, Commander and Staff," "Restructuring of the New Armed Forces" |
| Religious-themed lures | Prayer and Islamic content apps used as secondary themes |
| E-book lures | Apps disguised as military reference e-books |
Attack Flow
- Target receives a WhatsApp message containing or linking to a military-themed app (training manuals, armed forces reference materials, or religious content)
- Target downloads and installs the APK
- GuardZoo connects to the C2 server and registers the device
- By default, the malware immediately begins uploading all KMZ, WPT, RTE, and TRK files created since June 24, 2017
- The operator issues additional commands from the 60+ command set for targeted data collection
- The operator can deploy additional malware to the device through GuardZoo's download capability
The WhatsApp distribution is particularly effective in the target environment. Military personnel in the region commonly share documents and apps through WhatsApp groups, making a military-themed app shared by a colleague or in a unit group chat a highly credible lure.
Capabilities
Core Features
| Capability | Implementation |
|---|---|
| Map/GPS file collection | Automatically uploads KMZ, WPT, RTE, TRK files (waypoints, routes, tracks, map overlays) created since June 2017 |
| Photo exfiltration | Collects photos from the device |
| Document theft | Extracts documents and files from storage |
| Location tracking | Captures device GPS coordinates |
| Device profiling | Reports device model, cellular carrier, Wi-Fi configuration |
| Additional malware deployment | Can download and install further payloads on the compromised device |
| Over 60 C2 commands | Extensive remote control via custom command set |
Military Intelligence Focus
The automatic collection of mapping files is GuardZoo's defining feature from an intelligence perspective. KMZ files (Keyhole Markup Language, compressed) contain geographic annotations, map overlays, and location markers. WPT (waypoint), RTE (route), and TRK (track) files store GPS navigation data. For military personnel, these files represent operational planning data: patrol routes, checkpoint locations, base coordinates, and movement patterns.
The default collection threshold of files created since June 24, 2017 means GuardZoo sweeps up years of accumulated geographic data on first infection, providing the operator with historical military movement patterns in addition to current operational data.
C2 Architecture
| Component | Details |
|---|---|
| Backend | Custom ASP.NET application on IIS 10 |
| Protocol | HTTPS (transport encryption), cleartext request body |
| Legacy artifacts | URL paths retain ".php" extensions from Dendroid heritage |
| Command set | Over 60 distinct commands |
The cleartext request body over HTTPS means that while the transport layer is encrypted, the data structure itself is not obfuscated. Anyone who can inspect the traffic after TLS termination, including at the C2 server itself, sees the raw data. This suggests the operators prioritized a functional C2 over layered encryption, consistent with the modified-commodity-RAT approach.
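One way to turn the two C2 artifacts above (an IIS 10/ASP.NET backend answering on ".php" paths) into a hunting heuristic over TLS-inspected proxy logs. This is an added example, not Lookout's detection logic; the pipe-delimited log format, the `.invalid` hostnames and the client addresses are constructed for illustration, not real indicators.

```python
"""Hunting heuristic for GuardZoo-style C2 in TLS-inspected proxy logs. The C2
is ASP.NET on IIS 10 yet its URL paths keep Dendroid's ".php" extensions, so a
PHP-looking path answered by an IIS/ASP.NET server is worth a second look.
Added example, not Lookout's detection logic; the pipe-delimited log format and
the .invalid hostnames are constructed, not any product's schema or real IoCs."""
import re
from urllib.parse import urlsplit

IIS10_SERVER = re.compile(r"^Microsoft-IIS/10\.", re.IGNORECASE)
ASPNET_POWERED = re.compile(r"ASP\.NET", re.IGNORECASE)

# Constructed sample: timestamp|client|method|url|Server header|X-Powered-By header
SAMPLE_LOG = """\
2024-07-01T08:00:01Z|10.0.0.21|POST|https://c2.example.invalid/api/register.php|Microsoft-IIS/10.0|ASP.NET
2024-07-01T08:00:05Z|10.0.0.21|POST|https://c2.example.invalid/api/upload.php|Microsoft-IIS/10.0|ASP.NET
2024-07-01T08:01:10Z|10.0.0.33|GET|https://blog.example.invalid/wp-login.php|Apache/2.4.57|PHP/8.2
2024-07-01T08:02:00Z|10.0.0.40|GET|https://intranet.example.invalid/Default.aspx|Microsoft-IIS/10.0|ASP.NET
2024-07-01T08:03:00Z|10.0.0.21|GET|https://cdn.example.invalid/app.js|nginx|-
"""

def parse_line(line):
    ts, client, method, url, server, powered = line.split("|", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "server": server, "powered_by": powered}

def is_php_path_on_dotnet(rec):
    """True when the path looks like PHP but the response headers say IIS 10/ASP.NET."""
    php_path = urlsplit(rec["url"]).path.lower().endswith(".php")
    dotnet = IIS10_SERVER.search(rec["server"]) or ASPNET_POWERED.search(rec["powered_by"])
    return php_path and bool(dotnet)

def hunt(log_text):
    """Map each client that triggered the heuristic to the hosts it hit."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_php_path_on_dotnet(rec):
            flagged.setdefault(rec["client"], set()).add(urlsplit(rec["url"]).hostname)
    return {client: sorted(hosts) for client, hosts in flagged.items()}

if __name__ == "__main__":
    for client, hosts in hunt(SAMPLE_LOG).items():
        print(f"{client}: php paths served by IIS/ASP.NET at {', '.join(hosts)}")
```

PHP does run on IIS via FastCGI, so a hit is a triage lead to pivot on (client, host, and what the cleartext body carried), not a verdict.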
Technical Details
Dendroid Modifications
GuardZoo's operators made substantial changes to the Dendroid RAT source:
| Aspect | Dendroid RAT (Original) | GuardZoo (Modified) |
|---|---|---|
| C2 backend | PHP web panel | Custom ASP.NET on IIS 10 |
| Command set | Basic RAT commands | Over 60 commands |
| Auto-collection | None | Automatic KMZ/WPT/RTE/TRK upload |
| Unused functions | Full Dendroid feature set | Stripped to reduce footprint |
| Target profile | Generic | Military personnel |
File Extension Targeting
The automatic collection targets specific file extensions used by GPS and mapping applications:
| Extension | Data Type |
|---|---|
| KMZ | Google Earth data (compressed KML), contains placemarks, overlays, geographic annotations |
| WPT | Waypoint files, GPS coordinate markers for specific locations |
| RTE | Route files, ordered sequences of waypoints defining a path |
| TRK | Track files, recorded GPS movement logs showing actual traveled paths |
These file types are commonly generated by military GPS devices, mapping applications, and navigation software. Collecting them provides the operator with both planned operations (routes, waypoints) and historical movements (tracks).
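For incident response, the default rule (the four extensions above, files created since June 24, 2017) can be replayed against an exported copy of the device storage to scope what the implant would have uploaded on first check-in. This is an added triage example, not code from Lookout or from the malware; it assumes the export is a local directory and uses modification time as a stand-in for creation time, since Android external storage rarely preserves birth time.

```python
"""IR triage after a GuardZoo infection: list what the implant's default rule
(upload every KMZ/WPT/RTE/TRK created since 2017-06-24) would have taken from
an exported copy of device storage. Added example, not Lookout's or the
malware's code; the export is assumed to be a local directory, and modification
time stands in for creation time, which Android external storage rarely keeps."""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

AUTO_UPLOAD_EXTENSIONS = {".kmz", ".wpt", ".rte", ".trk"}
CUTOFF = datetime(2017, 6, 24, tzinfo=timezone.utc)

def exposed_files(root, cutoff=CUTOFF):
    """Sorted (relative path, size) pairs matching the default collection rule."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in AUTO_UPLOAD_EXTENSIONS:
            continue
        st = path.stat()
        if datetime.fromtimestamp(st.st_mtime, tz=timezone.utc) >= cutoff:
            hits.append((path.relative_to(root).as_posix(), st.st_size))
    return sorted(hits)

def summarize(root, cutoff=CUTOFF):
    """Per-extension counts plus total bytes, for the incident report."""
    hits = exposed_files(root, cutoff)
    by_ext = Counter(Path(rel).suffix.lower() for rel, _ in hits)
    return {"files": len(hits), "bytes": sum(s for _, s in hits), "by_ext": dict(by_ext)}

def build_sample_export() -> str:
    """Constructed sample export (test data): mixed years and file types."""
    root = Path(tempfile.mkdtemp())
    samples = {"Download/patrol.kmz": 2019, "gps/base.wpt": 2018, "gps/old.trk": 2016,
               "gps/route.rte": 2020, "gps/Recent.TRK": 2023, "notes.txt": 2021}
    for rel, year in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(f"sample {rel}")  # content is irrelevant to the rule
        ts = datetime(year, 1, 1, tzinfo=timezone.utc).timestamp()
        os.utime(p, (ts, ts))  # backdate to the chosen year
    return str(root)

if __name__ == "__main__":
    root = build_sample_export()
    for rel, size in exposed_files(root):
        print(f"{size:>6} B  {rel}")
    print(summarize(root))
```

Point `exposed_files` at the real export to get the list of files whose contents (routes, waypoints, tracks) must be treated as compromised; the 2016 track in the sample is excluded only because the default cutoff is a date, and an operator-issued command could still have pulled it later.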
Target Regions
| Region | Details |
|---|---|
| Yemen | Primary target, highest concentration of victims |
| Saudi Arabia | Significant number of military personnel targeted |
| Egypt | Military targets |
| Oman | Military targets |
| UAE | Military targets |
| Qatar | Military targets |
| Turkey | Military targets |
Lookout identified over 450 victim IP addresses across these countries, with the majority located in Yemen. The targeting pattern aligns with Houthi intelligence priorities: the Yemeni civil war pits Houthi forces against a Saudi-led coalition that includes personnel from all the listed countries. Many identified victims appear to be members of pro-Hadi (anti-Houthi) forces.
Notable Campaigns
October 2019: GuardZoo operations begin. The campaign starts with military-themed lure apps distributed through WhatsApp to armed forces personnel in Yemen and neighboring countries.
2019-2024: The campaign runs continuously for nearly five years, accumulating over 450 victims across seven Middle Eastern countries. Distribution relies on WhatsApp sharing within military circles, with lure apps regularly updated to match current military and religious themes.
July 2024: Lookout publicly discloses GuardZoo, detailing the Dendroid RAT lineage, Houthi attribution, military targeting, and automatic GPS/mapping file collection. The research reveals one of the longest-running mobile espionage campaigns attributed to a non-state conflict actor.
Related Families
GuardZoo's lineage from Dendroid RAT places it in the category of modified open-source tools repurposed for targeted operations. NGate follows a similar pattern, repurposing the academic NFCGate tool for criminal use. SpyNote represents another case where a publicly available RAT builder has been adopted by actors ranging from script kiddies to focused espionage operators.
GuardZoo's military-focused surveillance capabilities place it alongside PJobRAT, which also targets military personnel with fake apps distributed through social channels. Both families rely on social engineering for initial access, target specific professional communities, and prioritize intelligence collection over financial fraud. The key difference is GuardZoo's sustained five-year campaign duration, which far exceeds PJobRAT's operational windows.
In terms of espionage capability, GuardZoo operates below the level of commercial spyware like Pegasus or Predator, which use exploit chains for zero-click or one-click installation. GuardZoo compensates with targeted social engineering through trusted channels (WhatsApp groups within military units), achieving access through trust rather than technical exploitation. The approach resembles AridSpy's social engineering model, where trojanized functional apps are used to gain access to specific communities.