GuardZoo (Trojan) – Malware

January 28, 2025

GuardZoo

Type of Malware

Trojan

Date of initial activity

2019

Targeted Countries

Egypt
Oman
Qatar
Saudi Arabia
Turkey
U.A.E.
Yemen

Motivation

Cyberwarfare

Attack Vectors

Phishing
Web Browsing

Targeted Systems

Android

Overview

GuardZoo is Android surveillanceware identified by Lookout and aimed at military personnel in several Middle Eastern countries, including Yemen, Saudi Arabia, Egypt, and Oman. First detected in October 2019, it remains active and continues to evolve, using military-themed lures to draw in its victims. It has been attributed to a Yemeni, Houthi-aligned threat actor, which places the campaign squarely within the region's geopolitical conflicts.

The malware is built on the well-known Dendroid RAT, heavily modified to extend its functionality and evade detection. It collects photographs, documents, GPS coordinates, and device details such as the handset model and cellular service provider, and it can also download and deploy additional payloads onto an infected device.

Distribution relies mainly on popular messaging platforms such as WhatsApp and on direct downloads from malicious websites. Because the targets are military personnel, a compromised handset can expose operationally sensitive information; GuardZoo is therefore a clear illustration of the risk mobile devices carry in military and governmental settings and of the need for stronger mobile security controls.

Targets

Public Administration

How they operate

GuardZoo is distributed through social engineering, using military-themed applications that appeal to its intended victims; lure titles relate to military strategy and training. Once installed, the malware contacts its command and control (C2) servers, which are hosted on dynamic DNS domains linked to YemenNet, to retrieve commands and begin collecting data.

At its core, GuardZoo is built on the Dendroid Remote Access Trojan (RAT), a commodity spyware whose source was initially leaked in 2014. The threat actor has substantially modified the codebase, adding capabilities and removing obsolete functions. The customised code accepts more than 60 commands from the C2 server, ranging from collecting files with specific extensions to monitoring GPS data, the latter being especially relevant to military personnel who rely on their handsets for operational planning.

Persistence is achieved through boot and logon autostart execution, so the malware survives reboots and keeps monitoring and collecting without interruption. GuardZoo can also download external DEX files from the C2 server and load them dynamically, changing or extending its functionality without a full application update; this modular design makes it more resilient to countermeasures.

Exfiltration is the other critical element of its operation. The malware collects photographs, documents, and metadata about files on the device, and specifically targets files with GPS-mapping extensions such as KMZ and WPT, which can provide valuable location intelligence. C2 communication runs over HTTPS, but the data in the request body is cleartext, so it can be read by anyone able to inspect the traffic.

In summary, GuardZoo illustrates how state-aligned actors combine social engineering for initial access with robust data collection, persistence, and remote command execution. Understanding how it operates is the basis for building effective defences against threats of this kind.
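The cleartext request body, dynamic-DNS C2 hosts, GPS-mapping file names and DEX downloads described above can all be scored from TLS-terminated proxy records. The following triage script is an added example, not code from Lookout or this site; the dynamic-DNS suffix list, the form keys and every sample record are assumptions or constructed data.

```python
"""Triage TLS-terminated HTTP records for GuardZoo-style cleartext C2 and
exfiltration traffic. Added example, not Lookout's or CyberMaterial's code.
Assumes each record is a dict with host, the decoded request body and
optionally the response body; every sample record below is constructed."""
import re
from urllib.parse import parse_qs

# Illustrative dynamic-DNS suffixes (assumption: extend from your own telemetry).
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".hopto.org", ".duckdns.org")
GPS_EXTENSIONS = (".kmz", ".wpt")                       # formats named in the profile
DEVICE_KEYS = {"model", "imei", "carrier", "operator"}  # assumed upload form keys
COORD_RE = re.compile(r"^-?\d{1,3}\.\d{3,}$")
DEX_MAGIC = b"dex\n"                                    # Dalvik executable header

def is_dyndns(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host.endswith(s) for s in DYNDNS_SUFFIXES)

def score_record(rec: dict) -> dict:
    """Weighted indicators; a total of 3 or more deserves an analyst's look."""
    hits = []                                           # (points, reason)
    if is_dyndns(rec["host"]):
        hits.append((1, "dynamic-DNS C2 host"))
    # The body is readable because nothing encrypts it inside the TLS session.
    fields = parse_qs(rec.get("body", ""))
    keys = {k.lower() for k in fields}
    if keys & DEVICE_KEYS:
        hits.append((1, "device profile: " + ",".join(sorted(keys & DEVICE_KEYS))))
    lat, lon = fields.get("lat", [""])[0], fields.get("lon", [""])[0]
    if COORD_RE.match(lat) and COORD_RE.match(lon):
        hits.append((1, "GPS coordinates in body"))
    for value in (v for values in fields.values() for v in values):
        if value.lower().endswith(GPS_EXTENSIONS):
            hits.append((2, f"GPS mapping file: {value}"))
    if rec.get("response_body", b"").startswith(DEX_MAGIC):
        hits.append((2, "DEX payload delivered (dynamic code loading)"))
    return {"host": rec["host"], "score": sum(p for p, _ in hits),
            "reasons": [r for _, r in hits]}

def suspicious(records, threshold: int = 3) -> list:
    """Return the findings at or above the alert threshold."""
    return [f for f in map(score_record, records) if f["score"] >= threshold]

SAMPLE_RECORDS = [  # constructed, not real observations
    {"host": "unit-updates.ddns.net",
     "body": "model=MODEL-PLACEHOLDER&carrier=CARRIER-PLACEHOLDER"
             "&lat=15.3694&lon=44.1910&file=patrol-route.kmz"},
    {"host": "unit-updates.ddns.net", "body": "id=7",
     "response_body": b"dex\n035\x00" + b"\x00" * 16},
    {"host": "api.example.com", "body": "username=alice&remember=1"},
]
```

Run `suspicious(SAMPLE_RECORDS)` to see the two constructed C2 records flagged and the ordinary login request ignored.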

MITRE Tactics and Techniques

  • Initial Access (T1078 – Valid Accounts): GuardZoo uses social engineering to lure victims into installing the malware, often through military-themed applications or messages that gain their trust.
  • Execution (T1203 – Exploitation for Client Execution): The payload runs when the victim interacts with the malicious content, for example by downloading and installing the application.
  • Persistence (T1547 – Boot or Logon Autostart Execution): GuardZoo ensures it persists on the device, surviving reboots and remaining active even after attempts to remove it.
  • Privilege Escalation (T1068 – Exploitation for Privilege Escalation): The malware may exploit vulnerabilities in the Android operating system to gain elevated privileges and reach more sensitive data and functions.
  • Credential Access (T1552 – Unsecured Credentials): By monitoring and collecting data, GuardZoo can exfiltrate sensitive credentials stored on the device.
  • Discovery (T1083 – File and Directory Discovery): The malware scans the device to identify and catalogue files, particularly those with extensions related to GPS and mapping.
  • Collection (T1005 – Data from Local System): GuardZoo collects documents, photos, and device location information.
  • Command and Control (T1071 – Application Layer Protocol): The malware communicates with its C2 servers over HTTPS, sending collected data and receiving commands.
  • Exfiltration (T1041 – Exfiltration Over Command and Control Channel): GuardZoo sends collected data back to the C2 server, delivering sensitive information to the threat actor.
  • Impact (T1499 – Endpoint Denial of Service): By deploying additional invasive payloads, GuardZoo can disrupt device functionality and create denial of service conditions for the user.

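The persistence and collection entries above (boot autostart, file and location collection, dynamic DEX loading) map onto traits that are visible in a decoded APK. The static triage below is an added example, not code from Lookout or this site; it assumes the manifest has already been decoded to XML (for instance with apktool) and that strings from classes.dex are supplied as a list, and the sample manifest and strings are constructed.

```python
"""Static triage of a decoded Android app for the persistence and
collection traits in the GuardZoo profile. Added example, not Lookout's
or CyberMaterial's code. Assumes a decoded manifest (e.g. from apktool)
and a list of strings pulled from classes.dex; both samples are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Permissions that together enable file, photo, location and device-profile collection.
COLLECTION_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE": "files/photos",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.READ_PHONE_STATE": "device/carrier identifiers",
}
# Class references that indicate code loaded at runtime from outside the APK.
DYNAMIC_LOAD_MARKERS = ("dalvik/system/DexClassLoader", "dalvik/system/PathClassLoader")

def triage(manifest_xml: str, dex_strings: list) -> dict:
    """Flag boot persistence, collection permissions and dynamic DEX loading."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    boot_receivers = [
        r.get(ANDROID_NS + "name") for r in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    return {
        "boot_persistence": BOOT_PERMISSION in perms and bool(boot_receivers),
        "boot_receivers": boot_receivers,
        "collection": sorted(v for k, v in COLLECTION_PERMS.items() if k in perms),
        "dynamic_dex_loading": any(m in s for s in dex_strings for m in DYNAMIC_LOAD_MARKERS),
    }

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Constructed Sample">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed strings as a `strings classes.dex` pass might surface them.
SAMPLE_DEX_STRINGS = ["Ldalvik/system/DexClassLoader;", "loadClass", "/update.dex"]
```

Calling `triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS)` reports boot persistence via `.BootReceiver`, file and GPS collection permissions, and a DexClassLoader reference.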
References:
  • Lookout Discovers Houthi Surveillanceware Targeting Middle Eastern Militaries
Tags: Android, Dendroid, Egypt, GuardZoo, Malware, Oman, Saudi Arabia, spyware, Trojans, Yemen