Years of Deception: ClearSyksec´s Report on a Houthi-Yemeni Influence Network

[Introduction]

This week on our blog, we are presenting a new report by ClearSkySec that highlights a compelling case of a long-term influence operation. (1) This operation has demonstrated remarkable flexibility in its strategy while maintaining a consistent underlying infrastructure. As always, our focus remains on analyzing hostile influence activities and their mechanisms of operation.

[Background and Development of the Operation]

ClearSkySec first uncovered the campaign in 2019, when it was initially directed against Israeli audiences. Between 2019 and 2022, the focus shifted towards the Gulf states, particularly Saudi Arabia and the United Arab Emirates. During this period, no targeted activities against Israel were detected. However, since late 2024, the campaign has again pivoted toward Israel. While the technical methods employed have changed little over time, a shift in content strategy has been observed: instead of disseminating fabricated news, the operators now copy and redistribute authentic content from reputable sources.

[Key Findings]

The campaign has remained continuously active since 2019, demonstrating consistency in its operational techniques. Thematically, it still revolves around gossip and entertainment content. While fabricated news dominated early, the current strategy relies on real content from Israeli news outlets and social media. Content distribution is mainly done through fake profiles embedded in open Israeli Facebook community groups, seamlessly blending campaign messages into regular user activity.

Many of the domains created in 2019 are still operational, pointing to a long-term strategy. The campaign offers content in both Hebrew and Arabic, addressing different regional audiences. However, while the Hebrew content appears relatively professional, the Arabic material often lacks authenticity. No indications of malware deployment or watering hole attacks have been observed to date. Although the campaign’s objectives remain unclear, the infrastructure can be repurposed at any time for spreading disinformation, inducing fear, or delivering malware.

[Tactics, Techniques, and Procedures of the Campaign]

The operation's fundamental tactic seems to blend invisibly into existing social media ecosystems, gaining users' trust over time. The operators likely do not aim for immediate disruption but rather for sustained, low-visibility presence, maximizing influence potential while minimizing the risk of detection.

To achieve this, a series of well-established techniques is employed. Fake news websites, such as gool-live[.]com, were created to publish copied content sourced from legitimate Israeli news outlets and social media posts. In parallel, fake Facebook pages like “Celebrity News” were set up to post teaser texts and clickbait links leading back to these fake websites. Numerous fake Facebook profiles support this infrastructure, typically with generic English or transliterated Arabic names. These profiles show minimal personal activity and are primarily used to disseminate campaign materials across various groups. 

The procedures underpinning the operation are systematic. First, infrastructure is stablished: domains are registered using privacy protection services and frequently moved between Yemeni hosting providers to obfuscate ownership. Authentic content is then systematically harvested from reliable sources and published on fake websites. The dissemination process begins through dedicated Facebook pages and continues via fake profiles infiltrating open Israeli Facebook groups. Once inside the groups, the operators share identical posts to maximize visibility and simulate organic engagement. Content is tailored linguistically, with Hebrew posts targeting Israeli users and Arabic content directed toward audiences in the Gulf states. Over time, the fake profiles are maintained with minimal but carefully timed activity to give the impression of organic growth.

[Conclusion]

The Houthi-Yemeni influence campaign demonstrates how long-term operations can adapt tactics while preserving stable infrastructure and objectives. It offers a concrete example of how influential activities are embedded within target communities over extended periods with minimal visibility. ClearSkySec’s current report provides insights for understanding the dynamics and persistence of such operations. We also recommend reviewing ClearSky’s earlier reports on related campaigns to gain a broader perspective on the tactics and methods used in hostile influence efforts. (2)

Footnotes

(1)       ClearSky Security Ltd, 2025. Houthi-Yemeni Influence Campaign. [online] Available at: https://www.clearskysec.com/wp-content/uploads/2025/04/Houthi-Influence-Campaign-april-2025.pdf

(2)    ClearSky Security Ltd, 2019. Yemen-Based Disinformation Campaign Distributing Fake News in Israel and the Arab World. [online] Available at: https://www.clearskysec.com/yemen-disinformation-campaign/, and ClearSky points out similarities to an Iranian operation in 2019: ClearSky Cyber Security, 2018. Global Iranian Disinformation Operation. [online] Available at: https://www.clearskysec.com/global-iranian-disinformation-operation/

DISCLAIMER

Copyright and License of Product 

This report (the "Product") is the property of Cyfluence Research Center gGmbH ("Cyfluence") and is protected by German and international copyright laws. The User is granted a limited, non-transferable license to use the Product solely for internal purposes. Reproduction, redistribution, or disclosure of the Product, in whole or in part, without prior written consent from Cyfluence is strictly prohibited. All copyright, trademark, and proprietary notices must be maintained.

Disclaimer of Warranties

The Product is provided "as is" without warranties of any kind, express or implied, including but not limited to warranties of merchantability or fitness for a particular purpose. Although Cyfluence takes reasonable measures to screen for viruses and harmful code, it cannot guarantee the Product is free from such risks.

Accuracy of Information 

The information in the Product has been obtained from sources believed to be reliable. However, Cyfluence does not guarantee the information's accuracy, completeness, or adequacy. The User assumes full responsibility for how they use and interpret the Product. Cyfluence is not liable for errors or omissions; opinions may change without notice.

Limitation of Liability

To the fullest extent permitted by law, Cyfluence shall not be liable for any direct, indirect, incidental, or consequential damages, including lost profits or data, arising from the use of or inability to use the Product, even if advised of such possibilities. Liability for intent or gross negligence remains unaffected under German law.

Indemnification

The User agrees to indemnify and hold harmless Cyfluence, its affiliates, licensors, and employees from any claims or damages arising from the User’s use of the Product or violation of these terms.

Third-Party Rights

The provisions regarding Disclaimer of Warranties, Limitation of Liability, and Indemnification extend to Cyfluence, its affiliates, licensors, and their agents, who have the right to enforce these terms.

Governing Law and Jurisdiction 

This Agreement is governed by German law, and any disputes shall be resolved exclusively in the courts of Berlin. If any provision is found invalid, the remaining terms remain in full effect.