Years of Deception: ClearSyksec´s Report on a Houthi-Yemeni Influence Network

[Introduction]

This week on our blog, we are presenting a new report by ClearSkySec that highlights a compelling case of a long-term influence operation. (1) This operation has demonstrated remarkable flexibility in its strategy while maintaining a consistent underlying infrastructure. As always, our focus remains on analyzing hostile influence activities and their mechanisms of operation.

[Background and Development of the Operation]

ClearSkySec first uncovered the campaign in 2019, when it was initially directed against Israeli audiences. Between 2019 and 2022, the focus shifted towards the Gulf states, particularly Saudi Arabia and the United Arab Emirates. During this period, no targeted activities against Israel were detected. However, since late 2024, the campaign has again pivoted toward Israel. While the technical methods employed have changed little over time, a shift in content strategy has been observed: instead of disseminating fabricated news, the operators now copy and redistribute authentic content from reputable sources.

[Key Findings]

The campaign has remained continuously active since 2019, demonstrating consistency in its operational techniques. Thematically, it still revolves around gossip and entertainment content. While fabricated news dominated early, the current strategy relies on real content from Israeli news outlets and social media. Content distribution is mainly done through fake profiles embedded in open Israeli Facebook community groups, seamlessly blending campaign messages into regular user activity.

Many of the domains created in 2019 are still operational, pointing to a long-term strategy. The campaign offers content in both Hebrew and Arabic, addressing different regional audiences. However, while the Hebrew content appears relatively professional, the Arabic material often lacks authenticity. No indications of malware deployment or watering hole attacks have been observed to date. Although the campaign’s objectives remain unclear, the infrastructure can be repurposed at any time for spreading disinformation, inducing fear, or delivering malware.

[Tactics, Techniques, and Procedures of the Campaign]

The operation's fundamental tactic seems to blend invisibly into existing social media ecosystems, gaining users' trust over time. The operators likely do not aim for immediate disruption but rather for sustained, low-visibility presence, maximizing influence potential while minimizing the risk of detection.

To achieve this, a series of well-established techniques is employed. Fake news websites, such as gool-live[.]com, were created to publish copied content sourced from legitimate Israeli news outlets and social media posts. In parallel, fake Facebook pages like “Celebrity News” were set up to post teaser texts and clickbait links leading back to these fake websites. Numerous fake Facebook profiles support this infrastructure, typically with generic English or transliterated Arabic names. These profiles show minimal personal activity and are primarily used to disseminate campaign materials across various groups. 

The procedures underpinning the operation are systematic. First, infrastructure is stablished: domains are registered using privacy protection services and frequently moved between Yemeni hosting providers to obfuscate ownership. Authentic content is then systematically harvested from reliable sources and published on fake websites. The dissemination process begins through dedicated Facebook pages and continues via fake profiles infiltrating open Israeli Facebook groups. Once inside the groups, the operators share identical posts to maximize visibility and simulate organic engagement. Content is tailored linguistically, with Hebrew posts targeting Israeli users and Arabic content directed toward audiences in the Gulf states. Over time, the fake profiles are maintained with minimal but carefully timed activity to give the impression of organic growth.

[Conclusion]

The Houthi-Yemeni influence campaign demonstrates how long-term operations can adapt tactics while preserving stable infrastructure and objectives. It offers a concrete example of how influential activities are embedded within target communities over extended periods with minimal visibility. ClearSkySec’s current report provides insights for understanding the dynamics and persistence of such operations. We also recommend reviewing ClearSky’s earlier reports on related campaigns to gain a broader perspective on the tactics and methods used in hostile influence efforts. (2)

Footnotes

(1)       ClearSky Security Ltd, 2025. Houthi-Yemeni Influence Campaign. [online] Available at: https://www.clearskysec.com/wp-content/uploads/2025/04/Houthi-Influence-Campaign-april-2025.pdf

(2)    ClearSky Security Ltd, 2019. Yemen-Based Disinformation Campaign Distributing Fake News in Israel and the Arab World. [online] Available at: https://www.clearskysec.com/yemen-disinformation-campaign/, and ClearSky points out similarities to an Iranian operation in 2019: ClearSky Cyber Security, 2018. Global Iranian Disinformation Operation. [online] Available at: https://www.clearskysec.com/global-iranian-disinformation-operation/