Houthi Influence Campaign: Deceptive Tactics on Facebook Target Israel and Gulf States

In a recent cybersecurity analysis, ClearSky’s team uncovered a persistent influence campaign originating from Yemen/Houthi, targeting Israel and Gulf states. The campaign, initially exposed in 2019, has demonstrated a prolonged effort in building a complex infrastructure of fake websites, Facebook pages, and social media profiles.

What makes this operation uniquely insidious is its camouflage: the campaign relies on gossip-style news content, copied from legitimate Israeli media sources, and published on fake websites. These articles are then reposted using forged Facebook personas inside real Israeli community groups.

“The Facebook group created by the campaign operators publishes short posts with a link (clickbait)… where the copied article appears.”

Fake domains like gool-live[.]com host these articles in Hebrew for Israeli audiences and Arabic for Gulf state readers, attempting to blend into both linguistic ecosystems.

The operation makes extensive use of fabricated assets:

• Fake Facebook pages, such as “Celebrity News” (“חדשות סלבריטאים”), are seeded with cloned articles and Arabic-language interactions.
• Dozens of false personas, including names like “Sarah Sarah” and Arabic-script identities, repost links across large public Facebook groups.
• These fake users have no real engagement history beyond campaign activity, suggesting purely functional creation.

“The page, which poses as a Hebrew-language page, responded using the Arabic word “@followers”(from Arabic: @متابعين(. This indicates that the page operator’s Facebook interface is set to Arabic.”

The personas are embedded in high-member Facebook communities—some unrelated to news, like local “buy/sell” groups or neighborhood boards in cities such as Be’er Sheva and Ramat Gan. The aim: maximize exposure and blur the line between real and fake engagement.

“The fake profiles repost identical messages originally published on the campaign’s fake Facebook pages… allowing the operators to distribute messages efficiently.”

ClearSky linked the campaign to dozens of active domains, some dating back to 2019, all registered under aliases and often hosted by Yemen-based providers. The domain gool-live[.]com serves as a prime example, featuring low-quality design and visible inconsistencies that betray its foreign origin.

No malicious code or malware was detected, but ClearSky warns that the infrastructure is already positioned for potential future attacks.

“It may later be used to spread fear-inducing messages or malicious content… or insert malicious scripts into their websites.”

Unlike traditional cyberattacks, this campaign relies on psychological influence and cultural manipulation, possibly aiming to:

• Distort local discourse
• Erode trust in digital content
• Establish rapport for later disinformation or phishing attacks

The report advises increased vigilance and awareness of these tactics. Users should verify the credibility of sources and be cautious of clickbait links and suspicious social media profiles.

Related Posts:

• North Korean IT Workers Pose as Developers on GitHub to Infiltrate Global Companies
• Iranian APT hacker organisation falsifies Israeli security companies official website to implement phishing activities
• Right-Click to Hack: Zero-Day CVE-2024-43451 Vulnerability Targets Windows Users
• Earth Simnavaz Exploits Windows Kernel Flaw CVE-2024-30088 in Attacks on Critical Infrastructure