VenomRAT packages on the dark web | Image: Kaspersky Labs
The long-running cybercrime group RevengeHotels, also tracked as TA558, has resurfaced with a new campaign targeting hotels and the wider hospitality sector. Active since 2015, the group specializes in stealing credit card data from hotel guests and travelers, typically through phishing emails that deliver remote access Trojan (RAT) implants.
According to Kaspersky Labs, “RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers.”
The latest campaigns, observed in summer 2025, are more sophisticated than ever before. The group continues to rely on phishing emails—often themed around invoices or overdue payments—but with a modern twist: much of the loader code now appears to be generated by large language models (LLMs).
Kaspersky researchers note, “A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents. This suggests that the threat actor is now leveraging AI to evolve its capabilities, a trend also reported among other cybercriminal groups.”
The AI-generated scripts are clean, well commented, and include placeholders for customization, which makes them easy for attackers to adapt and harder for defenders to distinguish from benign automation scripts.
Victims who click the malicious links are redirected to fake document storage websites, which drop a JavaScript loader. The loader, typically named Fat{NUMBER}.js after the Portuguese word “fatura” (invoice), decodes a PowerShell script that downloads additional payloads.
These payloads eventually deliver VenomRAT, an advanced RAT derived from QuasarRAT but enhanced with:
- HVNC (hidden VNC) remote desktop access
- Credential and file theft
- Reverse proxy capabilities
- Anti-kill protection against analyst tools
- Persistence via registry keys and process monitoring
Kaspersky highlights, “The final payloads consist of various remote access Trojan (RAT) implants, which enable the threat actor to issue commands for controlling compromised systems, stealing sensitive data, and maintaining persistence.”
VenomRAT includes a series of advanced evasion and persistence techniques:
- Anti-kill measures: It terminates security tools every 50ms and marks itself as a critical system process if run with admin rights.
- Disabling Windows Defender: The RAT directly kills Defender processes and disables features in the registry.
- USB Worming: Copies itself to removable drives under the name My Pictures.exe.
- Event Log Clearing & Zone Identifier Removal: Erases digital traces to frustrate forensic analysis.
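The evasion and persistence behaviours listed above, together with the invoice-themed JavaScript loader described earlier, each leave host telemetry a defender can alert on. The detector below is an added example written for this article, not Kaspersky's code or anything from the malware itself: it runs a handful of rules over constructed Windows Security and Sysmon events. The flat record layout, the analyst-tool watchlist, the burst threshold, the treatment of C: as the only system drive, and the assumption that the .js loader launches PowerShell from a script host (wscript.exe or cscript.exe) are all assumptions of this example rather than facts from the article.

```python
"""Detection rules for the RevengeHotels / VenomRAT behaviours in the article.

Runs over constructed sample events (not real telemetry). Record layout is an
assumption of this example: dicts with channel, event_id, host, ts (seconds) and
a data dict of event fields using Sysmon's field names.
Sysmon IDs used: 1 ProcessCreate, 5 ProcessTerminate, 11 FileCreate, 13 RegistryValueSet.
Windows IDs used: Security 1102 (audit log cleared), System 104 (System log cleared).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

LOADER_NAME = re.compile(r"^fat\d+\.js$", re.IGNORECASE)       # Fat{NUMBER}.js from the article
WORM_NAME = "my pictures.exe"                                  # USB copy name from the article
DEFENDER_POLICY = "\\policies\\microsoft\\windows defender\\"  # Defender policy key, compared lowercase
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                  # assumption: how the .js loader runs
ANALYST_TOOLS = {"procexp.exe", "procmon.exe", "taskmgr.exe", "msmpeng.exe"}  # constructed watchlist
KILL_BURST_THRESHOLD = 5   # watchlisted terminations on one host ...
KILL_BURST_WINDOW_S = 1.0  # ... within this many seconds => anti-kill loop


@dataclass
class Finding:
    rule: str
    host: str
    evidence: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return findings in event order; each rule fires at most once per host."""
    findings, fired = [], set()
    kills = defaultdict(list)  # host -> timestamps of recent watchlisted terminations

    def emit(rule, host, evidence):
        if (rule, host) not in fired:
            fired.add((rule, host))
            findings.append(Finding(rule, host, evidence))

    for ev in events:
        ch, eid, host, d = ev["channel"], ev["event_id"], ev["host"], ev["data"]
        if (ch, eid) in {("Security", 1102), ("System", 104)}:
            # "Clean slate": the RAT clears Windows event logs.
            emit("event_log_cleared", host, f"{ch} event {eid} by {d.get('SubjectUserName', '?')}")
        elif ch != "Sysmon":
            continue
        elif eid == 11 and LOADER_NAME.match(_basename(d["TargetFilename"])):
            # Invoice-themed JavaScript loader written to disk.
            emit("invoice_js_loader_dropped", host, d["TargetFilename"])
        elif eid == 1 and _basename(d["ParentImage"]) in SCRIPT_HOSTS and _basename(d["Image"]) == "powershell.exe":
            # Script host spawning PowerShell: the loader decoding its PowerShell stage.
            emit("script_host_spawned_powershell", host, d["CommandLine"])
        elif eid == 13 and DEFENDER_POLICY in d["TargetObject"].lower() and d.get("Details", "").endswith("(0x00000001)"):
            # Defender features disabled through policy registry values.
            emit("defender_policy_tamper", host, f"{d['TargetObject']} set by {d['Image']}")
        elif eid == 11 and _basename(d["TargetFilename"]) == WORM_NAME and PureWindowsPath(d["TargetFilename"]).drive.upper() != "C:":
            # Worm copy landing on a non-system drive (assumption: C: is the system drive).
            emit("removable_drive_worm_copy", host, d["TargetFilename"])
        elif eid == 5 and _basename(d["Image"]) in ANALYST_TOOLS:
            # Rapid repeated terminations of analyst/security tools (the 50 ms kill loop).
            window = kills[host]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > KILL_BURST_WINDOW_S:
                window.pop(0)
            if len(window) >= KILL_BURST_THRESHOLD:
                emit("analyst_tool_kill_burst", host, f"{len(window)} kills within {KILL_BURST_WINDOW_S}s")
    return findings


def _ev(channel, event_id, ts, **data):
    return {"channel": channel, "event_id": event_id, "host": "frontdesk-01", "ts": ts, "data": data}


SAMPLE_EVENTS = [  # constructed sample events mirroring the article's infection chain
    _ev("Sysmon", 11, 0.0, Image="C:\\Program Files\\Browser\\browser.exe",
        TargetFilename="C:\\Users\\recepcao\\Downloads\\Fat12345.js"),
    _ev("Sysmon", 1, 1.0, ParentImage="C:\\Windows\\System32\\wscript.exe",
        Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        CommandLine="powershell.exe <decoded script placeholder>"),
    _ev("Sysmon", 13, 2.0, Image="C:\\Windows\\System32\\svchost.exe",  # benign: value set to 0
        TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
        Details="DWORD (0x00000000)"),
    _ev("Sysmon", 13, 3.0, Image="C:\\Users\\recepcao\\AppData\\Roaming\\client.exe",
        TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
        Details="DWORD (0x00000001)"),
    _ev("Security", 1102, 4.0, SubjectUserName="recepcao"),
    _ev("Sysmon", 11, 5.0, Image="C:\\Windows\\explorer.exe",  # benign: same file name, on C:
        TargetFilename="C:\\Users\\recepcao\\Pictures\\My Pictures.exe"),
    _ev("Sysmon", 11, 6.0, Image="C:\\Users\\recepcao\\AppData\\Roaming\\client.exe",
        TargetFilename="E:\\My Pictures.exe"),
] + [_ev("Sysmon", 5, 7.0 + i * 0.05, Image="C:\\Tools\\procexp.exe") for i in range(6)]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.evidence})")
```

The two benign records (a Defender policy value written as 0, and a user's own "My Pictures.exe" on the system drive) are there to show the rules do not fire on look-alike activity; the kill-burst rule deliberately keys on rate rather than on any single termination, since legitimate administrators close these tools too. In a real deployment the watchlist, the threshold and the drive-letter test would be tuned per environment.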
As Kaspersky describes, “The malware clears all Windows event logs on the compromised system, effectively creating a ‘clean slate’ for its operations.”
While Brazilian hotels remain the primary target, RevengeHotels is broadening its horizons. Campaigns have increasingly included Spanish-language phishing emails, signaling expansion into Latin American and Spanish-speaking markets such as Argentina, Mexico, Chile, Costa Rica, and Spain.
In past operations, the group also hit hotels in Russia, Belarus, and Turkey, though no such cases have been seen in the current campaign.
The resurgence of RevengeHotels demonstrates how traditional cybercrime tactics are evolving through AI. By leveraging large language models to generate convincing and modular phishing tools, the group has strengthened its ability to compromise hotel front desks and siphon sensitive data at scale.
Kaspersky concludes, “RevengeHotels has significantly enhanced its capabilities, developing new tactics to target the hospitality and tourism sectors. With the assistance of LLM agents, the group has been able to generate and modify their phishing lures, expanding their attacks to new regions.”
As hotels increasingly digitize their operations, the hospitality sector remains a lucrative target for financially motivated cybercriminals.