The threat actor known as TA558 has been attributed to a fresh set of attacks delivering various remote access trojans (RATs) like Venom RAT to breach hotels in Brazil and Spanish-speaking markets.
Russian cybersecurity vendor Kaspersky is tracking the activity, observed in summer 2025, to a cluster it tracks as RevengeHotels.
“The threat actors continue to employ phishing emails with invoice themes to deliver Venom RAT implants via JavaScript loaders and PowerShell downloaders,” the company said. “A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents.”
The findings demonstrate a new trend among cybercriminal groups to leverage artificial intelligence (AI) to bolster their tradecraft.
Known to be active since at least 2015, RevengeHotels has a history of hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems.
Early iterations of the threat actor’s campaigns were found to distribute emails with crafted Word, Excel, or PDF documents attached, some of which exploit a known remote code execution flaw in Microsoft Office (CVE-2017-0199) to trigger the deployment of Revenge RAT, NjRAT, NanoCoreRAT, and 888 RAT, as well as a piece of custom malware called ProCC.
Subsequent campaigns documented by Proofpoint and Positive Technologies have demonstrated the threat actor’s ability to refine their attack chains to deliver a wide range of RATs such as Agent Tesla, AsyncRAT, FormBook, GuLoader, Loda RAT, LokiBot, Remcos RAT, Snake Keylogger, and Vjw0rm.
The main goal of the attacks is to capture credit card data from guests and travelers stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs) such as Booking.com.
According to Kaspersky, the latest campaigns involve sending phishing emails written in Portuguese and Spanish bearing hotel reservation and job application lures to trick recipients into clicking on fraudulent links, resulting in the download of a WScript JavaScript payload.
“The script appears to be generated by a large language model (LLM), as evidenced by its heavily commented code and a format similar to those produced by this type of technology,” the company said. “The primary function of the script is to load subsequent scripts that facilitate the infection.”
This includes a PowerShell script, which, in turn, retrieves a downloader named “cargajecerrr.txt” from an external server and runs it via PowerShell. The downloader, as the name implies, fetches two additional payloads: a loader that’s responsible for launching the Venom RAT malware.
Based on the open-source Quasar RAT, Venom RAT is a commercial tool that’s offered for $650 for a lifetime license. A one-month subscription bundling the malware with HVNC and Stealer components, costs $350.
The malware is equipped to siphon data, act as a reverse proxy, and features an anti-kill protection mechanism to ensure that it runs uninterrupted. To accomplish this, it modifies the Discretionary Access Control List (DACL) associated with the running process to remove any permissions that could interfere with its functioning, and terminates any running process that matches any of the hard-coded processes.
“The second component of this anti-kill measure involves a thread that runs a continuous loop, checking the list of running processes every 50 milliseconds,” Kaspersky said.
“The loop specifically targets those processes commonly used by security analysts and system administrators to monitor host activity or analyze .NET binaries, among other tasks. If the RAT detects any of these processes, it will terminate them without prompting the user.”
The anti-kill feature also comes fitted with the ability to set up persistence on the host using Windows Registry modifications and re-run the malware anytime the associated process is not found in the list of running processes.
Should the malware be executed with elevated privileges, it proceeds to set the SeDebugPrivilege token and marks itself as a critical system process, thereby allowing it to persist even when there is an attempt to terminate the process. It also forces the computer’s display to remain on and prevents it from entering sleep mode.
Lastly, the Venom RAT artifacts incorporate capabilities to spread via removable USB drives and terminate the process associated with Microsoft Defender Antivirus, as well as tamper with the task scheduler and Registry to disable the security program.
“RevengeHotels has significantly enhanced its capabilities, developing new tactics to target the hospitality and tourism sectors,” Kaspersky said. “With the assistance of LLM agents, the group has been able to generate and modify their phishing lures, expanding their attacks to new regions.”
Source link
