RevengeHotels Leveraging AI To Attack Windows Users With VenomRAT


RevengeHotels, a financially motivated threat group active since 2015, has escalated its operations against hospitality organizations by integrating large language model–generated code into its infection chain.

Initially known for deploying bespoke RAT families such as RevengeRAT and NanoCoreRAT via phishing emails targeting hotel front-desk systems, the group’s latest campaigns pivot on delivering VenomRAT implants through dynamically generated JavaScript loaders and PowerShell downloaders.

These sophisticated initial infectors mimic professional development standards, embedding detailed comments and variable placeholders that suggest automated code generation.

Image: A phishing email about a booking confirmation (Source – Securelist)

In recent months, operators have specifically targeted Brazilian hospitality networks, though Spanish-language lures have expanded the scope to Spanish-speaking markets in Latin America.

Emails masquerading as overdue invoice notifications or fake job applications entice recipients to visit malicious domains, which host scripts named in a rotating "Fat{NUMBER}.js" format ("Fat" being an abbreviation of the Portuguese word for "invoice") to initiate the download process.

Upon execution, the loader decodes an obfuscated buffer and writes a PowerShell file with a timestamped filename, ensuring each sample remains unique and evades signature-based detections.

Securelist analysts noted that these rotating filenames and the coherence of the generated code mark a departure from the group’s prior manual obfuscation efforts.

Once the PowerShell stub executes, it retrieves two Base64-encoded payloads—venumentrada.txt and runpe.txt—from remote servers.

The first file serves as a lightweight loader, while the second executes the VenomRAT payload directly in memory.

Securelist researchers identified that the loader employs a simple deobfuscation routine, as shown in Figure 1, to decode and invoke the implant without ever writing the final executable to disk.

Image: AI-generated code in a malicious implant as compared to custom code (Source – Securelist)

The VenomRAT implant itself builds upon the open-source QuasarRAT codebase, augmenting it with hidden desktop (HVNC), file-stealing modules, and UAC bypass primitives.

Configuration data is encrypted with AES-CBC and authenticated via HMAC-SHA256, using distinct keys for decryption and integrity verification.

Networking routines serialize action-specific packets, compress them with LZMA, and encrypt with AES-128 before transmission to the command-and-control server.

Image: VenomRAT packages on the dark web (Source – Securelist)

Notably, VenomRAT integrates ngrok-based tunneling to expose RDP and VNC services, enhancing remote access capabilities even through NAT or firewall constraints.

Infection Mechanism

The infection chain’s success hinges on the initial JavaScript loader’s ability to orchestrate multi-stage payload delivery while blending AI-generated clarity with manual obfuscation.

After the recipient of the phishing email clicks the malicious link, the victim's browser fetches a WScript JS file (Fat146571.js), which immediately decodes an embedded blob:

```javascript
var decoded = atob("SGDoHBZQWpL...");
// Write decoded PowerShell to disk
var fso = new ActiveXObject("Scripting.FileSystemObject");
var ps1 = fso.CreateTextFile("SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_" + Date.now() + ".ps1", true);
ps1.WriteLine(decoded);
ps1.Close();
// Execute the PowerShell script silently
WScript.CreateObject("WScript.Shell").Run("powershell -ExecutionPolicy Bypass -File " + ps1.Name, 0, false);
```

This segment exemplifies the AI’s role in producing clean, maintainable code that nonetheless performs malicious actions.

By generating unique filenames based on timestamps and avoiding persistent artifacts, the loader evades conventional antivirus and forensic tools.

The three-phase execution—decode, write, and execute—ensures that each infection instance differs, complicating detection signature updates.
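As an added illustration (not part of the Securelist analysis or of this article), the following Python scores process-creation records against the loader traits described above: a script host spawning powershell.exe, an -ExecutionPolicy Bypass argument, a timestamp-suffixed .ps1 path, and a parent script matching the Fat{NUMBER}.js naming. The field names follow Sysmon Event ID 1 and the sample records are constructed, not real telemetry.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\desk\Downloads\Fat146571.js"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_1726400000000.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Tools\inventory.js"',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
LOADER_NAME = re.compile(r"\bFat\d+\.js\b", re.IGNORECASE)       # rotating Fat{NUMBER}.js lure
EP_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass", re.IGNORECASE)  # -ep / -exec / -ExecutionPolicy Bypass
TIMESTAMPED_PS1 = re.compile(r"\b\w+_\d{13}\.ps1\b")           # <prefix>_<Date.now() in ms>.ps1

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one process-creation record; each matched trait adds one point."""
    reasons = []
    if basename(ev["ParentImage"]) in SCRIPT_HOSTS and basename(ev["Image"]) == "powershell.exe":
        reasons.append("script host spawned powershell.exe")
    if EP_BYPASS.search(ev["CommandLine"]):
        reasons.append("-ExecutionPolicy Bypass on the command line")
    if TIMESTAMPED_PS1.search(ev["CommandLine"]):
        reasons.append("timestamp-suffixed .ps1 as dropped by the loader")
    if LOADER_NAME.search(ev["ParentCommandLine"]):
        reasons.append("parent script matches Fat{NUMBER}.js naming")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return indexes of events whose score meets the threshold (two traits by default)."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, score_event(SAMPLE_EVENTS[i])[1])
```

The threshold of two traits keeps a lone -ExecutionPolicy Bypass from an administrative script below the alert line while the full loader chain scores four.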

Through this blend of AI-driven scripting and advanced RAT capabilities, RevengeHotels continues to refine its arsenal against Windows environments, posing a growing challenge to cybersecurity defenders.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.