Threat Actor Infests Hotels With New RAT

RevengeHotels has been targeting hotels in Brazil and Spanish-speaking regions with VenomRAT implants in 2025.

A threat actor known as RevengeHotels has expanded its arsenal with a new remote access trojan (RAT) in recent attacks targeting the hospitality sector, Kaspersky reports.

Active since 2015 and also known as TA558, the hacking group has been focusing on stealing the credit card information of hotel guests and travelers.

RevengeHotels attacks typically start with phishing emails redirecting to websites that drop malicious scripts designed to infect the victims’ systems with various RAT families, allowing the attackers to steal sensitive information and maintain persistent access.

In previous attacks, the group was seen targeting hotels in multiple countries across Latin America with malware families such as 888 RAT, NanoCoreRAT, NjRAT, RevengeRAT, and the custom malware ProCC.

More recently, the threat actor added XWorm to its arsenal, and was also seen using DesckVBRAT in some operations.

In a campaign that Kaspersky observed in mid-2025, RevengeHotels switched to more sophisticated implants and tools, such as VenomRAT, and started using AI to build its JavaScript loaders and PowerShell downloaders.

The attacks started with phishing emails with invoicing lures targeting hotel reservations, urging the recipient to take care of overdue payments. More recently, the attackers started using fake job applications, sending résumés to the targeted hotels.

The victims were redirected to websites hosting malicious scripts containing code generated by AI. These scripts were designed to load additional scripts that would trigger malware infection.

“A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents. This suggests that the threat actor is now leveraging AI to evolve its capabilities, a trend also reported among other cybercriminal groups,” Kaspersky notes.

The infection chain leads to the deployment of VenomRAT, which allows attackers to control infected machines through a hidden virtual desktop session. The malware can harvest and exfiltrate files, set up a reverse proxy, and bypass User Account Control protections.

The malware can also spread via USB drives, by searching for removable drives and copying itself to them under the name My Pictures.exe.
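For responders triaging removable media from front-desk machines, the following is an added example (not code from Kaspersky or from this article) that hunts a mounted drive for the file name reported above. The recursive search, the case-insensitive match, the PE header check and the function names are assumptions of this example, since the article does not say where on the drive the copy is placed.

```python
import hashlib
from pathlib import Path

# File name the article reports for VenomRAT copies on removable drives.
# Compared case-insensitively (an assumption of this example).
LURE_NAME = "my pictures.exe"


def is_pe(path):
    """True if the file starts with the 'MZ' header of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks for triage; None if it cannot be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
    except OSError:
        return None
    return digest.hexdigest()


def scan_drive(root):
    """Return one finding per file named 'My Pictures.exe' under root.

    root is the mount point of a removable drive or a mounted forensic image.
    A name match alone is only a lead: is_pe separates real executables from
    harmless files that happen to share the name.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() == LURE_NAME:
            findings.append({
                "path": str(path),
                "is_pe": is_pe(path),
                "sha256": sha256_of(path),
            })
    return findings


if __name__ == "__main__":
    import sys
    for drive in sys.argv[1:]:          # e.g. python scan.py E:\ F:\
        for hit in scan_drive(drive):
            print(hit)
```

A hit with `is_pe` set is worth isolating the drive for, and its hash can be checked against the indicators in the vendor report.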

According to Kaspersky, this fresh RevengeHotels campaign focused on hotels and front desks in Brazil. However, while most of the identified phishing emails were in Portuguese, some of them were in Spanish, suggesting that the hacking group might be expanding the operation to other regions.

Previously, the group was seen targeting establishments in Spanish-speaking countries such as Argentina, Bolivia, Chile, Costa Rica, Mexico, and Spain, as well as hotels in Russia, Belarus, and Turkey.

“RevengeHotels has significantly enhanced its capabilities, developing new tactics to target the hospitality and tourism sectors. With the assistance of LLM agents, the group has been able to generate and modify their phishing lures, expanding their attacks to new regions,” Kaspersky notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
