
AI-Generated Malware Targets Hotels in Brazil, Latin America

AI-Generated Malware Fuels New TA558 Cyber Attacks on Hotels Across Latin America

  • Hackers identified as TA558 have targeted hotels in Brazil and Spanish-speaking countries using remote access trojans (RATs).
  • Kaspersky connected the attacks to the RevengeHotels group, who use Artificial Intelligence (AI) tools to generate malicious code.
  • The group distributes phishing emails that appear as invoices or job applications, using JavaScript and PowerShell scripts as malware loaders.
  • The main target is credit card information stored by hotels and travel agencies, often obtained through phishing campaigns in Portuguese and Spanish.
  • The malware, including Venom RAT, features anti-detection and persistence tools, and can disable security software and spread through USB devices.

Attackers known as TA558 have launched a new wave of cyber attacks against hotels in Brazil and other Spanish-speaking regions, aiming to plant remote access trojans on their systems. These campaigns rely on phishing emails that trick hotel staff into clicking links that install malware designed to steal sensitive data.


Researchers at Kaspersky said the activity, observed in summer 2025, points to the RevengeHotels group. This group has a history of targeting the hotel and hospitality industry in Latin America with the goal of stealing credit card data from guests and online travel agencies. According to Kaspersky, the attackers’ recent campaigns use phishing emails in both Portuguese and Spanish, posing as hotel reservations or job offers.

The phishing emails carry JavaScript files that appear to be generated by artificial intelligence (AI), specifically large language models (LLMs). “A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents,” Kaspersky stated. The scripts lead to the download of more malware files, including PowerShell scripts and payloads for Venom RAT.

Venom RAT is a commercially sold remote access tool capable of stealing data, operating as a reverse proxy, and protecting itself from removal or detection. The malware modifies user permissions and actively stops any processes that could analyze or prevent its activity. “The loop specifically targets those processes commonly used by security analysts and system administrators… If the RAT detects any of these processes, it will terminate them without prompting the user,” Kaspersky reported.

The software also ensures it remains on infected systems by changing registry settings and quickly re-installing itself if removed. If it runs with admin privileges, it marks itself as a critical system process, making it harder to remove. Venom RAT can also spread through USB drives and attempts to disable Microsoft Defender Antivirus by editing system processes and registry settings.
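For defenders, the chain described above (a JavaScript attachment launching PowerShell, followed by registry changes for persistence and for disabling Microsoft Defender) can be triaged per host from endpoint telemetry. The following is an added example, not code from this article or from Kaspersky's report. The simplified Sysmon-style event format, host names and file paths are constructed, and the registry locations are the standard Windows Run keys and Defender settings tree, assumed here because the article names no specific keys.

```python
import re
from collections import defaultdict

# Constructed, simplified Sysmon-style events (id 1 = process creation, 13 = registry value set).
EVENTS = [
    {"host": "FRONTDESK-01", "id": 1, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "FRONTDESK-01", "id": 13, "image": r"C:\Users\Public\example.exe",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Example"},
    {"host": "FRONTDESK-01", "id": 13, "image": r"C:\Users\Public\example.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"host": "BACKOFFICE-02", "id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "BACKOFFICE-02", "id": 13, "image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host runs .js attachments
POWERSHELL = {"powershell.exe", "pwsh.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_KEY = re.compile(r"\\Microsoft\\Windows Defender\\", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the chain stage an event matches, or None."""
    if event["id"] == 1:
        if basename(event.get("parent", "")) in SCRIPT_HOSTS and basename(event["image"]) in POWERSHELL:
            return "script_host_spawned_powershell"
    elif event["id"] == 13:
        target = event.get("target", "")
        if DEFENDER_KEY.search(target):
            return "defender_setting_changed"
        if RUN_KEY.search(target):
            return "run_key_persistence"
    return None

def triage(events, min_stages=2):
    """Group matched stages per host; report hosts showing several stages together."""
    stages = defaultdict(set)
    for event in events:
        stage = classify(event)
        if stage:
            stages[event["host"]].add(stage)
    return {host: sorted(found) for host, found in stages.items() if len(found) >= min_stages}

if __name__ == "__main__":
    print(triage(EVENTS))
```

Requiring several stages on the same host keeps a lone Run-key write by a legitimate updater (the second constructed host) out of the results.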


RevengeHotels has adapted its attack methods over the years, moving from sending malicious Office attachments to using AI-generated scripts and a wider variety of RATs, including Agent Tesla and LokiBot. Kaspersky warns that these developments signal a new phase in cyberattacks on the hospitality industry, strengthened by AI-generated malware and phishing lures. For technical details, see Kaspersky’s official analysis.

The ongoing campaign highlights the risks facing hotels and travel businesses as cybercriminal groups like RevengeHotels improve their tactics and increase the sophistication of their attacks.
