The threat actor known as TA558 has been attributed to a fresh set of attacks delivering various remote access trojans (RATs) like Venom RAT to breach hotels in Brazil and Spanish-speaking markets.
Russian cybersecurity vendor Kaspersky is tracking the activity, observed in summer 2025, to a cluster it tracks as RevengeHotels.
“The threat actors continue to employ phishing emails with invoice themes to deliver Venom RAT implants via JavaScript loaders and PowerShell downloaders,” the company said. “A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents.”
The findings demonstrate a new trend among cybercriminal groups to leverage artificial intelligence (AI) to bolster their tradecraft.
Known to be active since at least 2015, RevengeHotels has a history of hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems.
Early iterations of the threat actor’s campaigns were found to distribute emails with crafted Word, Excel, or PDF documents attached, some of which exploit a known remote code execution flaw in Microsoft Office (CVE-2017-0199) to trigger the deployment of Revenge RAT, NjRAT, NanoCoreRAT, and 888 RAT, as well as a piece of custom malware called ProCC.
Subsequent campaigns documented by Proofpoint and Positive Technologies have demonstrated the threat actor’s ability to refine their attack chains to deliver a wide range of RATs such as Agent Tesla, AsyncRAT, FormBook, GuLoader, Loda RAT, LokiBot, Remcos RAT, Snake Keylogger, and Vjw0rm.
The main goal of the attacks is to capture credit card data from guests and travelers stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs) such as Booking.com.
According to Kaspersky, the latest campaigns involve sending phishing emails written in Portuguese and Spanish bearing hotel reservation and job application lures to trick recipients into clicking on fraudulent links, resulting in the download of a WScript JavaScript payload.
“The script appears to be generated by a large language model (LLM), as evidenced by its heavily commented code and a format similar to those produced by this type of technology,” the company said. “The primary function of the script is to load subsequent scripts that facilitate the infection.”
This includes a PowerShell script, which, in turn, retrieves a downloader named “cargajecerrr.txt” from an external server and runs it via PowerShell. The downloader, as the name implies, fetches two additional payloads: a loader that’s responsible for launching the Venom RAT malware.
Based on the open-source Quasar RAT, Venom RAT is a commercial tool that’s offered for $650 for a lifetime license. A one-month subscription bundling the malware with HVNC and Stealer components, costs $350.
The malware is equipped to siphon data, act as a reverse proxy, and features an anti-kill…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
