"In a campaign that Kaspersky observed in mid-2025, RevengeHotels switched to more sophisticated implants and tools, such as VenomRAT, and started using AI to build its JavaScript loaders and PowerShell downloaders. The attacks started with phishing emails with invoicing lures targeting hotel reservations, urging the recipient to take care of overdue payments. More recently, the attackers started using fake job applications, sending résumés to the targeted hotels."
"RevengeHotels attacks typically start with phishing emails redirecting to websites that drop malicious scripts designed to infect the victims' systems with various RAT families, allowing the attackers to steal sensitive information and maintain persistent access. In previous attacks, the group was seen targeting hotels in multiple countries across Latin America with malware families such as 888 RAT, NanoCoreRAT, NjRAT, RevengeRAT, and the custom malware ProCC. More recently, the threat actor added XWorm to its arsenal, and was also seen using DesckVBRAT in some operations."
RevengeHotels targets the hospitality sector to steal hotel guest and traveler credit card information. Attacks begin with phishing emails that redirect victims to websites hosting malicious scripts which drop remote access trojans. The group has employed numerous RAT families including 888 RAT, NanoCoreRAT, NjRAT, RevengeRAT, ProCC, XWorm, DesckVBRAT and more recently VenomRAT. Campaign lures include invoicing notices and fake job applications with résumés. The threat actor has started using AI to generate JavaScript loaders and PowerShell downloaders, enabling more sophisticated initial infectors and persistent access for data exfiltration.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]