TA558 Uses AI-Generated Scripts to Deploy Venom RAT in Brazil Hotel Attacks
Briefly

"Russian cybersecurity vendor Kaspersky is tracking the activity, observed in summer 2025, to a cluster it tracks as RevengeHotels. The threat actors continue to employ phishing emails with invoice themes to deliver Venom RAT implants via JavaScript loaders and PowerShell downloaders, the company said. A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents."
"RevengeHotels has a history of targeting hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems. Early iterations of the threat actor's campaigns were found to distribute emails with crafted Word, Excel, or PDF documents attached, some of which exploit a known remote code execution flaw in Microsoft Office (CVE-2017-0199) to trigger the deployment of Revenge RAT, NjRAT, NanoCoreRAT, and 888 RAT, as well as a piece of custom malware called ProCC."
In summer 2025, Kaspersky observed TA558 activity, linked to a cluster it tracks as RevengeHotels, targeting hotels in Brazil and Spanish-speaking markets. The group used invoice-themed phishing emails to deliver Venom RAT via JavaScript loaders and PowerShell downloaders. A significant portion of the initial infector and downloader code appears to be generated by large language model (LLM) agents. RevengeHotels has targeted hospitality and travel organizations in Latin America since at least 2015. Earlier campaigns used malicious Word, Excel, or PDF attachments and exploited CVE-2017-0199 to deploy multiple RATs and custom malware. The primary objective is theft of credit card data belonging to guests and online travel agencies (OTAs).
Read at The Hacker News