

Ethical Hacking News

The Rise of RevengeHotels: A New Threat Actor Leveraging AI-Generated Scripts to Deploy Malware



RevengeHotels, a new threat actor, has been linked to recent hotel attacks in Brazil and Spanish-speaking markets using AI-generated scripts to deploy Venom RAT malware. The group's use of artificial intelligence demonstrates an increased reliance on automation and custom tools in their campaigns, making it more challenging for defenders to keep up with their tactics.


  • The new threat actor "RevengeHotels" has been linked to a series of attacks targeting hotels in Brazil and Spanish-speaking markets.
  • The group uses AI-generated scripts, including large language model (LLM) agents, to automate their campaigns.
  • RevengeHotels' modus operandi involves sending phishing emails with invoice themes to deliver remote access trojans (RATs).
  • The primary goal of the attacks is to capture credit card data from hotel systems and online travel agencies.
  • The Venom RAT malware has advanced features, including data siphoning capabilities and anti-kill protection mechanisms.


    The threat landscape is constantly evolving, and one of the most recent developments that has caught the attention of cybersecurity experts is the emergence of a new threat actor known as RevengeHotels. This group has been attributed to a series of attacks in which they have deployed various remote access trojans (RATs) like Venom RAT to breach hotels in Brazil and Spanish-speaking markets.

    According to Russian cybersecurity vendor Kaspersky, the activity observed in summer 2025 is tracked under the cluster RevengeHotels. The group's modus operandi involves sending phishing emails with invoice themes to deliver Venom RAT implants via JavaScript loaders and PowerShell downloaders. The initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents.

    This trend among cybercriminal groups to leverage artificial intelligence (AI) to bolster their tradecraft is a significant development in the world of cybersecurity. RevengeHotels' use of AI-generated scripts demonstrates an increased reliance on automation and custom tools in their campaigns, making it more challenging for defenders to keep up with their tactics.

    The group's history dates back to at least 2015, and over that time it has distributed emails with crafted Word, Excel, or PDF documents attached. Some of these attachments exploit a known remote code execution flaw in Microsoft Office (CVE-2017-0199) to trigger the deployment of Revenge RAT, NjRAT, NanoCoreRAT, and 888 RAT, as well as custom malware called ProCC.

    Subsequent campaigns documented by Proofpoint and Positive Technologies have shown that RevengeHotels has refined their attack chains to deliver a wide range of RATs such as Agent Tesla, AsyncRAT, FormBook, GuLoader, Loda RAT, LokiBot, Remcos RAT, Snake Keylogger, and Vjw0rm. The primary goal of the attacks is to capture credit card data from guests and travelers stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs) such as Booking.com.

    According to Kaspersky, the latest campaigns involve sending phishing emails written in Portuguese and Spanish bearing hotel reservation and job application lures to trick recipients into clicking on fraudulent links. This results in the download of a WScript JavaScript payload.
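    The delivery chain described above (a WScript JavaScript payload that leads to a PowerShell downloader) leaves a recognizable parent/child process pattern. The following is an added detection sketch, not code from Kaspersky or from this article: the event field names are assumptions modelled on Sysmon process-creation records, the scoring weights are illustrative, and the sample events are constructed.

```python
import ntpath
import re

# Assumed field names, modelled on Sysmon process-creation (Event ID 1) records.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp)\\", re.I)
DOWNLOAD_HINTS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|-enc\w*\s", re.I)

def score_event(ev):
    """Score one process-creation event; 0 means the chain is absent."""
    child = ntpath.basename(ev.get("image", "")).lower()
    parent = ntpath.basename(ev.get("parent_image", "")).lower()
    if child not in POWERSHELL or parent not in SCRIPT_HOSTS:
        return 0, []
    score, reasons = 2, ["script host spawned PowerShell"]
    pcmd = ev.get("parent_command_line", "")
    if SCRIPT_EXT.search(pcmd) and USER_WRITABLE.search(pcmd):
        score += 1
        reasons.append("script ran from a user-writable path")
    if DOWNLOAD_HINTS.search(ev.get("command_line", "")):
        score += 1
        reasons.append("PowerShell command line has download or encoded-command traits")
    return score, reasons

def triage(events, threshold=3):
    """Return (host, score, reasons) for events at or above the threshold."""
    scored = ((ev["host"], *score_event(ev)) for ev in events)
    return [hit for hit in scored if hit[1] >= threshold]

# Constructed sample events (not taken from the campaign).
SAMPLE_EVENTS = [
    {"host": "FRONTDESK-01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "parent_command_line": r'wscript.exe "C:\Users\reception\Downloads\Fatura_0001.js"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -EncodedCommand CONSTRUCTED_PLACEHOLDER"},
    {"host": "BACKOFFICE-02", "parent_image": r"C:\Windows\explorer.exe",
     "parent_command_line": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"host": "ADMIN-03", "parent_image": r"C:\Windows\System32\cscript.exe",
     "parent_command_line": r'cscript.exe "C:\Program Files\Inventory\audit.vbs"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Service"},
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_EVENTS):
        print(host, score, "; ".join(reasons))
```

    The third sample event shows why the chain alone scores below the threshold: an administrative script in an installed location that calls PowerShell is common and would otherwise generate noise.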

    The Venom RAT malware is equipped with advanced features including data siphoning capabilities, acting as a reverse proxy, an anti-kill protection mechanism, and persistence mechanisms using Windows Registry modifications. If executed with elevated privileges, the malware sets the SeDebugPrivilege token, marks itself as a critical system process, forces the computer's display to remain on, prevents it from entering sleep mode, and disables Microsoft Defender Antivirus.

    The group has significantly enhanced its capabilities by developing new tactics to target the hospitality and tourism sectors.

    Kaspersky stated that "RevengeHotels has continued to employ phishing emails with invoice themes to deliver Venom RAT implants via JavaScript loaders and PowerShell downloaders. A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents."



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rise-of-RevengeHotels-A-New-Threat-Actor-Leveraging-AI-Generated-Scripts-to-Deploy-Malware-ehn.shtml

  • Published: Wed Sep 17 17:25:56 2025 by llama3.2 3B Q4_K_M












