
TA558 Delivers Venom RAT via AI-Generated Scripts in Hotel Attacks

📰 1 unique source, 1 article

Summary


TA558, a threat actor tracked as RevengeHotels, has been observed deploying Venom RAT in attacks against hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts in phishing emails to deliver the malware. The attacks aim to capture credit card data from guests and travelers. The threat actor has been active since at least 2015, targeting hospitality and travel organizations in Latin America. The latest campaigns involve phishing emails written in Portuguese and Spanish, using hotel reservation and job application lures. The malware includes anti-kill mechanisms and persistence techniques to ensure uninterrupted operation.

Timeline

  1. 17.09.2025 21:30 📰 1 article · ⏱ 2d ago

    TA558 Deploys Venom RAT in Hotel Attacks Using AI-Generated Scripts

    In summer 2025, TA558, tracked as RevengeHotels, was observed delivering Venom RAT via AI-generated scripts in phishing emails targeting hotels in Brazil and Spanish-speaking markets. The malware includes advanced anti-kill mechanisms and persistence techniques to capture credit card data from guests and travelers.



Similar Happenings

Subtle Snail APT Targets Global Telcos and Satellite Operators

Subtle Snail (UNC1549) has conducted a series of cyberattacks against 11 global telecommunications, satellite, and aerospace companies in recent weeks. The attacks, which occurred over a short period, targeted key personnel in these industries using highly customized phishing lures and malware. The primary goals appear to be data theft for research and development and call data records (CDRs) for espionage. The group has been active since at least June 2022, focusing on aerospace, defense, and telecommunications sectors. Their tactics include extensive background research on targets and the use of custom malware, particularly the MiniBike backdoor, which employs modular components to evade detection. The attacks have been observed across the Middle East, Europe, and North America, with victims including major companies serving millions of customers. The group is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC).

RaccoonO365 Phishing-as-a-Service Infrastructure Disrupted

Microsoft and Cloudflare disrupted the RaccoonO365 phishing-as-a-service (PhaaS) network, seizing 338 domains used by the threat group Storm-2246. The operation targeted over 5,000 Microsoft 365 credentials from 94 countries since July 2024. The group, led by Joshua Ogundipe, used Cloudflare services to protect phishing pages, making detection more challenging. The disruption began on September 2, 2025, and involved banning domains, placing warning pages, and terminating associated scripts. The group targeted over 2,300 organizations in the U.S., including healthcare entities, and offered AI-powered services to enhance phishing attacks. The stolen credentials, cookies, and other data were used in financial fraud attempts, extortion attacks, or as initial access to other victims' systems. RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals. The phishing kits mimic official Microsoft communications, use Microsoft branding, and impersonate trusted brands to deceive users. The kits can target up to 9,000 email addresses with automated phishing attacks and offer services such as spam and email security filter bypassing. The group's organizational structure includes specialized roles for development, sales, and customer support, and they registered domains using fictitious names to mask their activities.

Global Phishing Campaign Installs Multiple RATs via JavaScript Droppers

A rapidly spreading phishing campaign targets Windows users worldwide, stealing credentials and deploying various remote access trojans (RATs). The campaign uses convincing phishing pages and personalized emails to lure victims into downloading malicious JavaScript files. The attack impacts multiple sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality. The campaign is notable for its complexity and the use of advanced techniques to evade detection. The campaign has been linked to Russian ransomware groups using a new malware loader called CountLoader, which delivers post-exploitation tools and RATs. The attack chain begins with a small, obfuscated script that redirects victims to spoofed sites. The malware delivered includes PureHVNC, DCRat, and Babylon RAT, providing long-term access to the organization's networks. The campaign has shown rapid growth, with detection counts doubling in just two weeks. The phishing campaign targets specific countries, including Austria, Belarus, Canada, Egypt, India, and Pakistan. The attack chain begins with phishing emails using themes related to voicemail messages and purchase orders. The phishing pages display the victim's domain string and logo to reinforce authenticity. The payload is a ZIP archive containing an obfuscated JavaScript file that performs anti-analysis checks. UpCrypter is also distributed as an MSIL loader that performs anti-analysis and anti-virtual machine checks. The attack culminates with the script embedding data from a DLL loader and the payload during execution, minimizing forensic traces. Threat actors are using living-off-trusted-sites (LOTS) techniques, leveraging legitimate services like Microsoft 365 Direct Send and OneNote. Attackers use client-side evasion techniques in phishing pages, including JavaScript-based blocking and Browser-in-the-Browser (BitB) templates.