Kaspersky Lab experts have discovered a new wave of attacks by the RevengeHotels group. A distinctive feature of this campaign is that many of the new malware samples were created using AI.
RevengeHotels (aka TA558) has been active since 2015 and specializes in stealing hotel guests’ and travelers’ credit card data. Typically, the hackers send emails with phishing links that redirect visitors to sites disguised as document repositories. Malicious scripts downloaded from these sites then infect the target computers.
The final payloads are various remote access Trojans (RATs) that allow attackers to control compromised systems, steal sensitive data, establish persistence within the infrastructure, and so on.
In the summer of 2025, researchers discovered new attacks by the group targeting hotels, involving increasingly sophisticated implants and tools. The primary targets were hotels in Brazil, but victims were also identified in several Spanish-speaking countries — Argentina, Bolivia, Chile, Costa Rica, Mexico, and Spain.
In previous campaigns, the RevengeHotels group targeted users in Russia, Belarus, Turkey, Malaysia, Italy, and Egypt.
This time, the attackers continued to send phishing emails (disguised as invoices, hotel room reservation requests, or job seeker inquiries for positions in the hospitality industry) to deliver VenomRAT using JavaScript- and PowerShell-based loaders.
According to the analysis, a significant portion of the code for initial compromise and implant delivery in these campaigns could have been generated using LLM agents. The researchers believe that the hackers are actively leveraging AI technologies to expand their capabilities.
VenomRAT is an updated version of the open-source Trojan QuasarRAT, which was first discovered in mid-2020. VenomRAT is distributed on the dark web at a price of up to $650 for a lifetime license. Although VenomRAT’s source code has leaked, it is still being sold and used by threat actors.

“While RevengeHotels’ signature remains recognizable, the attackers are refining their methods. In particular, a significant portion of the malicious code is believed to have been written using large language models (LLMs). This points to the active use of AI technologies to increase the efficiency of cyberattacks. It’s important to understand that banking and other sensitive data can be at risk even on the websites of large, well-known hotels, so you should always exercise caution,” comments Dmitry Galov, Head of Kaspersky GReAT in Russia.