TA558 Deploys Venom RAT Using AI-Generated Scripts Against Hotels in Brazil and Spanish-Speaking Markets
Overview
Russian security vendor Kaspersky has attributed a fresh campaign to the threat actor tracked as TA558. The campaign delivered multiple remote access trojans (RATs), including Venom RAT, to breach hotels in Brazil and in Spanish-speaking markets. Kaspersky observed the activity in the summer of 2025 and classifies the cluster under the label “RevengeHotels.”
“Kaspersky is tracking the activity … to a cluster it tracks as RevengeHotels.”
According to reporting, the group has been using phishing emails with invoice-themed lures and is leveraging AI-generated scripts to automate or obfuscate parts of the attack chain. The use of AI in this context raises operational and detection challenges for defenders in hospitality and related sectors.
Background and context: why this matters
The hospitality sector has long been a target for financially motivated cybercrime: hotels process payment card transactions, store guest personal data, and often run a mix of legacy and third-party systems that can complicate security. Successful intrusions in this sector can yield immediate financial gain through payment fraud as well as long-term value through resale of credentials and personal data.
- TA558 is one of many threat actors that rely on social engineering and commodity malware—RATs, loaders, and information stealers—to establish persistence and access.
- Venom RAT is a type of remote access tool that lets attackers execute commands, harvest credentials, and move laterally once an endpoint is compromised; its appearance in this campaign signals objectives tied to remote control and data collection rather than only ransomware deployment.
- The reported use of AI-generated scripts reflects a growing trend where threat actors adopt generative tools to produce polymorphic code, evade static detection, and scale phishing content.
Technical analysis and expert commentary for practitioners
Based on the observed elements reported by Kaspersky, defenders should consider both the behavior and delivery mechanisms implied by the campaign. Key technical points and practitioner-focused analysis include:
- Delivery: Invoice-themed phishing remains a high-success social-engineering vector. Attackers may send tailored emails that mimic supplier invoices or booking confirmations to entice recipients to open attachments or enable embedded content.
- Payloads: Venom RAT and similar remote access tools are used to maintain persistence and perform lateral movement, reconnaissance, and data exfiltration. Detection should emphasize behavior (command execution patterns, unusual outbound connections) over signatures alone.
- AI-generated scripts: When adversaries use generative tools to produce scripts or obfuscated code, static signature detection degrades. AI can introduce syntactic variability and non-standard coding idioms that foil pattern matching while preserving malicious semantics.
- Operational tempo: AI-assisted generation can accelerate campaign rollout and make phishing messages more believable (e.g., by generating localized language or context-aware text), which increases the need for automated defenses that operate at scale.
Practitioners should prioritize telemetry that highlights anomalous behavior: unexpected PowerShell or script host activity, scripts spawned from email client processes, and unusual DNS or HTTP(S) connections to new domains. Endpoint detection and response (EDR) solutions with behavioral analytics are better positioned to surface such activity than signature-only tools.
Comparable trends and industry context
The use of commodity RATs and phishing as primary intrusion vectors is well established across multiple verticals, including hospitality. Two broader, non-controversial trends relevant to this campaign are:
- Increased weaponization of generative AI: Since 2023–2024, security researchers and industry analysts have publicly discussed threat actors experimenting with AI to generate phishing text, code snippets, and scripts that automate parts of attack chains.
- Persistent targeting of the hospitality industry: Hotels and travel-related businesses continue to be attractive targets because of the mix of payment processing systems, guest PII, and third-party service integrations—assets that have value to both financially motivated criminals and fraudsters selling stolen data.
These trends mean defenders should assume adversaries will continue to combine traditional social engineering with newer automation capabilities, increasing both volume and sophistication of phishing campaigns.
Risks, implications, and actionable recommendations
Risk implications for organizations in the hospitality sector and beyond include credential theft, fraudulent payments, guest privacy violations, and potential downstream fraud if attackers monetize harvested data. The operational use of AI-generated scripts also complicates detection and attribution.
Recommended mitigations and practical controls:
- Email and gateway defenses
  - Implement multi-layered email filtering, including sandboxing of attachments and URL scanning for short-lived domains.
  - Apply DMARC, DKIM, and SPF policies to reduce spoofed emails reaching users.
- Endpoint and execution controls
  - Use application control and script execution policies to restrict PowerShell, WScript, and similar runtime hosts. Default to deny where feasible, and allowlist approved scripts.
  - Disable automatic macro execution in Office documents and block content from the internet when not required.
- Detection and monitoring
  - Deploy EDR with behavioral analytics and configure detections for atypical parent-child process relationships (e.g., an email client spawning cmd or powershell).
  - Monitor DNS queries and outbound connections for anomalous patterns and use threat intelligence to flag communications to known RAT infrastructure.
- Identity and access management
  - Enforce multi-factor authentication across administrative accounts and critical services, especially remote access interfaces.
  - Rotate and limit privileged credentials; apply least privilege and network segmentation to reduce lateral movement scope.
- Incident preparedness and response
  - Maintain tested incident response playbooks that include containment of compromised endpoints, credential resets, and forensic collection.
  - Ensure offline backups of critical systems are available and regularly validated for integrity and recoverability.
- User awareness and operational hygiene
  - Train staff on invoice and payment fraud scams, emphasizing verification workflows for requests to change payment details or approve invoices.
  - Maintain an inventory of external-facing systems and third-party services to accelerate response and communications after a compromise.
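The telemetry priorities described in the technical analysis (script hosts spawned by an email client, connections to domains not seen before) and the detection bullets above (atypical parent-child process relationships, anomalous outbound connections) can be expressed as two small behavioral checks. The following is an added example written for this page; it is not Kaspersky's tooling or code from the article, and every process event, hostname, domain and command line in it is constructed for illustration. It assumes process-creation and network-connection records of the kind an EDR or Sysmon-style sensor produces, reduced to a few fields.

```python
# Added example (not Kaspersky's or the article's code): behavioral checks a
# defender can run over process-creation and network-connection telemetry.
# All events, hosts, domains and command lines below are constructed.
from dataclasses import dataclass

# Script and interpreter hosts an email or Office client has no normal reason to spawn.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}
# Parents whose children should be documents and viewers, not script hosts.
USER_APP_PARENTS = {"outlook.exe", "thunderbird.exe", "winword.exe", "excel.exe"}
# Switches commonly used to hide or encode a PowerShell command line; raises severity.
PS_HIDING_SWITCHES = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    parent_image: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    ts: str
    host: str
    image: str
    dest_domain: str


def image_name(path: str) -> str:
    """Return the lowercase executable name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_lineage(events):
    """Flag script hosts whose parent is an email or Office client.

    One finding per hit; 'encoded' is True when the command line also carries
    a hiding/encoding switch.
    """
    findings = []
    for e in events:
        parent, child = image_name(e.parent_image), image_name(e.image)
        if parent in USER_APP_PARENTS and child in SCRIPT_HOSTS:
            lowered = e.cmdline.lower()
            findings.append({
                "rule": "script_host_from_user_app",
                "host": e.host,
                "ts": e.ts,
                "lineage": f"{parent} -> {child}",
                "encoded": any(s in lowered for s in PS_HIDING_SWITCHES),
            })
    return findings


def first_seen_domains(events, baseline):
    """Return (domain, image) pairs for connections to domains absent from the
    baseline, in first-occurrence order. `baseline` is the set of domains seen
    during a clean learning window; repeats of a new domain are reported once."""
    seen = set(d.lower() for d in baseline)
    hits = []
    for e in events:
        d = e.dest_domain.lower()
        if d not in seen:
            seen.add(d)
            hits.append((d, image_name(e.image)))
    return hits


def triage(proc_events, net_events, baseline):
    """Combine both checks into one summary a SOC queue could consume."""
    return {"lineage": suspicious_lineage(proc_events),
            "new_domains": first_seen_domains(net_events, baseline)}


# Constructed sample telemetry (hostnames, paths and domains are not real).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("2025-07-14T09:02:11Z", "FRONTDESK-02", OFFICE + r"\OUTLOOK.EXE", PS,
                 "powershell.exe -w hidden -enc QQBCAEMA"),  # constructed; decodes to 'ABC'
    ProcessEvent("2025-07-14T09:05:40Z", "FRONTDESK-02", r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -File C:\Scripts\nightly-inventory.ps1"),  # benign admin task
    ProcessEvent("2025-07-14T10:17:03Z", "ACCOUNTS-01", OFFICE + r"\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c wscript.exe C:\Users\ana\AppData\Local\Temp\invoice.vbs"),
    ProcessEvent("2025-07-14T10:17:05Z", "ACCOUNTS-01", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]
BASELINE_DOMAINS = {"pms.example-hotel.test", "mail.example-hotel.test"}
SAMPLE_NET_EVENTS = [
    NetEvent("2025-07-14T09:02:13Z", "FRONTDESK-02", PS, "cdn-invoice-7731.example"),
    NetEvent("2025-07-14T09:02:20Z", "FRONTDESK-02", OFFICE + r"\OUTLOOK.EXE", "mail.example-hotel.test"),
    NetEvent("2025-07-14T09:30:00Z", "ACCOUNTS-01", r"C:\Windows\System32\svchost.exe", "pms.example-hotel.test"),
    NetEvent("2025-07-14T10:17:09Z", "ACCOUNTS-01", r"C:\Windows\System32\wscript.exe", "cdn-invoice-7731.example"),
]

if __name__ == "__main__":
    for key, items in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_NET_EVENTS, BASELINE_DOMAINS).items():
        print(key, items)
```

On the constructed sample the lineage check fires twice (Outlook spawning PowerShell with an encoded command, Word spawning cmd) and ignores the PowerShell launched from Explorer, while the domain check reports the one never-seen domain once even though two processes contacted it. In production the baseline would be learned from a quiet window per host or fleet rather than hard-coded, and both findings would be enriched with the threat-intelligence lookups the detection bullets above call for.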
Conclusion
The TA558 campaign tracked as “RevengeHotels” by Kaspersky illustrates a convergence of enduring attack techniques—invoice-themed phishing and commodity RATs—with a newer variable: the use of AI-generated scripts to produce and obfuscate malicious code at scale. For hospitality organizations and security teams, the priority is to harden email and endpoint defenses, emphasize behavioral detections over signatures, enforce robust identity controls, and exercise incident response plans. These measures reduce the likelihood of successful compromise and limit impact if an intrusion occurs.
Source: thehackernews.com