
From Bookings to Breaches: RevengeHotels Latest Attacks on Hospitality

Amber | Attack Report

RevengeHotels (TA558): VenomRAT Campaign Targets Hospitality Industry

Summary

The RevengeHotels threat group (TA558) has escalated its cybercrime operations, turning hotel front desks into entry points for attacks. The group lures hotel staff with fake invoices and job applications, which deliver VenomRAT malware. Once inside, the attackers gain remote access, steal guest payment card data, disable security tools, and maintain persistence.

This latest campaign leverages AI-generated code, making infections faster, stealthier, and harder to detect. With Brazil as the epicenter and an expansion into Spanish-speaking markets, this campaign underscores a growing threat to global hospitality operations, targeting Windows-based reservation systems and point-of-sale networks.


Attack Details

  • Threat Actor Profile: RevengeHotels (aka TA558), active since 2015, focuses on credit card theft from hotels and travelers.

  • Infection Chain:

    • Initial Access: Phishing emails localized in Portuguese or Spanish, often impersonating invoice senders or job applicants.

    • Payload Delivery: Emails link to attacker-controlled websites that frequently change to bypass blocklists.

    • Execution: Sites drop Fat{NUMBER}.js WScript loaders which decode obfuscated payloads and execute timestamped PowerShell scripts.

    • Secondary Stage: PowerShell fetches Base64-encoded files and loads VenomRAT in memory.

  • VenomRAT Capabilities:

    • Hidden VNC sessions for remote control

    • File theft and exfiltration

    • Reverse-proxy tunneling and UAC bypass

    • AES-encrypted configuration storage

    • Process monitoring and security tool termination

  • Persistence: Registry keys, VBS scripts, and continuous process monitoring keep the RAT resident after reboot.

  • Defense Evasion: Disables Windows Defender, modifies scheduled tasks, and uses tunneling tools like ngrok to create external access points.


Recommendations

  • Staff Awareness: Train hotel employees to identify phishing attempts disguised as invoices, bookings, or job applications.

  • Email Security: Use advanced spam filters, sandboxing, and threat intelligence feeds to block malicious emails.

  • Script Control: Restrict use of WScript, PowerShell, and VBS on front-desk systems unless required.

  • Backup & Recovery: Maintain offline backups of reservation and payment databases to ensure business continuity.

  • Threat Monitoring: Monitor for unknown PowerShell activity, ngrok tunnels, and suspicious processes.

  • Endpoint Security: Deploy NGAV and EDR solutions with behavioral detection to catch VenomRAT activity early.
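A detection sketch for the Threat Monitoring recommendation above, added here as an example (not code from the report or from HivePro): it turns the chain in Attack Details (a Windows Script Host running a Fat{NUMBER}.js loader, the script host spawning Base64-encoded PowerShell, Windows Defender being switched off, an ngrok tunnel) into rules run over process-creation events. The events, field names and command lines are constructed for the example, not real telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry); field names
# loosely follow Sysmon Event ID 1 (ParentImage, Image, CommandLine).
SAMPLE_EVENTS = [
    {"parent": "outlook.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\frontdesk\Downloads\Fat4821.js"'},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATw=="},
    {"parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent": "cmd.exe", "image": "ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly_backup.ps1"},
]


def _img(e, *names):
    return e["image"].lower() in names

# Each rule maps one step of the reported chain to a predicate over an event.
RULES = [
    # Fat{NUMBER}.js loader launched through the Windows Script Host
    ("wscript_fat_loader", lambda e: _img(e, "wscript.exe", "cscript.exe")
     and re.search(r"\bfat\d+\.js\b", e["cmdline"], re.I) is not None),
    # script host handing off to PowerShell (the secondary stage)
    ("script_host_spawns_powershell", lambda e: _img(e, "powershell.exe")
     and e["parent"].lower() in ("wscript.exe", "cscript.exe")),
    # Base64-encoded PowerShell command line (obfuscated payload)
    ("encoded_powershell", lambda e: _img(e, "powershell.exe")
     and re.search(r"-(e|ec|enc|encodedcommand)\b", e["cmdline"], re.I) is not None),
    # Windows Defender being switched off from the command line
    ("defender_disabled", lambda e: re.search(
        r"Set-MpPreference.*-Disable\w+", e["cmdline"], re.I) is not None),
    # ngrok used as an external access point
    ("ngrok_tunnel", lambda e: _img(e, "ngrok.exe")),
]


def scan(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, pred in RULES if pred(ev)]


def hit_names(events):
    """Set of rule names that fired; handy for triage and tests."""
    return {name for _, name in scan(events)}
```

The legitimate backup script in the last sample event fires no rule, which is the point: alert on script hosts, encoding and tunnelling in combination with the front-desk context, not on PowerShell as such.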


Indicators of Compromise (IoCs)

MD5 Hashes


SHA256 Hashes



MITRE ATT&CK TTPs

  • Initial Access: T1566 (Phishing), T1189 (Drive-by Compromise)

  • Execution: T1059 (Command and Scripting Interpreter), T1059.007 (JavaScript), T1059.001 (PowerShell), T1059.005 (Visual Basic)

  • Persistence: T1547 (Boot or Logon Autostart Execution), T1547.001 (Registry Run Keys/Startup Folder), T1053 (Scheduled Task/Job)

  • Privilege Escalation: T1548 (Abuse Elevation Control Mechanism), T1548.002 (UAC Bypass)

  • Defense Evasion: T1112 (Modify Registry), T1027 (Obfuscated Files/Information)

  • Discovery: T1057 (Process Discovery)

  • Lateral Movement: T1021 (Remote Services), T1021.001 (Remote Desktop Protocol)

  • Command & Control: T1071 (Application Layer Protocol)

  • Exfiltration: T1041 (Exfiltration Over C2 Channel)

