The threat group TA558, also tracked as RevengeHotels, is using AI-generated scripts in a new campaign targeting hotels in Brazil and Spanish-speaking regions. The attacks employ phishing emails with invoice or reservation themes to deliver Venom RAT, a remote access trojan. Kaspersky researchers note that a significant portion of the initial infection code appears to be produced by large language models, marked by heavily commented and structured scripts.
This campaign continues the group’s long-standing focus on the hospitality sector, aiming to steal guest credit card data from hotel systems and online travel agencies. The infection chain begins with a malicious JavaScript downloader, likely LLM-generated, which retrieves a PowerShell script and ultimately deploys Venom RAT. Venom RAT is commercial malware based on Quasar RAT and features anti-analysis mechanisms, including the termination of security tools and persistence via registry modifications.
Venom RAT also disables Microsoft Defender, spreads via USB drives, and prevents sleep mode to maintain access. The use of AI reflects a growing trend among threat actors to enhance and scale their operations. These developments underscore the increasing sophistication of attacks against critical industries and the need for heightened defensive measures.
