A new RevengeHotels campaign targets Latin America
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
RevengeHotels, a threat group active since 2015, has launched a new campaign targeting the hospitality sector in Latin America. The group has evolved its tactics, now utilizing AI-generated code and the advanced VenomRAT malware. Their primary attack vector remains phishing emails with invoice themes, but they've expanded to include fake job applications. The campaign primarily targets Brazilian hotels, with some attacks directed at Spanish-speaking markets. VenomRAT, an evolution of QuasarRAT, offers enhanced capabilities including anti-kill protection, USB spreading, and advanced stealth techniques. The threat actors are leveraging AI to generate more sophisticated phishing lures and malicious code, indicating a significant advancement in their operational capabilities.
OPENCTI LABELS :
phishing,latin america,xworm,venomrat,njrat,quasarrat,revengerat,stealth techniques,hospitality,nanocorerat,ai-generated code,procc,888 rat,usb spreading,desckvbrat
AI COMMENTARY :
1. Unveiling the New RevengeHotels Campaign
A new RevengeHotels campaign has emerged targeting Latin America’s hospitality sector. Active since 2015, this threat actor group has historically deployed a range of remote access trojans including njRAT, xWorm, 888 Rat and NanoCoreRAT. In the latest wave, Brazilian hotels bear the brunt of the attacks, though Spanish-speaking markets have also been probed. The group’s evolving moniker may hint at RevengeRAT roots, but today its ambitions have outgrown those earlier tools.
2. Evolution of Tactics Driven by AI-Generated Code
Gone are the days when simple phishing lures sufficed. RevengeHotels now leverages AI-generated code to craft highly personalized email templates. These messages often masquerade as overdue invoices or enticing job applications. By employing automated natural language generation, the threat actors can dynamically evade traditional filters and social engineering countermeasures. Even legacy malware such as Desckvbrat and ProCC finds new life when embedded within these adaptive delivery mechanisms.
3. VenomRAT: The Advanced Weapon in the Arsenal
VenomRAT, an advanced offspring of QuasarRAT, lies at the heart of this campaign. Offering anti-kill protection, stealth techniques and silent USB spreading, VenomRAT surpasses its predecessors. Once executed, it establishes a resilient foothold, harvesting credentials and system information while evading sandbox analysis. In contrast to QuasarRAT’s open-source heritage, VenomRAT integrates proprietary obfuscation routines that frustrate reverse engineering and detection by conventional antivirus solutions.
4. Phishing and Social Engineering in Invoices and Job Applications
The phishing email remains central to the attack vector. The group dispatches messages adorned with professionally formatted invoices or seemingly legitimate job descriptions. When recipients engage with these messages, malicious payloads are downloaded. Beyond invoices, fraudulent recruitment pitches leverage the promise of lucrative positions in hospitality to coax victims into launching embedded scripts. This dual-pronged approach maximizes success across diverse victim profiles.
5. Impact on Hospitality in Latin America and Beyond
The campaign has inflicted substantial operational and financial damage across hotels and resorts. Stolen guest data, credential harvesting and potential ransomware deployment loom as persistent threats. Brazilian enterprises have reported service disruptions and data leakage, while neighboring Spanish-speaking jurisdictions watch anxiously as similar campaigns surface. The adoption of VenomRAT underscores a growing trend: threat actors consolidating AI-driven code generation with next-generation RAT capabilities.
6. Lessons Learned and Forward-Looking Defense Strategies
Organizations must prioritize multi-layered defenses that combine robust email filtering, employee awareness training and advanced endpoint detection and response. Implementing strict USB usage policies, deploying heuristic analysis engines to detect stealth techniques, and staying abreast of AI-enabled threat trends are essential steps. By integrating threat intelligence on VenomRAT, RevengeHotels and related trojans such as njRAT, xWorm, 888 Rat and NanoCoreRAT, defenders can anticipate evolving tactics and fortify the hospitality vertical against the next campaign wave.