RevengeHotels Attacks Hotel Information Systems Using AI

Experts from Kaspersky Lab have uncovered a new campaign by the cybercriminal group RevengeHotels, notable for its use of artificial intelligence to generate malware samples.

Background on RevengeHotels
RevengeHotels (also tracked as TA558) has been active since 2015, specializing in the theft of credit card data from hotel guests and travelers. The group typically sends phishing emails with malicious links that redirect victims to sites disguised as document storage platforms. From there, scripts are downloaded to infect target computers.
The final payloads are usually Remote Access Trojans (RATs), which give attackers full control of compromised systems, enabling them to steal sensitive data, maintain persistence, and expand within hotel infrastructures.

New Campaigns in 2025
In the summer of 2025, Kaspersky researchers observed a new wave of attacks, primarily targeting hotels in Brazil but also spreading to Argentina, Bolivia, Chile, Costa Rica, Mexico, and Spain. Previous campaigns had reached Russia, Belarus, Turkey, Malaysia, Italy, and Egypt, showing the group’s broad international scope.
The attackers relied on phishing emails disguised as invoices, booking inquiries, or job applications. These messages delivered VenomRAT through JavaScript and PowerShell loaders.

AI-Generated Code and Evolving Tactics
Analysis revealed that parts of the malicious code used in the initial infection stage may have been generated with large language models (LLMs). Researchers believe RevengeHotels is actively experimenting with AI tools to refine their malware development and scale attacks.
VenomRAT itself, first seen in 2020, is an evolved version of the open-source QuasarRAT. Although its source code has been leaked, VenomRAT is still sold on darknet markets for as much as $650 for a lifetime license.

Expert Warning
“Although RevengeHotels’ modus operandi remains recognizable, the attackers are refining their methods. In particular, a significant portion of the malicious code was presumably written using large language models (LLMs). This indicates the active use of AI technologies to enhance the effectiveness of cyberattacks,” said Dmitry Galov, Head of Kaspersky GReAT in Russia. “It is important to understand that banking and other sensitive data can be at risk even on the websites of large and well-known hotels, so it is always necessary to exercise caution.”