Cybercrime Group RevengeHotels Uses AI to Target Hotels

Cybercrime group RevengeHotels is exploiting artificial intelligence (AI) to enhance its attacks on the hospitality sector. This group, also known as TA558, has reportedly been using AI-generated code to deliver VenomRAT malware through phishing emails aimed at hotel staff. These developments signal a concerning evolution in cybercrime techniques.

According to Mayank Kumar, Founding AI Engineer at DeepTempo, this latest wave of attacks is particularly alarming. Kumar notes, “RevengeHotels’ new campaign isn’t remarkable because it targets hotels; it’s alarming because it explicitly shows how fast AI is industrializing cybercrime.” The group has been active since 2015, previously known for stealing credit card information from hotel guests and travelers.

The use of AI in the VenomRAT malware makes RevengeHotels increasingly dangerous. With AI, attackers can create advanced code that facilitates quicker, scalable, and stealthier operations. This evolution shifts the threat landscape from slower, expert-driven campaigns to faster, more automated attacks. Kumar explains, “AI accelerates exploit discovery and proof-of-concept development, automating the creation of polymorphic malware that can evade traditional security measures.”

The tactics employed by RevengeHotels have evolved significantly. “This group has been stealing hotel guests’ payment data for years. But this latest attack is vastly different,” Kumar states. He emphasizes that the integration of large language models (LLMs) allows for the generation of more sophisticated malicious code, coupled with the use of off-the-shelf remote access trojans like VenomRAT.

Kumar further elaborates on the operational strategy: “The blend of LLMs and VenomRAT has created a sophisticated credential theft and data exfiltration operation built with production-grade precision. It’s similar to the dynamic we saw with WormGPT that lowered the barrier for writing malware, phishing lures, and exploits at scale.” He points out that the Spanish-language phishing attempts from RevengeHotels are already impacting targets across Latin America and Europe, demonstrating how AI can easily eliminate language and cultural barriers.

Looking ahead, Kumar expresses concern over the broader implications of AI in cybercrime. “This is giving way to an even wider shift we’re seeing of state-backed groups using generative AI for malware refinement, disinformation, and even deepfake identity phishing. The cost of launching capable cyber operations is collapsing, and the hospitality sector is one of the first to feel it.”

To combat these rising threats, Kumar offers recommendations for cybersecurity defenders. He advises against reliance on static signatures, advocating for behavior-based anomaly detection instead. “Modeling how systems should behave and flagging deviations is the only way to catch AI-spawned attacks like those of RevengeHotels before they vanish into normal traffic,” he asserts.

As the capabilities of cybercriminals continue to evolve with advancements in AI, the need for robust, adaptive cybersecurity measures becomes increasingly urgent. The hospitality industry, with its wealth of personal and financial data, must remain vigilant to protect against these sophisticated threats.