Screenshot of a phishing email used by RevengeHotels group to deliver VenomRAT malware targeting Windows users.

RevengeHotels (TA558), active since 2015, has upgraded its attacks by using AI-generated loader scripts to deliver VenomRAT malware targeting Windows users. The campaign starts with phishing emails to hotel staff, leading victims to fake document portals that download malicious scripts.

These AI-crafted loaders execute PowerShell files in memory, avoiding detection. VenomRAT, an advanced QuasarRAT variant, offers hidden VNC, file theft, privilege escalation, and strong encryption. It resists termination, kills security tools, and maintains persistence via registry scripts.

VenomRAT communicates with command servers through encrypted channels and uses ngrok tunnels to bypass firewalls. It spreads via USB drives and erases logs to hide its presence, giving attackers stealthy, persistent control over infected systems.

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.