{
	"id": "d168d384-6922-471b-a312-21505a46d40c",
	"created_at": "2026-04-06T00:09:07.108264Z",
	"updated_at": "2026-04-10T13:12:02.78122Z",
	"deleted_at": null,
	"sha1_hash": "0c47d7c1f75577fe806ef3dc58edcb0d9732fb0e",
	"title": "Darkhotel: a spy campaign in luxury Asian hotels",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 379591,
	"plain_text": "Darkhotel: a spy campaign in luxury Asian hotels\r\nBy Alex Drozhzhin\r\nPublished: 2014-11-10 · Archived: 2026-04-05 16:29:36 UTC\r\nCyberespionage is the weapon of choice of the 21st century. Even a seemingly harmless mobile app can learn quite a few secrets from a careless user, let alone a full-scale surveillance campaign aimed specifically at representatives of major businesses and government organizations.\r\nThis autumn’s newest revelation is Kaspersky Lab’s discovery of a spy network, dubbed ‘Darkhotel’, which had been active for seven years in a number of Asian hotels. The skilled and professional spies behind this long-running operation built a comprehensive toolkit of methods for breaking into victims’ computers.\r\nThe FBI first mentioned attacks on guests of the hotels in question in 2012. However, the malware used over the course of Darkhotel’s activity (a.k.a. Tapaoux) has been popping up here and there since as early as 2007. Having studied the logs of the C\u0026C servers used to manage the campaign, security researchers found connections dating back to January 1, 2009. With all of the above in mind, the campaign appears to have been active for quite a while.\r\nThe main method of infiltrating a victim’s PC was through the Wi-Fi networks of a number of luxury Asian hotels. The attackers used zero-day exploits for Adobe Flash and other popular products from well-known vendors. Such vulnerabilities are not easy to find, which suggests either that wealthy sponsors, able to pay for expensive cyber weapons, were behind the operation, or that the agents involved were highly skilled. Likely both.\r\nhttps://blog.kaspersky.com/darkhotel-apt/6613/\r\nPage 1 of 4\r\nThe hotel Wi-Fi method of dropping spyware was the most frequently used, but not the only, way the attackers ran the operation. An alternative involved a Trojan distributed through torrent clients as part of a compromised archive of adult-rated comics in Chinese. The spies also used targeted phishing, sending malicious emails to employees of government and non-profit organizations.\r\nMany facts, besides the use of zero-day vulnerabilities, show the high level of skill of the attackers. They went as far as forging the digital certificates they used to sign their malware. To spy on their victims’ communication channels, they used a sophisticated keylogger. The spyware also employed an integrated module to steal passwords saved in popular browsers.\r\nNotably, the culprits were extremely cautious and designed a number of measures to keep the malware from being detected. Firstly, they gave the Trojan a very long ‘incubation period’: it first connected to the C\u0026C servers 180 days after infiltrating a system, so that sandbox runs and short observation windows never saw a beacon. Secondly, the spyware deleted itself if the system language was set to Korean.\r\nThe attackers operated mainly in Japan, as well as in neighboring Taiwan and China. However, Kaspersky Lab also detected attacks in other countries, including some far from the attackers’ main territories of interest.\r\nCommenting on Darkhotel, Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, said: “For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”\r\nFinally, Kaspersky Lab’s products detect and neutralize the malicious programs and their variants used in the Darkhotel toolkit. You can read the full story of the Darkhotel APT at Securelist.com.\r\nSource: https://blog.kaspersky.com/darkhotel-apt/6613/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.kaspersky.com/darkhotel-apt/6613/"
	],
	"report_names": [
		"6613"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06",
				"ATK52",
				"CTG-1948",
				"DUBNIUM",
				"DarkHotel",
				"Fallout Team",
				"Shadow Crane",
				"Zigzag Hail"
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434147,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c47d7c1f75577fe806ef3dc58edcb0d9732fb0e.pdf",
		"text": "https://archive.orkl.eu/0c47d7c1f75577fe806ef3dc58edcb0d9732fb0e.txt",
		"img": "https://archive.orkl.eu/0c47d7c1f75577fe806ef3dc58edcb0d9732fb0e.jpg"
	}
}