{
	"id": "a4850c07-6585-4aeb-bcdf-3d9b9b593365",
	"created_at": "2026-04-06T00:15:36.332797Z",
	"updated_at": "2026-04-10T03:26:31.624612Z",
	"deleted_at": null,
	"sha1_hash": "d4415ac2e352337bff622b04aefaf6aa5ea7a1b7",
	"title": "RevengeHotels: cybercrime targeting hotel front desks worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 554505,
	"plain_text": "RevengeHotels: cybercrime targeting hotel front desks worldwide\r\nBy GReAT\r\nPublished: 2019-11-28 · Archived: 2026-04-05 12:52:25 UTC\r\nRevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism\r\ncompanies, mainly, but not exclusively, located in Brazil. We have confirmed more than 20 hotels that are victims\r\nof the group, located in eight states in Brazil, but also in other countries such as Argentina, Bolivia, Chile, Costa\r\nRica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The goal of the campaign is to capture credit\r\ncard data from guests and travelers stored in hotel systems, as well as credit card data received from popular\r\nonline travel agencies (OTAs) such as Booking.com.\r\nThe main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit\r\nCVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of\r\nRevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s\r\nmachine. The group has been active since 2015, but increased its attacks in 2019.\r\nIn our research, we were also able to track two groups targeting the hospitality sector, using separate but similar\r\ninfrastructure, tools and techniques. PaloAlto has already written about one of them. We named the first group\r\nRevengeHotels, and the second ProCC. These groups use a lot of social engineering in their attacks, asking for a\r\nquote from what appears to be a government entity or private company wanting to make a reservation for a large\r\nnumber of people. Their infrastructure also relies on the use of dynamic DNS services pointing to commercial\r\nhosting and self-hosted servers. 
They also sell credentials from the affected systems, allowing other\r\ncybercriminals to have remote access to hotel front desks infected by the campaign.\r\nWe monitored the activities of these groups and the new malware they are creating for over a year. With a high\r\ndegree of confidence, we can confirm that at least two distinct groups are focused on attacking this sector; there is\r\nalso a third group, though it is unclear if its focus is solely on this sector or if it carries out other types of attacks.\r\nNot the quotation you’re expecting\r\nOne of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register\r\ntypo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of\r\ndetail. They explain why the company has chosen to book that particular hotel. By checking the sender\r\ninformation, it’s possible to determine whether the company actually exists. However, there is a small difference\r\nbetween the domain used to send the email and the real one.\r\nhttps://securelist.com/revengehotels/95229/\r\nPage 1 of 8\n\nAn email sent to a hotel supposedly from an attorney’s office\r\nThis spear-phishing message, written in Portuguese, has a malicious file attached misusing the name of a real\r\nattorney’s office, while the sender domain of the message was registered one day before, using a typo-squatting\r\ndomain. The group goes further in its social engineering effort: to convince the hotel personnel about the\r\nlegitimacy of their request, a copy of the National Registry of Legal Entities card (CNPJ) is attached to the\r\nquotation.\r\nThe attached file, Reserva Advogados Associados.docx (Attorneys Associates Reservation.docx), is a malicious\r\nWord file that drops a remote OLE object via template injection to execute macro code. 
The macro code inside the\r\nremote OLE document contains PowerShell commands that download and execute the final payload.\r\nPowerShell commands executed by the embedded macro\r\nIn the RevengeHotels campaign, the downloaded files are .NET binaries protected with the Yoda Obfuscator.\r\nAfter unpacking them, the code is recognizable as the commercial RAT RevengeRAT. An additional module\r\nwritten by the group called ScreenBooking is used to capture credit card data. It monitors whether the user is\r\nbrowsing the web page. In the initial versions, back in 2016, the downloaded files from RevengeHotels campaigns\r\nwere divided into two modules: a backdoor and a module to capture screenshots. Recently we noticed that these\r\nmodules had been merged into a single backdoor module able to collect data from the clipboard and capture\r\nscreenshots.\r\nIn this example, the webpage that the attacker is monitoring is booking.com (more specifically, the page\r\ncontaining the card details). The code is specifically looking for data in Portuguese and English, allowing the\r\nattackers to steal credit card data from web pages written in these languages.\r\nTitle searched by the malware in order to capture the screen contents\r\nIn the ProCC campaigns, the downloaded files are Delphi binaries. The backdoor installed in the machine is more\r\ncustomized than that used by RevengeHotels: it’s developed from scratch and is able to collect data from the\r\nclipboard and printer spooler, and capture screenshots. 
Because the personnel in charge of confirming\r\nreservations usually need to pull credit card data from OTA websites, it’s possible to collect card numbers by\r\nmonitoring the clipboard and the documents sent to the printer.\r\nScreenshot is captured when the user copies something to the clipboard or makes a print request\r\nA bad guy’s concierge\r\nAccording to the relevant underground forums and messaging groups, these criminals also infect front desk\r\nmachines in order to capture credentials from the hotel administration software; they can then steal credit card\r\ndetails from it too. Some criminals also sell remote access to these systems, acting as a concierge for other\r\ncybercriminals by giving them permanent access to steal new data by themselves.\r\nAccess to hotel booking systems containing credit card details is sold by criminals as a service\r\nSome Brazilian criminals tout credit card data extracted from a hotel’s system as high quality and reliable because\r\nit was extracted from a trusted source, i.e., a hotel administration system.\r\nMessage sent to an underground channel selling data extracted from hotel systems\r\nGuests and victims\r\nThe majority of the victims are associated with the hospitality sector. Based on the routines used, we estimate that\r\nthis attack has a global reach. However, based on our telemetry data, we can only confirm victims in the following\r\ncountries:\r\nVictims confirmed in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain,\r\nThailand and Turkey\r\nBased on data extracted from Bit.ly statistics, we can see that potential victims from many other countries have at\r\nleast accessed the malicious link. 
This data suggests that the number of countries with potential victims is higher\r\nthan our telemetry has registered.\r\nVictims per country based on data from a malicious Bit.ly link from the RevengeHotels campaign\r\nA safe stay\r\nRevengeHotels is a campaign that has been active since at least 2015, revealing different groups using traditional\r\nRAT malware to infect businesses in the hospitality sector. While there is a marked interest in Brazilian victims,\r\nour telemetry shows that their reach has extended to other countries in Latin America and beyond.\r\nThe use of spear-phishing emails, malicious documents and RAT malware is yielding significant results for at least\r\ntwo groups we have identified in this campaign. Other threat actors may also be part of this wave of attacks,\r\nthough there is no confirmation at the current time.\r\nIf you want to be a savvy and safe traveler, it’s highly recommended to use a virtual payment card for reservations\r\nmade via OTAs, as these cards normally expire after one charge. While paying for your reservation or checking\r\nout at a hotel, it’s a good idea to use a virtual wallet such as Apple Pay, Google Pay, etc. 
If this is not possible, use\r\na secondary or less important credit card, as you never know if the system at the hotel is clean, even if the rooms\r\nare…\r\nAll Kaspersky products detect this threat as:\r\nHEUR:Backdoor.MSIL.Revenge.gen\r\nHEUR:Trojan-Downloader.MSIL.RevengeHotels.gen\r\nHEUR:Trojan.MSIL.RevengeHotels.gen\r\nHEUR:Trojan.Win32.RevengeHotels.gen\r\nHEUR:Trojan.Script.RevengeHotels.gen\r\nIndicators of compromise (IoCs)\r\nReference hashes:\r\n74440d5d0e6ae9b9a03d06dd61718f66\r\ne675bdf6557350a02f15c14f386fcc47\r\ndf632e25c32e8f8ad75ed3c50dd1cd47\r\na089efd7dd9180f9b726594bb6cf81ae\r\n81701c891a1766c51c74bcfaf285854b\r\nFor a full list of IoCs as well as the YARA rules and intelligence report for this campaign, please visit the\r\nKaspersky Threat Intelligence Portal: https://tip.kaspersky.com/\r\nSource: https://securelist.com/revengehotels/95229/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/revengehotels/95229/"
	],
	"report_names": [
		"95229"
	],
	"threat_actors": [
		{
			"id": "bfae615f-cb9c-479c-b97d-ba282c322db3",
			"created_at": "2022-10-25T16:07:24.123308Z",
			"updated_at": "2026-04-10T02:00:04.874176Z",
			"deleted_at": null,
			"main_name": "RevengeHotels",
			"aliases": [],
			"source_name": "ETDA:RevengeHotels",
			"tools": [
				"888 RAT",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31a4f4ad-1aa7-48c2-8b16-58d48879644c",
			"created_at": "2024-02-06T02:00:04.13577Z",
			"updated_at": "2026-04-10T02:00:03.576453Z",
			"deleted_at": null,
			"main_name": "RevengeHotels",
			"aliases": [],
			"source_name": "MISPGALAXY:RevengeHotels",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3bf17ff-3cbf-457c-8770-b038ed609993",
			"created_at": "2024-02-22T02:00:03.766129Z",
			"updated_at": "2026-04-10T02:00:03.589884Z",
			"deleted_at": null,
			"main_name": "ProCC",
			"aliases": [],
			"source_name": "MISPGALAXY:ProCC",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775791591,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4415ac2e352337bff622b04aefaf6aa5ea7a1b7.pdf",
		"text": "https://archive.orkl.eu/d4415ac2e352337bff622b04aefaf6aa5ea7a1b7.txt",
		"img": "https://archive.orkl.eu/d4415ac2e352337bff622b04aefaf6aa5ea7a1b7.jpg"
	}
}