Windows Users Under Siege From AI-Fueled RevengeHotels Using VenomRAT
Initially, victims receive invoice-themed emails, often in Portuguese or Spanish, containing links to counterfeit document-storage sites.
Upon visiting these sites, a JavaScript loader (e.g., Fat146571.js) is automatically downloaded. Analysis of these loaders reveals AI-generated code: well-commented, cleanly structured, and variable-driven, unlike the heavily obfuscated scripts of earlier campaigns.
The JavaScript loader decodes an embedded buffer and writes a timestamped PowerShell script (e.g., SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1), which executes repeatedly to fetch two Base64-encoded payloads: a secondary loader (venumentrada.txt) and the VenomRAT implant (runpe.txt).
VenomRAT, derived from QuasarRAT, first emerged in 2020 and offers advanced functions including HVNC hidden desktop, reverse proxy, file grabbing, UAC exploitation, and ngrok-based tunneling.
Communications with the command-and-control (C2) server undergo serialization, LZMA compression, and AES-128 encryption with HMAC-SHA256 authentication.
VenomRAT’s anti-kill features begin with the EnableProtection function, which modifies the process’s Discretionary Access Control List (DACL) to block termination.
A dedicated thread then monitors and forcefully terminates security-related processes every 50 milliseconds. Persistence is achieved via a VBScript written to the RunOnce registry key and a self-monitoring loop that relaunches the RAT if stopped.
With administrator privileges, the RAT elevates itself to a critical system process using RtlSetProcessIsCritical, preventing shutdown, and invokes SetThreadExecutionState to inhibit sleep mode.
In addition, VenomRAT disables Windows Defender by terminating MSASCui.exe and altering scheduled tasks and registry entries to deactivate Defender components. Stealth measures include deleting Zone.Identifier streams to remove download metadata and clearing Windows event logs to erase forensic traces. The RAT also propagates via USB drives by copying itself as My Pictures.exe across removable media.
Throughout 2025, RevengeHotels has primarily targeted Brazilian hotels but has expanded into Spanish-speaking markets such as Argentina, Chile, and Mexico. Email themes now range from invoices and booking confirmations to fake job applications.
Organizations are urged to scrutinize unexpected invoice emails, validate URLs before clicking, and deploy endpoint defenses capable of detecting script-based loaders and encrypted RAT traffic.
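As an added illustration of what such endpoint detection logic can look like (this is not code from the article or from the researchers), the following Python snippet matches simplified, constructed telemetry events against the behaviours described above: a script host writing a long-named, timestamped .ps1, PowerShell fetching venumentrada.txt and runpe.txt, a RunOnce value pointing at a .vbs, and My Pictures.exe landing on a removable drive. The event format, the drive-letter range treated as removable, and all paths and hostnames are assumptions.

```python
import re

# Constructed sample events (not real telemetry): (event type, process, target).
SAMPLE_EVENTS = [
    ("FileCreate", "wscript.exe",
     r"C:\Users\ana\AppData\Local\Temp\SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_1726000000.ps1"),
    ("NetConnect", "powershell.exe", "http://example.invalid/venumentrada.txt"),
    ("NetConnect", "powershell.exe", "http://example.invalid/runpe.txt"),
    ("RegSet", "powershell.exe",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\upd=C:\Users\ana\AppData\Roaming\upd.vbs"),
    ("FileCreate", "explorer.exe", r"E:\My Pictures.exe"),
    ("FileCreate", "winword.exe", r"C:\Users\ana\Documents\invoice.docx"),  # benign control
]

# Each rule is (name, predicate over one event). Patterns follow the article's
# description; the exact timestamp width and drive letters are assumptions.
RULES = [
    ("timestamped_ps1_from_script_host",
     lambda t, p, x: t == "FileCreate" and p.lower() == "wscript.exe"
     and re.search(r"\\[A-Za-z]{20,}_\d{6,}\.ps1$", x) is not None),
    ("venomrat_stage_fetch",
     lambda t, p, x: t == "NetConnect" and p.lower() == "powershell.exe"
     and x.lower().endswith(("/venumentrada.txt", "/runpe.txt"))),
    ("runonce_vbscript_persistence",
     lambda t, p, x: t == "RegSet" and "\\RunOnce\\" in x and x.lower().endswith(".vbs")),
    ("removable_media_copy",  # assumes D: through Z: may be removable media
     lambda t, p, x: t == "FileCreate"
     and re.match(r"^[D-Z]:\\My Pictures\.exe$", x, re.IGNORECASE) is not None),
]


def match_events(events):
    """Return (rule name, target) for every event that trips a rule."""
    hits = []
    for etype, proc, target in events:
        for name, pred in RULES:
            if pred(etype, proc, target):
                hits.append((name, target))
    return hits


def triage(events, threshold=2):
    """Flag a host when at least `threshold` distinct rules fire on its events."""
    hits = match_events(events)
    fired = sorted({name for name, _ in hits})
    return {"rules_fired": fired, "hits": hits, "suspicious": len(fired) >= threshold}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Requiring several distinct behaviours before alerting keeps a lone .vbs in RunOnce or a single long .ps1 name from paging anyone, while the full chain still stands out.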
As RevengeHotels continues to refine its tactics with AI, defenders must brace for ever-more polished social engineering and payload delivery methods.