RevengeHotels: AI weakens cybersecurity for holidaymakers

RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage.


Following reports that the cybercrime group RevengeHotels is leveraging AI-generated code to deliver VenomRAT malware through phishing emails targeting hotel staff, Digital Journal has heard from Mayank Kumar, Founding AI Engineer at DeepTempo.

RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travellers.

VenomRAT is an AI-generated remote access trojan.

Kumar explains the nature of this latest cybersecurity incident: “RevengeHotels’ new campaign isn’t remarkable because it targets hotels, it’s alarming because it explicitly shows how fast AI is industrializing cybercrime.”

The threat actor uses phishing emails disguised as requests for reservation, urging recipients to review the attached documents.

The incorporation of AI into the VenomRAT malware makes RevengeHotels increasingly dangerous. When attackers use AI to write advanced code, the threat landscape shifts from slow, expert-driven campaigns to fast, scalable, and more evasive operations.

AI accelerates exploit discovery and proof-of-concept development, and automates the creation of polymorphic malware and obfuscated payloads that evade signature-based defences.

This is a continuation of past activities, Kumar observes: “This group has been stealing hotel guests’ payment data for years. But this latest attack is vastly different and evolved using LLMs to generate polished malicious code, paired with VenomRAT, an off-the-shelf remote access trojan.”

In terms of the attack mode, Kumar finds: “The blend of LLMs and VenomRAT created sophisticated credential theft and data exfiltration operations built with production-grade precision. It’s really similar to the dynamic we saw with WormGPT that lowered the barrier for writing malware, phishing lures, and exploits at scale. Now, even small crews can punch far above their weight. Spanish-language lures from RevengeHotels are already hitting targets across Latin America and Europe, proving how easily AI erases language and cultural friction.”

On the future state, Kumar is concerned: “This is giving way to an even wider shift we’re seeing of state-backed groups using GenAI for malware refinement, disinformation, even deepfake ID phishing. The cost of launching capable cyber operations is collapsing and the hospitality sector is one of the first to feel it.”

In terms of actions to take, Kumar recommends: “Defenders must stop relying on static signatures when behavior-based anomaly detection is available and is already showing strong use cases at the network level. Modeling how systems should behave and flagging deviations is the only way to catch AI-spawned attacks like those of RevengeHotels before they vanish into normal traffic.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
