A long-running threat group tracked as RevengeHotels has upgraded its tactics with AI-generated code and advanced phishing to target hotel systems and steal guest payment details. The attacks — observed mainly in Brazil but spreading globally — expose weaknesses in hotel IT, third-party integrations, and how AI is shifting the threat landscape.
Between June and August 2025, researchers at Kaspersky’s Global Research and Analysis Team (GReAT) uncovered a series of intrusions by a criminal group nicknamed RevengeHotels. The group uses targeted phishing emails aimed at hotel staff to deliver a remote-access trojan (RAT) called VenomRAT. Once inside, attackers can access payment systems and exfiltrate guests’ card data and other personal information.
- RevengeHotels has been active since about 2015 but recently upgraded tooling and tactics.
- New malicious components show signs of being generated or assisted by AI, making them more effective and evasive.
- Hotels in Brazil have been the primary victims so far, but reports indicate the campaign is expanding geographically.
- Phishing lures mimic reservation messages or job applications to trick staff into opening attachments or links.
How the attacks actually work
The attack flow is straightforward but effective:
- Spear-phishing: Emails crafted to look like legitimate communications (reservations, vendor invoices, job applications) are sent to hotel staff.
- Initial compromise: A malicious attachment or link installs VenomRAT or similar payloads on staff workstations.
- Lateral movement: Attackers move from the infected machine to internal systems — including reservation databases and payment processing terminals.
- Data theft: Card numbers, names, emails and other PII are harvested and exfiltrated.
Why hotels are attractive targets
Several factors make hotels high-value targets for cybercriminals:
- Payment volume: Hotels process lots of card transactions across multiple channels (front desk, web, POS, third-party bookings).
- Complex IT ecosystems: Legacy PMS (Property Management Systems), third-party booking platforms, and outsourced vendors create many attack surfaces.
- High turnover: Frequent staff turnover and seasonal hires make consistent security training difficult.
- Guest trust: Stolen guest data can be monetized quickly on underground markets and used for fraud.
AI’s role in the new wave of attacks
What’s new is the use of AI to accelerate and polish the criminal workflow:
- AI-generated code: Malware samples contain code snippets likely written with the help of large language models, speeding development.
- Smarter phishing: AI helps craft highly convincing, context-aware emails that are harder for staff to spot.
- Automation of reconnaissance: AI tools can parse public-facing hotel data to personalize lures and select high-value targets.
Insight: AI is lowering the bar for attackers. Even small syndicates can build professional-quality malware and social-engineering lures — meaning defenders must raise their hygiene and automation levels accordingly.
Real-world impact — what guests and hotels are facing
Kaspersky warns that guests who stayed at compromised properties may have had card details exposed. For hotels, the consequences range from regulatory fines (think PCI DSS, GDPR) to reputational damage and chargeback costs. Attackers may also sell harvested data or use it to mount supply-chain and account-takeover fraud.
Practical steps hotels should take now
Hotels can’t stop AI-assisted attackers with hope alone. These practical defenses reduce risk:
- Segmentation: Separate guest Wi-Fi and public systems from payment and reservation networks.
- Harden endpoints: Deploy EDR/XDR on staff workstations and servers to detect lateral movement early.
- Strict DevSecOps: Ensure third-party integrations and vendor tools follow secure coding and supply-chain practices.
- Tokenization & PCI compliance: Use tokenization so raw card data is never stored on hotel systems.
- Staff training & phishing tests: Regular, role-based security training and simulated phishing exercises reduce click rates.
- Least privilege: Limit administrative access and rotate credentials frequently; use MFA everywhere.
- Incident response planning: Have playbooks for breach notification, forensic containment, and guest communication.
What travelers should do
If you stayed at a hotel recently, consider these precautions:
- Monitor bank and card statements for unusual charges and set transaction alerts.
- Prefer mobile or tokenized payments (Apple Pay, Google Pay) when possible, as tokens limit exposure.
- If notified of a breach, follow instructions from the hotel and your bank — and consider requesting a replacement card.
- Be cautious about unsolicited messages that reference hotel stays; verify via official channels before clicking links.
Wider implications: regulation, liability and AI governance
These incidents spotlight two big trends: first, the regulatory pressure on firms to secure PII and payment data (noncompliance can mean hefty fines); second, the urgency of governing AI use in both offensive and defensive operations. As attackers adopt AI, organizations should invest in AI-driven defenses — but also insist on transparency from vendors about how models are trained and integrated.
Takeaway
RevengeHotels shows how the blend of traditional cybercrime techniques and AI tooling is scaling risk for travel and hospitality. The good news is many mitigations are straightforward — network segmentation, tokenization, hardened endpoints, and staff training can dramatically reduce the attack surface. What’s new is the speed and customization attackers now enjoy thanks to AI, so defenders must respond with better automation, governance and rapid incident playbooks.
Want to stay safe on your next trip? Share this post with your travel group or hotel IT contact — better security starts with awareness.




