While their activity had slowed in recent years, new findings show the group has returned with more advanced tactics that allow them to bypass traditional defenses and target hotels in multiple countries.
How the attacks work
Between June and August 2025, Kaspersky’s Global Research and Analysis Team observed a string of intrusions tied to RevengeHotels. The playbook remains familiar: phishing emails disguised as booking requests or job applications arrive in hotel inboxes. When a staff member clicks, the malware VenomRAT is deployed, handing attackers remote access to hotel systems.
Once inside, the group can harvest sensitive guest information, including payment card data. What’s different now is the use of AI-generated code. Instead of static malware that’s easier to detect, the criminals can quickly spin up new variants that evade signature-based security tools.
From Brazil to global hotspots
Historically, RevengeHotels has focused on Brazilian hotels. But this new wave has already spread — with confirmed incidents in Italy and growing concerns about tourism-heavy regions in Africa, including South Africa, Kenya, and Nigeria. With hotels everywhere relying on digital systems to manage reservations and payments, no destination can assume it’s safe.
“Cybercriminals are increasingly using AI to create new tools and make their attacks more effective. This means that even familiar schemes, like phishing emails, are becoming harder to spot,” explained Lisandro Ubiedo of Kaspersky’s GReAT team. For travelers, the risk is clear: even established, reputable hotels could be compromised.
How hotels and travelers can protect themselves
Kaspersky’s researchers recommend a dual-layered approach — businesses must harden defenses, while travelers should stay alert:
- For hotels: Train staff to spot suspicious messages, strengthen spam filters, and deploy endpoint detection tools that can flag infections early.
- For travelers: Keep a close eye on card activity during and after trips, and consider using virtual cards or digital wallets to limit exposure of primary card details.
The bottom line
The return of RevengeHotels shows how quickly criminals can adopt AI to breathe new life into old tricks. For the hospitality sector, it’s a wake-up call to modernize security practices. For guests, it’s a reminder that cybercrime doesn’t take vacations. The next phishing attack could be waiting in what looks like a routine booking email.
