TA558, a financially motivated cybercrime group, has resurfaced to intensify its attacks on the hospitality, hotel, and travel sectors. According to Proofpoint's new research, the threat actor has conducted 51 campaigns this year alone.

Prime targets

The cybercrime group, active since 2018, has targeted Portuguese and Spanish speakers located in Latin America, as well as victims in western Europe and North America.

Attack details

The threat actor targets businesses with malicious emails that are typically sent in Portuguese, Spanish, and English and contain unique lures such as reservations and bookings.
  • The attackers send malicious emails with URLs that aim to distribute one of at least 15 different malware payloads with overlapping C2 domains.
  • They use compromised hotel websites to host malware payloads, giving their malware delivery and C2 traffic legitimacy.
  • Malware is typically in the form of RATs that can perform reconnaissance, steal data, and distribute additional payloads.
  • Loda, Vjw0rm, AsyncRAT, and Revenge RAT are the most frequently observed payloads.

TA558 shifting tactics

According to the Proofpoint report, TA558 has increased its activity in comparison to previous years.
  • In 2022, the threat actor changed tactics and began to distribute malware via URLs and container files such as ISO and RAR attachments and Windows Shortcut (LNK) files.
  • The shift to new file types for delivering payloads is most likely the result of Microsoft's announcement in 2021 that macros would be disabled by default in Office products.
  • TA558 ran 27 URL-based campaigns in 2022, compared to just five campaigns from 2018 to 2021.
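
A mail-gateway style check for the container and shortcut file types named above, as an added example that is not from the Proofpoint report or the original article. It goes slightly beyond the text by identifying ISO, RAR and LNK attachments from their file signatures rather than their file names; the sample message, addresses and file names are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# LNK: HeaderSize 0x4C followed by the ShellLink CLSID (little-endian on disk).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
RAR_MAGIC = b"Rar!\x1a\x07"              # common prefix of RAR 4.x and 5.x
ISO_MAGIC, ISO_OFFSET = b"CD001", 0x8001  # ISO 9660 primary volume descriptor

def classify(data: bytes):
    """Return 'lnk', 'rar', 'iso' or None based on content, not file name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[ISO_OFFSET:ISO_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    return None

def flag_attachments(raw: bytes):
    """List (filename, detected_type) for attachments worth quarantining."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        kind = classify(payload)
        if kind:
            hits.append((part.get_filename(), kind))
    return hits

def build_sample() -> bytes:
    """Constructed message: two disguised attachments and one benign PDF."""
    msg = EmailMessage()
    msg["Subject"] = "Reserva"
    msg["From"] = "guest@example.com"
    msg["To"] = "frontdesk@example.com"
    msg.set_content("constructed sample body")
    fake_iso = b"\x00" * ISO_OFFSET + ISO_MAGIC + b"\x01\x00"
    msg.add_attachment(fake_iso, maintype="application", subtype="pdf",
                       filename="reserva.pdf")
    msg.add_attachment(LNK_MAGIC + b"\x00" * 56, maintype="application",
                       subtype="octet-stream", filename="booking.doc")
    msg.add_attachment(b"%PDF-1.7\n", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, kind in flag_attachments(build_sample()):
        print(f"quarantine {name}: content is {kind}")
```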


  • The potential impact of TA558 attacks on hotels includes data theft of corporate and customer data, as well as potential financial losses.
  • The malware can steal customers' user and credit card information from hotels while also allowing attackers to move laterally on the network and deliver additional payloads.
  • The Marino Boutique Hotel in Lisbon, Portugal, had its Booking.com account hacked in July, resulting in the offender stealing $511,314 from the customers.


TA558 is an active threat actor capable of inflicting huge losses on both the hospitality sector and its customers. Organizations in these industries need to be aware of the TTPs described in the report, and employees should be trained to detect and report phishing attempts.
Cyware Publisher