AI-driven RevengeHotels attacks expose guests' card data in Brazil and Malaysia
RevengeHotels targets hotels with AI lures and malware to steal guest card data, hitting Brazil hardest with cases across Latin America and Malaysia. Act: lock email, MFA, train.

AI-Powered Cyberattacks Are Hitting Hotels: What Hospitality Teams Need To Do Now
Kaspersky has warned of a fresh wave of attacks on hotels in Brazil and Malaysia, linked to the RevengeHotels group. Active since 2015, the group reportedly upgraded its playbook between June and August 2025 by using AI to craft more convincing lures and more capable malware.
Brazil remains the primary target, with additional activity reported in Argentina, Bolivia, Chile, Costa Rica, and Mexico. A previous campaign also hit Malaysia, Russia, Belarus, Turkey, Italy, and Egypt.
The goal: steal guests' credit card data and other sensitive information from hotel systems and staff inboxes.
How the attack works
Attackers email hotel staff using believable subjects like invoices, group bookings, contracts, or job applications. Once opened, these messages deliver malware such as VenomRAT, giving attackers remote control, keylogging, and data exfiltration capabilities.
As Kaspersky's GReAT team notes, criminals are using AI to write cleaner emails, spoof brands, and bypass basic filters. That makes old-school phishing harder to spot, even in trusted properties.
Who's most exposed
- Front desk, reservations, and sales teams handling attachments and payment updates
- Events teams reviewing contracts, BEOs (banquet event orders), and vendor paperwork
- Night audit PCs connected to PMS/POS with broad access
- Shared inboxes (info@, sales@, events@) without strong filtering
- Unmanaged channels like WhatsApp or personal email used for "urgent" requests
Priority actions for hotels and venues (do these today)
- Lock email entry points: Block risky attachment types (.exe, .js, .ps1, .zip inside .zip). Quarantine unknown senders. Enforce SPF, DKIM, and DMARC on your domain.
- Quarantine "invoice" and "job application" lures: Auto-flag messages with these themes unless the sender is on an allowlist.
- Turn on MFA everywhere: PMS, POS back office, OTA extranet, channel manager, email, remote access, file shares.
- Restrict Windows scripting: Disable macros by default. Block PowerShell for non-IT users. Remove local admin rights at front desk and sales terminals.
- Segment your network: Put PMS/POS on separate VLANs. Limit which PCs can reach them. No guest Wi-Fi to back office ever.
- Harden payments: Use tokenization and point-to-point encryption from your PSP. Prefer secure payment links with 3-D Secure over taking cards by email or phone.
- Lock down remote access: Disable exposed RDP. Use a VPN with MFA and IP allowlisting. Review vendor access regularly.
- Install EDR/antivirus on every staff PC: Turn on automatic updates. Patch OS, browsers, PMS integrations, and booking engine plugins monthly at minimum.
- Tighten PMS permissions: Unique logins per user, least privilege, auto-logout after 10 minutes idle. Alert on logins outside business hours.
- Dual control for refunds and card changes: Require two approvals for high-value refunds or card updates on reservations.
- Train with real samples: Run short phishing drills using invoice/job-app themes. Reward reporting, not perfection.
- Backups you can restore fast: Daily, off-network, tested quarterly. Keep a clean image for front-desk and night-audit machines.
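As an added illustration of the email-entry controls above (this is not code from the article or from Kaspersky), here is a Python triage rule a mail gateway or a SOC script could apply to an incoming message: it blocks the attachment types listed, detects a .zip nested inside a .zip, quarantines invoice- or job-application-themed messages from senders that are not on an allowlist, and holds anything the receiving gateway's Authentication-Results header marks as failing DMARC. The allowlisted domains, the lure keywords and the two sample messages are constructed for this example.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types the article says to block outright.
BLOCKED_EXTENSIONS = {".exe", ".js", ".ps1"}
# Subject themes that are quarantined unless the sender is allowlisted.
LURE_THEMES = ("invoice", "job application", "group booking", "contract")
# Hypothetical allowlist of trusted sender domains (constructed for this example).
ALLOWLISTED_DOMAINS = {"trusted-ota.example", "psp-billing.example"}


def has_nested_zip(data: bytes) -> bool:
    """True if a zip archive contains another .zip entry (".zip inside .zip")."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith(".zip") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_findings(msg: EmailMessage) -> list[str]:
    """Flag blocked extensions and zip-in-zip attachments."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        elif ext == ".zip" and has_nested_zip(part.get_payload(decode=True)):
            findings.append(f"zip inside zip: {name}")
    return findings


def dmarc_result(msg: EmailMessage) -> str:
    """Read the DMARC verdict the receiving gateway stamped in Authentication-Results."""
    match = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    return match.group(1).lower() if match else "none"


def triage(raw: bytes) -> dict:
    """Decide whether a raw RFC 5322 message is delivered or quarantined, with reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = attachment_findings(msg)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = (msg.get("Subject") or "").lower()
    if domain not in ALLOWLISTED_DOMAINS and any(t in subject for t in LURE_THEMES):
        reasons.append(f"lure theme from non-allowlisted sender: {domain}")
    verdict = dmarc_result(msg)
    if verdict != "pass":
        reasons.append(f"dmarc={verdict}")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample_lure() -> bytes:
    """Constructed sample: an 'invoice' message carrying a zip that holds another zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.txt", "constructed placeholder content")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "billing@unknown-vendor.example"
    msg["To"] = "reservations@hotel.example"
    msg["Subject"] = "Invoice for group booking - September"
    msg["Authentication-Results"] = "mx.hotel.example; spf=softfail; dkim=none; dmarc=fail"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_0925.zip")
    return msg.as_bytes()


def build_sample_clean() -> bytes:
    """Constructed sample: an allowlisted OTA sending a PDF with DMARC passing."""
    msg = EmailMessage()
    msg["From"] = "ops@trusted-ota.example"
    msg["To"] = "reservations@hotel.example"
    msg["Subject"] = "Group booking change - confirmation"
    msg["Authentication-Results"] = "mx.hotel.example; spf=pass; dkim=pass; dmarc=pass"
    msg.set_content("Updated rooming list attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="rooming_list.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_lure()))
    print(triage(build_sample_clean()))
```

The DMARC check relies on the gateway having already evaluated SPF, DKIM and DMARC and written the verdict into Authentication-Results; it does not perform DNS lookups itself, so it runs offline against stored .eml files as easily as inline.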
Guest-facing safeguards
- Set clear rules in confirmations: "We will never ask for full card details over email, chat, or WhatsApp." Link guests to secure payment portals only.
- Switch to secure payment links for deposits: Avoid card forms in PDFs. Use PSP-hosted pages with 3-D Secure.
- Use virtual cards from OTAs: Keep staff from seeing or reusing PANs. Limit who can view masked data.
- Audit all templates: Update confirmation, proforma, and contract templates to remove any request for card details by email.
If you suspect a breach
- Isolate first: Disconnect the affected PC from the network. Do not power it off.
- Call your PSP/acquirer and IT partner: Start chargeback monitoring and fraud watch. Preserve logs for forensics.
- Rotate credentials and keys: Email, PMS, channel manager, booking engine, remote-access, and API keys.
- Check PMS audit logs: Unusual refunds, card view events, after-hours access, new admin accounts.
- Notify as required: Follow legal obligations (e.g., LGPD in Brazil, PDPA in Malaysia). Prepare guest communications with clear next steps.
- Reimage affected machines: Restore from a known-good image after investigation.
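The following Python script is an added example, not part of the article, that turns the PMS-permission alerts from the priority list (logins outside business hours, dual control on high-value refunds) and the audit-log review from the breach checklist (after-hours access, card view events, new admin accounts) into detection logic run over sample log lines. The key=value log format, the business-hours window, the night-audit account list, the thresholds and the sample log itself are assumptions constructed for the example; a real PMS export will need its own parser.

```python
import re
from collections import Counter
from datetime import datetime, time

# Assumptions for a hypothetical property; tune to the real shift pattern.
BUSINESS_HOURS = (time(6, 0), time(23, 0))
NIGHT_AUDIT_USERS = {"night1"}      # accounts expected to log in overnight
CARD_VIEW_DAILY_LIMIT = 5           # card views per user per day before alerting
HIGH_VALUE_REFUND = 500.00          # refunds above this need two approvals

# Constructed sample audit log in a hypothetical key=value format.
SAMPLE_LOG = """\
2025-09-12T08:02:11 user=ana event=login src=10.10.5.21
2025-09-12T08:05:43 user=ana event=card_view reservation=R1001
2025-09-12T14:00:00 user=ana event=refund reservation=R1003 amount=80.00 approvals=1
2025-09-12T23:58:30 user=night1 event=login src=10.10.5.23
2025-09-12T02:17:44 user=sales_mk event=login src=10.10.7.40
2025-09-12T02:19:02 user=sales_mk event=user_create target=svc_backup role=admin
2025-09-12T02:20:10 user=sales_mk event=card_view reservation=R1002
2025-09-12T02:20:31 user=sales_mk event=card_view reservation=R1004
2025-09-12T02:20:52 user=sales_mk event=card_view reservation=R1005
2025-09-12T02:21:14 user=sales_mk event=card_view reservation=R1006
2025-09-12T02:21:40 user=sales_mk event=card_view reservation=R1007
2025-09-12T02:22:03 user=sales_mk event=card_view reservation=R1008
2025-09-12T02:31:00 user=sales_mk event=refund reservation=R1010 amount=1250.00 approvals=1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_line(line: str) -> dict:
    """Turn one audit line into a dict of key=value fields plus a datetime under 'ts'."""
    m = LINE_RE.match(line.strip())
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def outside_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def review(log_text: str) -> list[str]:
    """Return one alert string per suspicious condition found in the log."""
    alerts = []
    card_views = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, kind, ts = ev["user"], ev["event"], ev["ts"]
        if kind == "login" and outside_business_hours(ts) and user not in NIGHT_AUDIT_USERS:
            alerts.append(f"after-hours login: {user} at {ts.isoformat()} from {ev.get('src')}")
        elif kind == "user_create" and ev.get("role") == "admin":
            alerts.append(f"new admin account: {ev['target']} created by {user}")
        elif kind == "card_view":
            card_views[(user, ts.date())] += 1
        elif kind == "refund":
            amount = float(ev["amount"])
            if amount > HIGH_VALUE_REFUND and int(ev.get("approvals", "0")) < 2:
                alerts.append(f"high-value refund without dual control: "
                              f"{ev['reservation']} {amount:.2f} by {user}")
    # Card-view bursts are evaluated per user per day once the whole log is read.
    for (user, day), n in sorted(card_views.items()):
        if n > CARD_VIEW_DAILY_LIMIT:
            alerts.append(f"card view burst: {user} viewed {n} cards on {day}")
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Note that the night-audit login at 23:58 is not flagged because that account is expected overnight; the same login from a sales account would be. Keeping a per-role schedule rather than one global window is what stops after-hours alerts from becoming noise in a 24-hour property.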
Why this matters now
RevengeHotels has broadened its footprint and upgraded its phishing with AI, making malicious emails look routine. Brazil is still the main focus, but incidents connect across Latin America and tie back to previous activity impacting Malaysia and other regions.
The weak link is still the inbox. One click on a fake invoice can hand over your PMS session, saved cards, and guest data.
Policies and controls that reduce risk long term
- PCI DSS alignment: Map card flows from booking to checkout. Remove card data you don't need. Log and monitor every card access event.
- Vendor hygiene: Review contracts and security posture for your channel manager, booking engine, PMS, and digital key provider. Remove stale access.
- Standardized devices: Front desk and events PCs should be locked down builds, auto-patched, with USB storage disabled.
- Quarterly phishing drills: Rotate themes such as invoice, RFP, staffing, urgent wire, and group booking change.
- Change management: Any new integration or macro is reviewed, tested, and approved before rollout.
Helpful references
- Kaspersky Securelist for threat research and indicators
- PCI Security Standards Council for payment data requirements
Level up staff readiness
Your frontline decides your risk. Short, frequent training beats annual slide decks. Focus on how to spot and report suspicious emails, and how to use secure payment links.
If you want structured, bite-sized AI literacy for teams who work in email all day, explore Complete AI Training - latest AI courses.
Bottom line: Assume your inbox is hostile. Tighten email defenses, lock down payments, and practice your response. That's how you protect guests and keep operations steady.