TA558
TA558 is a financially motivated cybercrime threat actor tracked since 2018. It is primarily known for phishing-driven malware delivery campaigns, historically focused on Portuguese- and Spanish-speaking victims in Latin America, especially the travel and hospitality sector, with additional targeting observed in Western Europe and North America. More recent reporting also describes expansion beyond Latin American hospitality into global oil and gas, maritime, industrial, public sector, and electric power targets. TA558 is associated with reservation- and lawsuit-themed spearphishing and malspam campaigns, often using Portuguese, Spanish, and occasionally English lures. Observed delivery methods include URLs leading to JavaScript files that spawn PowerShell, ISO/RAR/ZIP container files with executables, BAT-to-PowerShell chains, malicious Excel/RTF/ZIP attachments, and image or text attachments containing steganographically embedded VBS, PowerShell, or RTF payloads. The group has also exploited Microsoft Office techniques including CVE-2017-11882, template injection, and other Office-based delivery methods. Its malware arsenal includes VenomRAT, Remcos RAT, XWorm, njRAT, PDQ Connect, AsyncRAT, Loda, Revenge RAT, Agent Tesla, LokiBot, FormBook, GuLoader, and Snake Keylogger. Proofpoint identified TA558 as the most prominent distributor of VenomRAT in its data, accounting for 58% of observed VenomRAT email campaign activity since 2022, and reported that TA558 shifted toward other malware such as Remcos RAT and XWorm by late 2025. TA558 has been linked to the SteganoAmor campaign, which uses steganography and legitimate or compromised infrastructure to evade detection. Reported infrastructure and tradecraft include use of compromised FTP/SMTP servers for command-and-control and data exfiltration, free image-uploading and text-sharing sites for payload retrieval, and living-off-the-land style abuse of legitimate services and tools. One source also notes Kaspersky tracks this activity cluster as RevengeHotels. Known alias in the provided content: RevengeHotels.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Consumer Services
Tradecraft
5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
9 malware families attributed to this actor across reporting.
4 additional families tracked in Mallory.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Phishing-led intrusions delivering RATs (e.g., Venom RAT) targeting hotels in Brazil and Spanish-speaking markets; uses AI-generated scripts.
TA558 is known for distributing VenomRAT, primarily targeting Portuguese and Spanish speakers, typically located in Latin America. They have shifted to other malware as of September 2025.
TA558 is known for distributing VenomRAT, primarily targeting Portuguese and Spanish speakers, typically located in Latin America. They have shifted to other malware as of September 2025.
Distributes VenomRAT heavily in email campaigns, primarily targeting Portuguese- and Spanish-speaking victims in Latin America, with additional targeting in Western Europe and North America. The actor also distributes other commodity malware.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.