TA558

Also known as: TA558

TA558 is a financially motivated cybercrime threat actor first observed in 2018. It is also tracked as RevengeHotels. The group initially targeted travel, hospitality, and tourism organizations in Latin America, using socially engineered reservation-themed phishing emails, often in Portuguese or Spanish and frequently built around "reserva" lures. Reporting also describes TA558 as highly active in Colombia. Over time, the group expanded beyond hospitality to target global oil and gas, maritime, industrial, public sector, and electric power organizations, including critical infrastructure in countries such as Brazil, Mexico, Iran, Russia, and Turkey.

TA558 is known for phishing-driven delivery of commodity malware and RATs, including Agent Tesla, Remcos RAT, LokiBot, FormBook, GuLoader, Snake Keylogger, XWorm, VenomRAT, AsyncRAT, Loda, and Revenge RAT. Its campaigns have used malicious Excel, RTF, ZIP, ISO, and RAR container files, as well as image or text attachments containing steganographically embedded VBS, PowerShell, or RTF payloads; the group's "SteganoAmor" campaign used steganography to hide malicious payloads in images and text files. TA558 has also used Microsoft Office exploitation and abuse techniques, including CVE-2017-11882 and template injection, and later shifted toward URL-based delivery of ISO and RAR payloads, likely in response to Microsoft disabling Office macros by default. Observed infection chains include phishing emails linking to container files that hold executables, embedded BAT files, and PowerShell downloaders. TA558 commonly relies on obfuscated VBScript and PowerShell, high-entropy files, and living-off-the-land techniques. The group has leveraged legitimate-but-compromised SMTP servers for phishing, compromised FTP/SMTP servers for command-and-control and data exfiltration, and legitimate services and infrastructure to evade detection. Reporting also notes the use of free image-uploading and text-sharing sites for payload retrieval.

TA558's operations are assessed as primarily financially motivated, with objectives including credential theft, data exfiltration, and enabling fraud or extortion. Multiple vendors have tracked the actor from 2018 through at least May 2024, and one report identifies TA558 as a key distributor of VenomRAT targeting Portuguese and Spanish speakers in Latin America before it shifted to other malware. The group has been linked in reporting to shared tactics or infrastructure with Aggah and Blind Eagle, including shared use of the Crypters AndTools packing service, but the reporting does not state that these are aliases or sub-groups.
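One defender-side triage heuristic for the image attachments and high-entropy files described above, added here as an example that is not part of the original page and not TA558 tooling: it computes a file's Shannon entropy and reports any bytes appended after a PNG or JPEG end marker, then looks for script keywords in that trailer. The appended-trailer check is one generic way script payloads get smuggled inside images and is an assumption, not a description of how SteganoAmor files were built; the keyword list and the sample PNG are constructed.

```python
import math
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Strings a VBS/PowerShell stager would contain; used only as detection keywords.
SCRIPT_MARKERS = (b"createobject", b"wscript", b"powershell", b"frombase64string")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def trailing_data(image: bytes) -> bytes:
    """Bytes after the image's end marker (IEND chunk for PNG, FF D9 EOI for JPEG).
    A well-formed image has none. The last EOI is used because EXIF thumbnails carry
    their own; a trailer that itself contains FF D9 would be under-reported."""
    if image.startswith(PNG_MAGIC):
        end = image.find(b"\x00\x00\x00\x00IEND")
        return image[end + 12:] if end != -1 else b""   # 4 len + 4 type + 4 CRC
    if image.startswith(b"\xff\xd8"):
        end = image.rfind(b"\xff\xd9")
        return image[end + 2:] if end != -1 else b""
    return b""


def triage_image(image: bytes) -> dict:
    """Score one image attachment: overall entropy, trailer size, script keywords in trailer."""
    trailer = trailing_data(image).lower()
    return {
        "entropy": round(shannon_entropy(image), 2),
        "trailer_bytes": len(trailer),
        "script_markers": [m.decode() for m in SCRIPT_MARKERS if m in trailer],
        "suspicious": bool(trailer),
    }


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed 1x1 PNG (not a real sample) and a copy with script-like text appended.
CLEAN_PNG = (PNG_MAGIC + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
TRAILER = b"' constructed marker, not a dropper\r\nSet sh = CreateObject(\"WScript.Shell\")\r\n"
TAMPERED_PNG = CLEAN_PNG + TRAILER
```

Entropy alone is a weak signal (compressed image data is already high-entropy), so the trailer check and keyword hits carry most of the weight; a mail gateway would run `triage_image` over each decoded attachment and route anything flagged to sandboxing.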

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • travel
  • hospitality
TA558 | Mallory