
Chinese hotels being targeted by suspected DarkHotel APT

A campaign has been targeting luxury hotels in Macau, China, since November 2021, according to Trellix researchers Thibault Seret and John Fokker. Based on the attack vector and the malware used, the researchers have attributed the attacks to DarkHotel.

The luxury hotel chains compromised so far include the Grand Coloane Resort and Wynn Palace, among other major hotel chains in Macau.

DarkHotel is a South Korean advanced persistent threat (APT) group that uses spear-phishing attacks against its victims. The group has been active since at least 2007, targeting the hospitality, government, automotive and pharmaceutical industries, and focuses primarily on surveillance and data theft.


Is DarkHotel back?

The attack began with a spear-phishing email, purporting to come from Macau's Government Tourism Office, sent to management staff at these hotels, including front office and HR employees. The emails carried an Excel sheet as an attachment, asking recipients to fill out a form as a guest inquiry. The sheet requires macros to be enabled before it can be read, and it is these macros that download and execute the malware payloads.

[Figure: The attack's execution flow. | Source: Trellix]

On further investigation, the researchers found a malware function designed to create a scheduled task for persistence and to launch VBS and PowerShell scripts that connect to a command-and-control (C2) server, which was disguised as a service owned by the Federated States of Micronesia.
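As an added illustration (not code from the Trellix report or from this article), the Python below inspects Task Scheduler definitions, such as the task XML that Windows Security event 4698 records when a task is created or that `schtasks /query /xml` exports, and flags actions that launch VBS or PowerShell, the persistence pattern described above. The three sample task definitions are constructed for this example and assume the standard Task Scheduler XML namespace.

```python
import ntpath
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (event 4698 carries the task definition in this form).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".ps1", ".wsf")
# Argument fragments that commonly accompany hidden or policy-bypassing script execution.
ARG_MARKERS = ("-enc", "hidden", "bypass", "-nop", "downloadstring", "iex(")


def _image_name(command: str) -> str:
    """Basename of the Exec command, lower-cased, with surrounding quotes removed (Windows paths)."""
    return ntpath.basename(command.strip().strip('"')).lower()


def flag_task(task_xml: str) -> list[str]:
    """Return one reason per suspicious <Exec> action in a task definition; [] means nothing flagged."""
    root = ET.fromstring(task_xml)
    reasons = []
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS)
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS).lower()
        image = _image_name(command)
        if image in SCRIPT_HOSTS:
            reasons.append(f"script host launched by task: {image}")
        if any(ext in args for ext in SCRIPT_EXTS):
            reasons.append(f"script file passed as argument: {args}")
        hits = [m for m in ARG_MARKERS if m in args]
        if hits:
            reasons.append(f"evasion-style arguments: {', '.join(hits)}")
    return reasons


# Constructed sample task definitions (hypothetical paths, not taken from the Trellix report).
VBS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>//B "C:\Users\Public\guest_form.vbs"</Arguments>
  </Exec></Actions></Task>"""
PS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -nop -ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1</Arguments>
  </Exec></Actions></Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\Vendor\Updater.exe"</Command>
    <Arguments>/silent</Arguments>
  </Exec></Actions></Task>"""
```

Feeding every 4698 task definition through `flag_task` and alerting on a non-empty result gives a cheap detection for script-host persistence of this kind; vendor updaters that legitimately use PowerShell will need allow-listing by command path.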

The IP address and the C2 infrastructure resemble what DarkHotel used in a campaign documented by Zscaler last year. However, while the Trellix researchers attribute the attacks to DarkHotel with moderate confidence, they also acknowledge that the current information isn't enough for full attribution, especially since other groups can reuse the same approach and plant false flags to throw off investigations.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
