During times of global instability, state-sponsored actors tend to ramp up advanced persistent threat activity in support of espionage and intelligence-gathering agendas.

Since late November 2021, luxury hotels in Macao, China, have been the target of an advanced persistent threat campaign.

Seventeen hotels in the Macao area received spear-phishing emails addressed to management staff. Each email carried an Excel spreadsheet attachment designed to trick the recipient into enabling macros. Once enabled, the macros created a scheduled task that performed reconnaissance, enumerated data and exfiltrated it.

To reach the command-and-control (C2) server used to exfiltrate victim data, the macros relied on a well-known technique, living off the land binaries and scripts: they launched PowerShell command lines through trusted, signed Windows binaries and scripts so that the activity blended in with legitimate administration.
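The chain described above (Office macro, scheduled task, PowerShell run through trusted binaries) leaves a distinctive trail in process-creation telemetry. The following is an added detection example, not code from the article or from Zscaler's report: the one-line log format, its field names (`host`, `parent`, `image`, `cmd`) and the sample events are assumed and constructed for illustration, and the reconnaissance script inside the encoded command is invented rather than taken from the campaign. The rules flag an Office process spawning a living-off-the-land binary, a `schtasks /create` whose action is PowerShell, and an encoded PowerShell command line, and they decode the `-EncodedCommand` payload so an analyst can see what the task actually runs.

```python
"""Detection sketch for the macro -> schtasks -> PowerShell chain.
Added example; log format and events are constructed, not real telemetry."""
import base64
import ntpath
import re

# Office binaries whose children deserve scrutiny: a spreadsheet has no
# business launching a scheduler or a shell.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Signed Windows binaries commonly abused as living-off-the-land tools.
LOLBINS = {"schtasks.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Assumed one-line format: "<ts> host=<h> parent=<path> image=<path> cmd=<cmdline>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>.*?)\s+"
    r"image=(?P<image>.*?)\s+cmd=(?P<cmd>.*)$")


def encode_ps(script: str) -> str:
    """Base64 of UTF-16LE, the form powershell -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str):
    """Inverse of encode_ps; None if the token is not a valid encoded script."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encoded_payload(cmd: str):
    """Decoded script if cmd carries -e/-ec/-enc/-EncodedCommand, else None.
    PowerShell accepts any unambiguous prefix of the switch name."""
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-")
        if tok.startswith("-") and flag and (
                "encodedcommand".startswith(flag) or flag == "ec"):
            return decode_ps(tokens[i + 1].strip("\"'"))
    return None


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(lines):
    """Run the three rules over raw log lines; return a list of alert dicts."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # in production, count unparsable lines rather than drop them silently
        ev = m.groupdict()
        parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmd"]
        low = cmd.lower()
        base = {"host": ev["host"], "ts": ev["ts"], "image": image}

        # Rule 1: Office application handing off to a LOLBin (macro execution).
        if parent in OFFICE_PARENTS and image in LOLBINS:
            alerts.append({"rule": "office_spawns_lolbin", **base})

        # Rule 2: scheduled task created whose action is a PowerShell one-liner.
        if image == "schtasks.exe" and "/create" in low and "powershell" in low:
            alerts.append({"rule": "schtasks_powershell_persistence", **base,
                           "decoded": encoded_payload(cmd)})

        # Rule 3: encoded PowerShell; surface the decoded script and whether
        # the window was hidden (-w / -WindowStyle hidden) for triage.
        if image in {"powershell.exe", "pwsh.exe"}:
            decoded = encoded_payload(cmd)
            if decoded is not None:
                hidden = re.search(r"-w[a-z]*\s+hidden", low) is not None
                alerts.append({"rule": "encoded_powershell", **base,
                               "decoded": decoded, "hidden": hidden})
    return alerts


# Constructed sample: an invented reconnaissance one-liner, encoded the way
# the task action would carry it, plus two benign events that must not alert.
RECON = "whoami; Get-ChildItem -Recurse C:\\Users\\*\\Documents | Select-Object FullName"
B64 = encode_ps(RECON)
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
SAMPLE_EVENTS = [
    f"2021-11-29T09:14:02Z host=MGMT-PC01 parent={OFFICE} "
    "image=C:\\Windows\\System32\\schtasks.exe "
    f'cmd=schtasks /create /tn Updater /tr "powershell -w hidden -enc {B64}" /sc minute /mo 5 /f',
    "2021-11-29T09:19:00Z host=MGMT-PC01 parent=C:\\Windows\\System32\\svchost.exe "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f"cmd=powershell -w hidden -enc {B64}",
    "2021-11-29T09:20:11Z host=MGMT-PC01 parent=C:\\Windows\\explorer.exe "
    "image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe",
    f"2021-11-29T09:21:45Z host=MGMT-PC01 parent={OFFICE} "
    "image=C:\\Windows\\splwow64.exe cmd=splwow64.exe 12288",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 is the high-signal one and fires at macro execution time, before any task has run; rules 2 and 3 catch the persistence and the later scheduled execution even when the initial Office parent is no longer visible. Decoding the payload in the alert matters in practice: an analyst sees the reconnaissance and listing commands directly instead of an opaque base64 blob. Note that rule 1 will also fire on legitimate macros that call `cmd.exe` or `powershell.exe`; tune the parent/child pairs to the environment rather than suppressing the rule.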

In December 2021, a Zscaler research team disclosed details of this advanced persistent threat (APT) and attributed it to DarkHotel, a group assessed to be based in South Korea. The report also published the IP address of the C2 infrastructure used for data exfiltration after the initial compromise of victim machines.

The group is known for using spyware and malware to attack hotel guests over the hotel's in-house Wi-Fi network. Its usual targets are high-profile executives in the financial services, government, development and defense sectors.

According to one cybersecurity firm, this kind of targeted APT espionage is occurring on a global scale across the hospitality industry, with high-value hotel staff or guests targeted before or during important events. John Fokker, Head of Cyber Investigations at Trellix, said: “There can be an uptick in advanced persistent threats especially during times of turmoil and instability. DarkHotel and similar groups have a lot to gain by targeting high-level individuals as a means of easy access to troves of data and information. They have been diligent in their attacks for the better half of the past decade, exploiting victims across industries, sectors and geographies.”