Hotels in Macau targeted by attacks linked to South Korea’s DarkHotel APT


According to Trellix, an XDR company formed after the merger of McAfee Enterprise and FireEye earlier this year, South Korea-linked state-sponsored threat actor DarkHotel is said to have carried out a series of attacks on major hotel chains in Macau.

The Advanced Persistent Threat (APT) actor has been active for more than a decade but was first described in 2014 and has targeted businesses in numerous countries for espionage purposes, including hacking hotels’ Wi-Fi networks to protect devices of infecting the target persons.

DarkHotel is known for targeting victims across multiple sectors including automotive, law enforcement, and pharmaceuticals.

As of late November 2021, Trellix observed spear phishing attacks targeting hotel management employees in roles such as Assistant Manager, Front Office Manager, and Vice President of HR, likely due to their privileged access to hotel systems.

The attackers attached Excel spreadsheets to the emails and tried to trick victims into opening the documents and enabling macros. The files were riddled with malicious macros designed for reconnaissance, data gathering and exfiltration.

Although part of DarkHotel’s infrastructure was uncovered in a December 2021 report, the group appears to have continued to use it to drop new payloads into victims’ surroundings, the researchers say.

[ READ: Purple Fox Exploit Kit Targets Vulnerabilities Linked to DarkHotel Group ]

On December 7, 2021, seventeen hotels in Macau received the same phishing email claiming to be from the “Macau Government Tourism Office” and containing a malicious Excel attachment called “Instructions”.

In another phishing email, the attackers asked the hotel staff to complete the Excel file with information about the people staying at the hotel.

The Command and Control (C&C) domain mimicked the legitimate government website of the Federated States of Micronesia ( The Macau Security Forces Bureau (MSSB) issued a warning about the fraudulent domain in December.

The attacks were likely intended to help the threat actor set the stage for future activity as the hotels were expected to hold several conferences that DarkHotel may have been interested in.

However, the events were canceled or postponed due to the rapid rise in COVID-19 cases in Macau and China, and the attacks stopped on Jan. 18.

Trellix attributed the activity to DarkHotel with moderate certainty based on continued use of an IP address associated with previous APT activity, victimology, and specific development patterns in the C&C panel.

“We lowered our confidence level to moderate because the specific IP address remained active for some time after it was publicly disclosed, and the same IP address is the origin of other malicious content unrelated to this specific threat,” says Trellix .

See also: White Tur hacking group borrows techniques from several APTs

Related: Newly discovered “StrifeWater” RAT linked to Iranian APT

See also: APT group using language changing software in spear phishing campaign

Ionut Arhire is international correspondent for SecurityWeek.

Previous columns by Ionut Arhire:


About Author

Comments are closed.