TA558 Is Back, Targeting Hotels and Airlines With Fake Booking Emails

A criminal group that has quietly stolen travel-industry data since 2018 has dramatically ramped up its fake-reservation campaigns, now using compressed file tricks to sneak spying software onto victims' computers.

ThreatVectr Newsdesk· 3 min read
Aerial 16:9 editorial photograph of a busy international airport terminal, shot from above at dusk, warm amber lighting illuminating rows of empty check-in desk
Share

Key points

  • TA558, a financially motivated criminal group active since at least 2018, ran 27 malicious campaigns in 2022 alone — compared with just five across the previous four years combined.
  • The group sends fake hotel or flight reservation emails, primarily in Portuguese or Spanish, targeting organisations in Latin America, North America, and Western Europe.
  • Clicking a link in one of these emails can silently install a remote access trojan — software that lets criminals spy on a computer, steal files, and plant further malware.
  • Proofpoint researchers assessed with medium-to-high confidence that TA558's goal is financial: stealing data to ultimately steal money.
  • Customers who have shared payment or personal details with targeted travel companies may also be at risk.

A criminal group called TA558 has dramatically stepped up attacks on airlines, hotels, and travel agencies, sending fake booking-confirmation emails designed to infect staff computers with spying software. The group has been operating since at least 2018, with a noticeable pause during COVID-era travel shutdowns. Now that bookings have bounced back, so has TA558.

The emails look routine. Subject lines often say simply "reserva" — the Spanish and Portuguese word for reservation. Staff at a hotel or airline front desk could easily mistake one for a genuine inquiry.

How do the criminals actually get in?

Opening the email is not enough to get infected — but clicking the link inside is. That link downloads a compressed archive file (think of it like a zip file, a single package containing other files bundled inside). When a victim opens the package, hidden code runs automatically and installs a remote access trojan, or RAT — software that gives criminals full, silent control of the infected computer from anywhere in the world.

The specific RAT Proofpoint researchers observed in the most recent wave is called AsyncRAT. Once running, it can record keystrokes, steal saved passwords, copy files, and download additional malware.

TA558 switched to these compressed-file tricks after Microsoft blocked a method the group had relied on for years: malicious macros (small automated programs hidden inside Word and Excel documents). Microsoft disabled those macros by default in late 2021 and early 2022, and TA558 adapted quickly.

The group's earlier campaigns — tracked by Palo Alto Networks in 2018 and Cisco Talos in 2020 — had used a known flaw in Microsoft Word's equation editor, CVE-2017-11882, a remote-code-execution bug that allowed attackers to run their own programs on a victim's machine simply by opening a document. That vulnerability has long been patched, which is partly why TA558 keeps changing tactics.

Proofpoint, which published the research first reported by Threatpost, notes the gang delivered at least three different RATs across 2022 campaigns: Loda, Revenge RAT, and AsyncRAT.

For ordinary travellers, the risk is indirect but real. If a hotel or airline's systems are broken into and customer records stolen, that data — names, payment card numbers, passport details — can be sold or used for fraud. Sherrod DeGrippo, Proofpoint's vice president of threat research, noted that customers who have booked holidays through targeted companies could be affected.

If you have recently booked travel through a Latin American, European, or North American hotel or airline and you receive unexpected emails asking you to click links or open attachments, treat them with suspicion. Contact the company directly using a phone number from its official website before clicking anything.

© 2026 Threat Vectr