The False Itinerary: TA558

← Home·Gallery·Techniques

Threat Intelligence Tarot

cups · 6

Criminal (Latin America focused)

G1008

★★★★★

risk 3/5

✦ The False Itinerary ✦

TA558

HotelsTravel agenciesAirlinesLatin American hospitality sector

Active since ~2018 · Financial fraud, Latin American travel sector targeting, Remote access trojan deployment

It sends hotel staff a fake booking confirmation. The attachment is a reservation. The attachment is also a remote access trojan. The False Itinerary has spent years in the reservations inbox of hotels across Latin America, reading guest credit cards and booking data for financial fraud.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1204.002

Malicious File

Execution

T1059.005

Visual Basic

Execution

T1056.001

Keylogging

Collection

T1071.001

Web Protocols

Command and Control

Notable Operations

◆Hotel reservation system compromise across Latin America
◆Fake booking confirmations as spearphishing lures
◆RevengeRAT, AsyncRAT, and Loda RAT deployments
◆Travel industry targeting across 15+ countries

Defenses

▸
Disable VBA macros and script execution from email attachments
CIS Control 9 ↗
▸
Hotel PMS system network segmentation from corporate email
CIS Control 12 ↗
▸
RAT detection capabilities in endpoint security
NIST CSF: DE.CM ↗
▸
Travel sector ISAC participation for threat intelligence
NIST CSF: ID.RA ↗

Reversed: Their Weakness

TA558's geographic concentration in Latin America and consistent targeting of the travel sector created predictable patterns that allowed industry-specific threat intelligence to build effective defenses - sector-specific sharing networks proved particularly valuable.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Broker Next →The Watering Hole

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.