Global Research and Analysis Team members (GReAT) of the Russian software company Kaspersky Lab analyzed cyber espionage campaign “Darkhotel”, campaign active at least four years, a campaign during which were stolen confidential information from corporate executives traveling abroad. Darkhotel is targeting victims staying in luxury hotels, and the team behind the campaign do not attack the same person twice. Operations called Darkhotel  are executed with precision, achieving all important data from the first attack. Subsequently, the attackers are covering their tracks and stop their activities until they identify the next target. Among the victims are corporate executives in the US and Asia. The threat is still active, warns Kaspersky Lab.

Working with “Darkhotel”

Darkhotel is an effective method to penetrate the networks of hotels, offering wide and lengthy access for attackers, including targeting systems considered private and secure. Attackers work when victims are connected to the hotel’s Wi-Fi network by entering the room number and last name to login. Cybercriminals identify victims connected to the compromised network and require to download and install a backdoor as legitimate software updates Google Toolbar, Adobe Flash or Windows Messenger. Victim download package, infecting the device with a backdoor – the so called software Darkhotel cyber espionage.

After installation, the backdoor can be used to download the most advanced tools in order to steal confidential information: an advanced digital signature keylogger, trojan  Karba and a specialized module in information retrieval. These tools collect data about system and security software installed, steal passwords saved in Firefox, Chrome and Internet Explorer, Gmail Notifier, Twitter, Facebook, passwords logging in Yahoo! and Google accounts and other confidential information. Victims risk losing important information, such as files that are intellectual property of organizations they represent. After this operation, the attackers delete infiltrated instruments in hotel network and temporarily suspend its operations.


Recently, Darkhotel successfully attacked people with important functions, using the most advanced methods and techniques other than those used in typical attacks, says Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab. This virus has operational competence, mathematical and analytical skills cryptography and other resources capable of infecting reliable commercial networks, targeting different categories of victims with strategic precision concludes Kurt Baumgartner.

Kaspersky Lab researchers have discovered in a string of dangerous Darkhotel source code a trace indicating a speaking Korean. Kaspersky Lab detects and neutralizes malware and variants used in the toolkit Darkhotel. Kaspersky Lab is working with multiple organizations to solve the case Darkhotel profile.

How to avoid attacks Darkhotel

During travel, any network, even the semi-private hotels can be dangerous. Darkhotel case illustrates an evolving attack vector: people who possess valuable information can easily become victims Darkhotel or a similar operation. To prevent these threats, Kaspersky Lab recommends: use a provider Virtual Private Network (VPN) that can provide a communication channel for accessing encrypted Wi-Fi networks public or semi-public; In travel, any software update is suspicious and should make sure that the program is developed by a reliable supplier. Security solution must provide protection against new threats developed, not just basic antivirus protection.

Kaspersky Lab is present in around 200 countries and protects over 300 million users worldwide.

You can find more informations regarding Kaspersky on their official website, here.