DarkHotel, also known as DUBNIUM, is a cyber threat actor that has been active since at least 2018. The group has been observed primarily targeting Japanese organizations and has recently been linked to a campaign using unique Tactics, Techniques, and Procedures (TTPs). That campaign involved a multi-stage binary infection phase built on home-brewed malware, demonstrating DarkHotel's advanced persistent threat attributes. Notably, the group has exploited software vulnerabilities alongside other Advanced Persistent Threat (APT) actors such as CactusPete, TwoSail Junk, FunnyDream, and others. DarkHotel has also been found to exploit the COVID-19 pandemic as a lure, much like other APT groups including Kimsuky and Hades.
Analysis of this campaign revealed that DarkHotel used the Spreader component of Ramsay version 2.a, which reused a series of tokens previously seen in DarkHotel's Retro Backdoor. This points to significant technical overlap between Ramsay and DarkHotel's historical Trojans. Despite the risk of detection by antivirus software, DarkHotel's activity appears limited to specific targets, indicating a high degree of precision in its operations. This targeted approach, combined with improved infection techniques in its malicious code, underscores the sophistication of the group's attack process.
DarkHotel's operations have been particularly prominent in Southeast Asia, a region noted for a high level of APT activity from established actors such as Lazarus and Kimsuky as well as newer groups like Cloud Snooper and Fishing Elephant. Interestingly, although DarkHotel's tooling for penetrating isolated networks is complex, its implementation cost is lower than that of more intricate systems such as the A2PT seismograph. However, its transmission, infection, and exfiltration processes rely heavily on human operators. Even so, within a sustainable attack cycle, DarkHotel retains the potential to achieve its objectives.
Description last updated: 2024-05-04T16:25:48.391Z