DarkHotel
Executive Summary
DarkHotel is a South Korean-attributed advanced persistent threat (APT) group active since at least 2007, specializing in targeted espionage against senior business executives. The group is best known for a signature tactic: compromising hotel Wi-Fi networks to intercept and redirect corporate guests toward trojanized software installers, earning the group its name from Kaspersky Lab’s landmark 2014 disclosure.
Operating across Asia-Pacific and beyond, DarkHotel has targeted executives from the defense, automotive, electronics, pharmaceutical, and manufacturing sectors with a high degree of operational precision. The group demonstrates patient, multi-stage targeting — researching victims before hotel stays and staging attacks to coincide with confirmed bookings — alongside an aggressive zero-day exploitation capability, including documented use of Adobe Flash and Internet Explorer vulnerabilities sourced from the 2015 Hacking Team breach.
Notable Campaigns
2007–2014 — Hotel Wi-Fi Network Intrusions
Kaspersky Lab’s November 2014 report documented a sustained campaign spanning at least seven years in which DarkHotel compromised hotel networks across Japan, Taiwan, China, Russia, and Germany. The group maintained persistent access to hotel network infrastructure and selectively targeted guests who matched executive profiles. Victims were presented with fake update prompts for legitimate software — Adobe Flash, Windows Messenger — that delivered the Karba backdoor or a custom keylogger. The targeting was highly selective: only specific guests were served malicious content while other hotel traffic passed unaffected.
2015 — Zero-Day Exploitation Surge
Following the July 2015 breach of Italian spyware vendor Hacking Team, DarkHotel rapidly weaponized leaked zero-day exploit code for Adobe Flash (CVE-2015-5119), incorporating it into both spearphishing campaigns and watering-hole attacks within days of public disclosure. Kaspersky’s follow-up 2015 report documented the group’s use of this and additional Flash and Internet Explorer zero-days, demonstrating a sustained investment in client-side exploitation capability beyond the hotel-network vector.
Technical Capabilities
DarkHotel’s technical toolkit spans social engineering, network-level interception, and custom malware, with a track record of rapid zero-day incorporation.
Karba is the group’s primary backdoor, providing keylogging, screen capture, file system enumeration, and remote command execution. It establishes persistence through Windows Registry Run keys and communicates with command-and-control infrastructure over standard web protocols to blend with legitimate traffic.
Tapaoux (also called the DarkHotel downloader) serves as a first-stage implant, delivered through malicious attachments or hotel-network injection. It performs host reconnaissance and retrieves second-stage payloads from attacker-controlled servers.
BBSRAT is a modular backdoor with functional overlap with Karba, capable of process injection, file management, and remote shell access. Its use in DarkHotel operations has been assessed by multiple vendors.
NHS England Digital has separately described Ramsay as an information-stealing trojan and espionage framework believed to have been created by or for DarkHotel.
The group’s hotel-network interception relies on compromised hotel network infrastructure that can serve malicious software-update prompts to selected guests. Malware components are consistently signed with counterfeit certificates to reduce endpoint detection friction.
Attribution
The attribution of DarkHotel to South Korean-linked actors rests on vendor assessment rather than public legal or government confirmation. MITRE ATT&CK lists DarkHotel as a suspected South Korean threat group. Kaspersky Lab documents the group’s targeting patterns, hotel-network operations, and malware tradecraft; the cited sources do not identify named operators or a formal government sponsor.
Neither the South Korean government nor any foreign government has issued a formal indictment or public attribution statement in the cited sources. The A3 assessment reflects source-supported vendor attribution without government confirmation.
MITRE ATT&CK Profile
Initial Access: DarkHotel employs two primary vectors: spearphishing with malicious attachments (T1566.001) exploiting zero-days in Adobe Reader, Flash, and Office; and drive-by compromise via compromised hotel Wi-Fi networks (T1189) delivering trojanized software update packages to targeted guests.
Execution: Client-side zero-day exploitation (T1203) is a hallmark of DarkHotel operations, with documented use of Adobe Flash vulnerabilities including CVE-2015-5119 from the Hacking Team breach, as well as multiple Internet Explorer zero-days.
Persistence: Karba and Tapaoux establish persistence through Windows Registry Run keys and Startup folder entries (T1547.001), ensuring survival across reboots and enabling long-duration access.
Defense Evasion: Malware components use obfuscation (T1027). MITRE ATT&CK also maps DarkHotel’s use of stolen or counterfeit code-signing certificates to Subvert Trust Controls: Code Signing (T1553.002).
Collection: The Karba backdoor includes screen capture and keylogging capabilities, enabling credential theft and document exfiltration from targeted executives.
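As an added defender-side example, not code from the cited reports, the two behaviours the profile maps to T1547.001 (Run-key persistence) and T1553.002 (counterfeit code signing) can be checked in Sysmon-style endpoint telemetry. The events below are constructed, flattened JSON using Sysmon field names (EventID 13 RegistryEvent, EventID 7 ImageLoaded); the paths and the signer name are placeholders, not indicators from the page.

```python
import json
from typing import List, Optional

# Run/RunOnce keys: the T1547.001 persistence location the profile attributes to Karba and Tapaoux.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# User-writable directories a trojanised "update" installer typically drops its payload into.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def check_event(event: dict) -> Optional[str]:
    """Return a finding for one Sysmon-style event, or None if it matches neither rule."""
    eid = event.get("EventID")
    if eid == 13:  # RegistryEvent (Value Set): an autorun value was written
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "").lower()
        if any(m in target for m in RUN_KEY_MARKERS) and any(d in details for d in USER_WRITABLE):
            return (f"T1547.001 Run-key persistence pointing into a user-writable path: "
                    f"{event['TargetObject']} -> {event['Details']}")
    elif eid == 7:  # ImageLoaded: carries the Authenticode result for the loaded image
        # A signed image whose chain does not validate is what a counterfeit certificate yields (T1553.002).
        if event.get("Signed") == "true" and event.get("SignatureStatus") != "Valid":
            return (f"T1553.002 non-valid signature ({event.get('SignatureStatus')}) on "
                    f"{event.get('ImageLoaded')} signer={event.get('Signature')}")
    return None


def scan(lines) -> List[str]:
    """Run check_event over newline-delimited JSON and collect findings in order."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if raw:
            hit = check_event(json.loads(raw))
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not real telemetry); backslashes are JSON-escaped inside the raw string.
SAMPLE_EVENTS = r"""
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\FlashUpdate", "Details": "C:\\Users\\exec\\AppData\\Roaming\\flashupdate.exe"}
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 7, "ImageLoaded": "C:\\Users\\exec\\AppData\\Roaming\\flashupdate.exe", "Signed": "true", "Signature": "CONSTRUCTED-SIGNER", "SignatureStatus": "Errors"}
{"EventID": 7, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The second Run-key event is left unflagged because its target lives under Program Files; a production rule would add an allowlist of known installers rather than rely on path alone.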
Sources & References
- MITRE ATT&CK: DarkHotel (G0012) — MITRE ATT&CK, 2024-01-08
- Kaspersky Lab: The DarkHotel APT — Kaspersky Lab, 2014-11-10
- Kaspersky Lab: DarkHotel Attacks in 2015 — Kaspersky Lab, 2015-08-10
- NHS England Digital: Ramsay Trojan — NHS England Digital, 2020-05-14