Travel Sector Under Siege as TA558 Pivots Toward Stealthy Payloads
Threat actors are weaponizing reservation-themed emails with container files to bypass modern Microsoft Office security protections.
Travelers and hospitality staff are navigating a turbulent landscape where digital deception now mirrors the logistical frustrations of modern air travel. As the sector recovers from a pandemic-induced lull, the threat group known as TA558 has aggressively recalibrated its tactics to exploit the surge in global bookings.
A Shift in Delivery Mechanics
The operational profile of this group has undergone a significant transformation. While previous efforts relied on malicious Microsoft Word documents, current campaigns utilize ISO and RAR file attachments. These compressed containers effectively shield the malicious payload until a user is successfully coerced into decompressing the archive. Proofpoint reports that this transition is a direct response to Microsoft’s efforts to disable macro execution by default within Office products.
“TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021. Typically, URLs led to container files such as ISOs or zip [RAR] files containing executables,” Proofpoint wrote.
Evolution of the Malicious Toolkit
The sophistication of the malware deployed by TA558 has remained remarkably consistent in its intent, even as its delivery methods evolve. The group frequently leverages remote access trojans, or RATs, to perform reconnaissance and facilitate the theft of sensitive data. Historically, the group has utilized well-documented vulnerabilities such as CVE-2017-11882 to gain entry into victim machines.
- TA558 conducted 27 campaigns involving URLs during 2022.
- The group executed a total of 5 URL-based campaigns between 2018 and 2021.
- In January 2020, the group launched 25 separate malicious campaigns.
Targeting the Hospitality Ecosystem
Beyond the technical mechanics, the group maintains a focused strategy on the hospitality industry, particularly within Latin America, though their reach often extends into North America and Western Europe. By crafting emails with simple, deceptive subject lines like "reserva," they exploit the natural urgency associated with booking confirmation.
Financial gain remains the primary driver for these operations. According to Sherrod DeGrippo, vice president of threat research and detection organizations at Proofpoint: “Its possible compromises could impact both organizations in the travel industry as well as potentially customers who have used them for vacations.”
Securing the Digital Reservation Process
For organizations operating within the travel and hospitality sectors, the implications of these campaigns are severe. The shift toward file formats that bypass traditional macro-based security filters requires a more robust defense-in-depth approach. Staff should be trained to view unexpected reservation emails—even those appearing legitimate—with extreme skepticism. As these threat actors continue to scale their operations using stolen data, the financial risks to both corporate entities and individual travelers remain high, necessitating heightened vigilance in verifying the origin of any attached document or embedded link.