>samit_hota
Back to adversary profiles
G0012HighActive

Darkhotel: An Enduring Cyber Espionage Threat

Samit Hota·
Suspected Origin
Suspected South Korea
Motivation
Espionage, Strategic Intelligence, Economic Policy, National Security
Aliases
DUBNIUM, Zigzag Hail
Target Sectors
Government, Defense, Hospitality, Finance, Pharmaceuticals, Electronics Manufacturing, Energy, NGOs, Technology, Diplomatic Organizations
Associated Malware
Tapaoux, Karba, Inexsmar, Nemim, Pioneer, Custom Backdoors, Keyloggers
#threat-actor#g0012

Overview

Darkhotel (G0012), also known by aliases like DUBNIUM and Zigzag Hail, is a highly sophisticated and persistent cyber espionage group with suspected ties to South Korea, active since at least 2004. Initially gaining notoriety for its cunning attacks via compromised hotel Wi-Fi networks, the group has consistently evolved its tactics, techniques, and procedures (TTPs) to maintain access to high-value targets. Darkhotel’s operations exhibit a level of sophistication and target selectivity that points towards state-sponsored intelligence capabilities, focused on gathering strategic information related to regional security, defense cooperation, and economic policy. Their campaigns are meticulously planned, often demonstrating prior knowledge of victims’ travel schedules and an ability to swiftly exfiltrate data before erasing their tracks.

Tactics & Techniques

Darkhotel has a diverse and adaptable set of TTPs, reflecting a continuous effort to bypass evolving security measures. Their initial access methods have historically included:

  • Compromised Hotel Wi-Fi Networks: The group’s namesake technique involves infiltrating hotel networks, particularly in luxury establishments. When high-profile guests connect, they are prompted to download fake software updates for legitimate applications like GoogleToolbar, Adobe Flash, or Windows Messenger, which are, in fact, trojanized installers for Darkhotel malware. Attackers often have advance knowledge of when specific individuals will arrive and depart, allowing for precise targeting.
  • Spearphishing Campaigns: Darkhotel frequently employs highly targeted spearphishing emails. These emails often contain malicious attachments, such as RAR archives, LNK files, or Excel documents embedded with macros, designed to install malware upon execution. Lures have included policy briefs for diplomatic espionage and fake tourist communications for hotel staff.
  • Watering Hole Attacks: The group has leveraged watering hole attacks, compromising legitimate policy and technology websites to ensnare targets.
  • Peer-to-Peer (P2P) and File-Sharing Networks: In a less precise but broader approach, Darkhotel has distributed malware indiscriminately via Japanese P2P file-sharing sites, often disguised within large archives purporting to offer sexual content.
  • Exploiting Vulnerabilities: Darkhotel has a history of exploiting publicly facing system vulnerabilities, including those in VPNs and email servers, and is known to utilize zero-day exploits. They’ve exploited Adobe Flash vulnerabilities (e.g., CVE-2015-8651, CVE-2014-0497) and Windows elevation of privilege exploits. More recently, a campaign in 2025 exploited a zero-day vulnerability (CVE-2025-33053).
  • Supply Chain Compromise: In a more advanced evolution, Darkhotel has infiltrated regional IT service providers to inject malware into software updates intended for defense industry clients.

Once initial access is gained, Darkhotel employs various techniques for execution, persistence, defense evasion, and data exfiltration. They use malicious macros and PowerShell commands to execute payloads, establish persistence by modifying registry keys, and maintain access using custom backdoors and Remote Access Trojans (RATs). For defense evasion, they utilize valid or forged digital certificates to sign their malware, obfuscate code using techniques like RC4, XOR, and RSA, and employ anti-analysis checks to detect sandbox environments. The group is also meticulous about deleting traces of their tools post-attack. Credential access is achieved through keyloggers and credential theft. They conduct extensive discovery by collecting system information, including IP addresses, network adapter details, running processes, and OS versions, before exfiltrating sensitive data via encrypted channels, FTP, or legitimate cloud services.

Notable Campaigns

Darkhotel has been linked to numerous significant campaigns over its long operational history:

  • 2014 Hotel Wi-Fi Campaign: This campaign brought Darkhotel to public attention, detailing their sophisticated method of compromising hotel networks in Asia to target traveling executives and government officials.
  • 2017 Defense Industry Intrusions: Darkhotel conducted spearphishing and watering-hole attacks specifically against Japanese and South Korean defense contractors, deploying their Inexsmar implants.
  • 2020 Diplomatic Espionage: The group targeted Ministries of Foreign Affairs and trade across East Asia, distributing Karba malware through phishing campaigns disguised as policy briefs. During the COVID-19 pandemic, Darkhotel also notably compromised the systems of the World Health Organization and a significant Chinese VPN service provider, SangFor, used by Chinese government agencies.
  • 2021-2022 Macao Hotel Campaign: Trellix reported a suspected Darkhotel spearphishing campaign targeting luxury hotels in Macao, China, in late 2021. Emails impersonating the “Macao Government Tourism Office” were sent to hotel management, aiming to compromise networks and potentially target wealthy guests attending conferences.
  • 2023 Supply Chain Compromise: Darkhotel infiltrated a regional IT service provider to insert malware into software updates that were subsequently distributed to defense industry clients.
  • 2025 Cloud Exploitation and North Korean Targeting: Campaigns in 2025 saw Darkhotel deploying Inexsmar and Karba malware variants to compromise Microsoft 365 environments, focusing on diplomatic communications and research & development documentation. Separately, they launched an attack targeting North Korean foreign trade personnel using phishing emails with malicious MSI installers that exploited a zero-day vulnerability (CVE-2025-33053).

Associated Malware & Tools

Darkhotel employs a suite of custom-developed malware and has been known to leverage exploits. Key components include:

  • Trojans and Backdoors: Tapaoux (an early Trojan), Karba, Inexsmar (a version used to target political figures), Nemim, and Pioneer are frequently associated with the group. Other malware families observed include Asruex, DmaUp3.exe, GreezeBackdoor, msieckc.exe, Ramsay, and Retro. The SpyGlace malware has also been linked to activities that share TTPs with Darkhotel.
  • Custom Tools: They develop and deploy custom keyloggers, backdoors, and Remote Access Trojans (RATs) to maintain persistence and exfiltrate data.
  • Exploits: Darkhotel has utilized a range of zero-day exploits, including several for Adobe Flash (CVE-2014-0515, CVE-2015-5122) and Microsoft Internet Explorer, as well as an elevation of privilege exploit for Windows. More recent activities indicate the use of newly discovered zero-days like CVE-2025-33053.
  • Commercial Tools: There are indications of them leveraging commercial tools such as Cobalt Strike and Metasploit, alongside their custom arsenal.
  • Living Off The Land Binaries (LOLBAS): The group also incorporates LOLBAS techniques, such as using PowerShell for command execution.

Current Status

Darkhotel remains an active and evolving advanced persistent threat. Recent reports indicate continued activity up to 2025 and even into early 2026, demonstrating their consistent operational sophistication and adaptability. The group has skillfully shifted its focus from purely Wi-Fi-based attacks to incorporate more complex initial access vectors, including sophisticated supply chain compromises and cloud-based espionage operations targeting Microsoft 365 environments. Their targeting remains focused on high-value individuals and organizations within government, defense, and related strategic sectors, primarily across East Asia but with a global reach. Their ability to rapidly integrate new vulnerabilities and adapt their delivery mechanisms ensures they continue to pose a significant and persistent threat.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call