Walkthrough

Introduction

The RevengeHotels APT lab presents a comprehensive cybersecurity investigation scenario that challenges analysts to unravel a sophisticated multi-stage malware attack through forensic analysis of a compromised Windows system. This lab simulates a real-world incident where a threat actor successfully compromised an enterprise environment through a carefully orchestrated phishing campaign, demonstrating the complete attack lifecycle from initial access to data exfiltration. Through systematic examination of various forensic artifacts including email communications, browser history, Windows event logs, Sysmon telemetry, and registry modifications, we trace the attacker's footsteps and understand their tactics, techniques, and procedures.

The attack begins with a socially engineered phishing email masquerading as a hotel reservation confirmation from the domain hotelx.rf.gd, which delivers a malicious JavaScript file disguised as an invoice document. This initial payload demonstrates sophisticated evasion techniques by immediately disabling Windows Defender's real-time monitoring through PowerShell commands before establishing the main infection. The JavaScript creates and executes a PowerShell script that downloads two additional files, including a heavily obfuscated Windows executable hidden within a Base64-encoded text file. This executable, which masquerades as the legitimate Windows service host process through the deceptive filename swchost.exe, implements multiple persistence mec
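The three behaviours described above (a script host launching PowerShell, PowerShell tampering with Defender real-time protection, and a binary named to resemble svchost.exe) are exactly what a detection rule over Sysmon process-creation telemetry should surface. The following is an added example, not code from the lab or the walkthrough; the events, file paths and the Set-MpPreference command line are constructed for illustration and are not artifacts recovered from the lab image.

```python
import re

# Constructed Sysmon-style Event ID 1 (process creation) records, not lab data.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\victim\AppData\Roaming\swchost.exe",
     "CommandLine": "swchost.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Only these folders are expected to host the real svchost.exe.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Defender cmdlets that weaken real-time protection or carve out exclusions.
DEFENDER_TAMPER = re.compile(r"(?i)set-mppreference\s+-disable\w*monitoring|add-mppreference\s+-exclusion")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats of trusted names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def defender_tampering(cmdline: str) -> bool:
    return bool(DEFENDER_TAMPER.search(cmdline))

def svchost_lookalike(image: str) -> bool:
    """True for svchost.exe outside its legitimate folders, or a near-identical name anywhere."""
    folder, _, name = image.lower().rpartition("\\")
    if name == "svchost.exe":
        return folder not in LEGIT_SVCHOST_DIRS
    return edit_distance(name, "svchost.exe") <= 1

def triage(events):
    """Return (event index, reason) pairs for every suspicious event."""
    findings = []
    for idx, ev in enumerate(events):
        parent = ev["ParentImage"].lower().rpartition("\\")[2]
        child = ev["Image"].lower().rpartition("\\")[2]
        if parent in ("wscript.exe", "cscript.exe") and child == "powershell.exe":
            findings.append((idx, "script host spawned PowerShell"))
        if defender_tampering(ev["CommandLine"]):
            findings.append((idx, "Defender real-time protection tampering"))
        if svchost_lookalike(ev["Image"]):
            findings.append((idx, "svchost.exe lookalike or out-of-place svchost"))
    return findings
```

Run against the constructed events, the first event is flagged twice (script host parent and Defender tampering), the second once for the swchost.exe lookalike, and the genuine svchost.exe under services.exe is left alone.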
