Field Notes · Analysis · 17 May 2026

DarkHotel: Where Everyone Agreed Not to Look

Rob Pinna Global APT · Hotel Networks · Business Travel

In 2014 Kaspersky researchers traced a series of targeted intrusions to the Wi-Fi networks of luxury hotels in Asia and the Gulf. The attackers were waiting for specific guests. When the target connected to the hotel network, a software update prompt appeared. The update was malicious. Other guests, on the same network at the same time, received nothing.

The campaign was named DarkHotel. The technical analysis received most of the attention; the operational detail received far less.

The attackers appeared to know which room a target was checking into and approximately when they would connect. The Kaspersky team tested this by visiting the same hotels with honeypot machines and reported that those machines were not targeted. The selection pattern suggested access to reservation information, a real-time intelligence feed about high-value arrivals, or another hotel-adjacent source of targeting data. Researchers at the time treated property-level insider assistance as a plausible inference, not as a confirmed fact.

What makes DarkHotel interesting is the trust geometry of business travel. An executive in transit accepts that the hotel network is operationally necessary and not under their control. Their security team accepts the same, because the alternative is that the executive does not travel. The hotel's network administrator accepts that they cannot meaningfully defend a network shared with hundreds of transient guests every night. Each actor in this chain knows the position is weak, and each accepts it because moving the responsibility elsewhere is operationally easier than addressing it directly. That makes the accumulation of concessions, at every layer, structurally predictable.

DarkHotel operated for at least seven years across the United Arab Emirates, Kazakhstan, Lebanon, Singapore, Hong Kong, Italy and elsewhere. Public reporting has described the activity as Korean-speaking or Korea-linked, but attribution remains less important than the operational pattern.

The most predictable place to find a high-value target is the place where everyone in the chain has already agreed not to look.

Sources
  1. Kaspersky Lab, "The Darkhotel APT", Securelist, November 2014.
  2. Zscaler ThreatLabz, "New DarkHotel APT attack chain identified", December 2021.
  3. Trellix research on the 2021–2022 Macau hotel campaign.
  4. The MITRE ATT&CK group profile G0012 collates the broader behavioural set.
  5. The honeypot detail and the inference of property-level insider assistance both derive from the original Kaspersky 2014 publication.