Menu
Browse

Cyber Threat Actor: DarkHotel

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Spy
Romania
1 incident
Profile

DarkHotel, also known as APT‑C‑06, is a threat actor that has been observed conducting cyber‑espionage operations since at least 2007. Public sources list Romania as the actor’s known location. The group’s activity is characterized by attempts to gather sensitive information rather than pursue financial gain or cause disruption. Its tactics have been linked to the collection of data from targeted victims. The actor appears in multiple threat‑intelligence reports describing a long‑running campaign.

DarkHotel’s typical targets include government employees and business executives located in East Asia, specifically in China, North Korea, Japan, and the United States. The actor has also been observed targeting healthcare and humanitarian organizations. Its primary initial access method involves creating malicious web infrastructure that mimics legitimate internal email systems or service portals. These deceptive sites are used to harvest credentials through phishing‑style login pages. No specific malware families are publicly attributed to DarkHotel in the available sources.

A notable publicly reported operation involved a March 2020 attempt to compromise World Health Organization staff, where a malicious site imitating the WHO’s internal email system was detected by a security researcher. While the WHO’s CISO confirmed the attempt was unsuccessful and the identity of the perpetrators remained unclear, sources briefed on the incident suggested DarkHotel as a possible actor. The same malicious web infrastructure linked to the WHO incident has also been used in recent weeks against other healthcare and humanitarian entities. Cybersecurity firms such as Bitdefender and Kaspersky have traced many of DarkHotel’s operations to East Asia, reinforcing the geographic focus of its targeting. This profile summarizes the confirmed facts about the actor without speculating on undisclosed details.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source