Yet Another TA558 Campaign Targets South America’s Hospitality Industry With AsyncRAT
ID: 351dbafe-e457-560a-a7e7-49fcbc2a230f
STIX ID: report--351dbafe-e457-560a-a7e7-49fcbc2a230f
Feed Name: WatchGuard Secplicity Blog
This report analyzes a targeted phishing campaign (attributed to TA558) that uses obfuscated JavaScript and PowerShell droppers (collectively called "kimkarden" variants) to deliver an AsyncRAT remote access trojan; the researcher details the multi-stage infection chain, deobfuscation steps, helper DLL behavior (using Regsvcs/Msbuild), extracted C2 domains, file/URL/port IoCs, and related hosting infrastructure.
