A Russian-speaking threat actor has registered more than 4,300 domain names this year to support a large phishing campaign aimed at customers of the hospitality industry, researchers reported. Evidence of the infrastructure is available in a published IOC list and was summarised in a security firm blog post.
Netcraft identified 4,344 domains associated with the cluster and said many names try to mimic major booking platforms: 685 domains contain the string “Booking,” 18 contain “Expedia,” 13 contain “Agoda” and 12 contain “Airbnb.” The firm reported the campaign began in earnest around February 2025 and is designed to intercept hotel reservation payments and personal data.
The phishing chain typically starts with an email asking recipients to confirm a booking within 24 hours by clicking a link that leads through a series of redirects to a counterfeit booking page. The fake sites use hostnames built from words such as confirmation, booking, guestcheck, cardverify or reservation and carry the branding of legitimate travel platforms; pages are offered in 43 languages to widen reach, Netcraft said.
Targets must supply card details to pay a purported deposit, at which point the page attempts to process a transaction and displays a support chat window instructing users to complete a supposed 3D Secure verification. The pages rely on a unique URL parameter called AD_CODE; Netcraft reported the value is written to a cookie so subsequent pages keep consistent impersonated branding, and that a fake CAPTCHA resembling Cloudflare is used to further deceive visitors.
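As an added illustration for defenders, not code from Netcraft or from the report, the routine below triages URLs from a proxy log or newly registered domain feed for the patterns described above: brand strings outside their real domains, the lure keywords used in hostnames, and the AD_CODE query parameter. The brand allowlist and the sample URLs are assumptions constructed for this example.

```python
"""Triage URLs for the hotel-booking phishing patterns described above.
All sample URLs and the allowlist are constructed for illustration."""
from urllib.parse import urlparse, parse_qs

BRANDS = ("booking", "expedia", "agoda", "airbnb")          # imitated brands
LURES = ("confirmation", "guestcheck", "cardverify", "reservation", "booking")
# Assumed allowlist of real apex domains; a deployment would maintain its own.
LEGIT_APEX = {"booking.com", "expedia.com", "agoda.com", "airbnb.com"}


def apex(host):
    """Last two labels of a hostname, e.g. 'booking.com.evil.example' -> 'evil.example'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_url(url):
    """Return (level, reasons) where level is 'low', 'medium' or 'high'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if apex(host) in LEGIT_APEX:
        return "low", ["host is on the assumed allowlist"]
    reasons = []
    # A brand string on a domain that is not the brand's own apex is the key signal.
    brand = next((b for b in BRANDS if b in host), None)
    if brand:
        reasons.append(f"brand string '{brand}' outside its real domain")
    # Lure words from the campaign's naming patterns (ignoring the brand word itself).
    lures = [w for w in LURES if w in host and w != brand]
    if lures:
        reasons.append("lure keyword(s): " + ", ".join(lures))
    # The kit's AD_CODE parameter carries the impersonated-brand selector.
    if parse_qs(parsed.query).get("AD_CODE"):
        reasons.append("carries AD_CODE query parameter")
    score = (2 if brand else 0) + len(lures) + (2 if reasons and reasons[-1].startswith("carries") else 0)
    level = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return level, reasons


if __name__ == "__main__":
    # Constructed sample input, not real indicators.
    for u in ("https://booking-confirmation-guestcheck.example/pay?AD_CODE=ABC",
              "https://secure.booking.com/reservation/123",
              "http://reservation.example/",
              "https://booking.com.evil.example/"):
        print(u, *triage_url(u))
```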
Observers noted possible links to other hospitality-focused campaigns. A French cybersecurity company warned of large-scale attacks that harvest credentials and use stolen reservation details to further trick customers, and one publicly shared indicator resembles the domain patterns used by this cluster. Other researchers have documented multi-brand phishing campaigns that harvest credentials via embedded HTML and exfiltrate data, for example in a recent report on such activity; victims have been concentrated in Central and Eastern Europe, including the Czech Republic, Slovakia, Hungary and Germany.
Separate analysis described the phishing kit as a fully automated, multi-stage platform that includes CAPTCHA filtering, pre-filling of victim data and use of messaging bots to exfiltrate stolen credentials and payment information. Group-IB researchers characterised the tooling as optimised for industrial-scale credential theft and said such services reflect growing demand for phishing-as-a-service. The identity of the group behind the hotel-targeting cluster remains unknown; the use of Russian in code comments and debug output may indicate provenance or be intended to appeal to buyers of the kit.