Thousands of domains target hotel guests in massive phishing campaign

 


A Russian-speaking cybercriminal group has launched a large-scale phishing campaign aimed at travelers and hotel guests, registering more than 4,300 domains since the start of 2025, according to new research from Netcraft. The attackers appear to be targeting individuals who have upcoming travel plans, using fraudulent websites to steal payment and personal information.

The campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path. Victims typically receive malicious emails that appear to come from legitimate booking services, prompting them to confirm reservations or payments through what looks like a hotel’s official website.

Instead of directing users to a legitimate booking platform, the links route through a series of intermediary websites before landing on the phishing page. In one example, an email led to a domain originally created in 2016 for a movie promotion, which then redirected to a Blogspot page and finally to the fraudulent booking site.

The phishing campaign began in February and has expanded rapidly, with the threat actor registering new domains almost daily. Netcraft reported that on March 20, 2025, alone, the group registered at least 511 domains. Most domains were created through a small group of registrars, including WebNIC, Public Domain Registry, Atak Domain Bilgi Teknolojileri A.S., and MAT BAO Corporation.
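The redirect pattern and fresh registrations described above can be turned into a triage heuristic for URL-sandbox or proxy data. The following is an added example, not code from Netcraft or from the kit; the hostnames, dates, thresholds and the `registered` lookup table (standing in for a WHOIS/RDAP query) are all constructed assumptions.

```python
from datetime import date
from urllib.parse import urlsplit

# Assumption: free-hosting suffixes to watch for mid-chain; the article names only Blogspot.
FREE_HOSTING = ("blogspot.com",)

def host(url):
    return (urlsplit(url).hostname or "").lower()

def score_chain(hops, registered, today, young_days=30, aged_days=3 * 365):
    """Return the signals a redirect chain matches.

    hops: URLs in the order they were followed (first = link in the email).
    registered: host -> registration date (stand-in for a WHOIS/RDAP lookup;
                sample hosts are assumed to be registrable domains).
    """
    hosts = [host(u) for u in hops]
    if not hosts:
        return []
    signals = []
    # Redirects that cross from one host to a different one.
    if sum(a != b for a, b in zip(hosts, hosts[1:])) >= 2:
        signals.append("multi-hop")
    # A free blog platform used purely as a pass-through hop.
    if any(h.endswith("." + s) for h in hosts[1:-1] for s in FREE_HOSTING):
        signals.append("free-hosting-intermediary")
    first, last = registered.get(hosts[0]), registered.get(hosts[-1])
    if last and (today - last).days <= young_days:
        signals.append("young-landing-domain")
        # An old, reputable-looking entry domain fronting a brand-new one.
        if first and (today - first).days >= aged_days:
            signals.append("aged-entry-domain")
    return signals

def is_suspicious(signals):
    # A young landing domain alone is noisy; require one chain signal as well.
    return "young-landing-domain" in signals and len(signals) >= 2

# Constructed sample data (not real indicators).
TODAY = date(2025, 3, 25)
REGISTERED = {"old-movie-promo.example": date(2016, 5, 1),
              "confirm-stay.example": date(2025, 3, 20),
              "hotel.example": date(2010, 1, 1)}
PHISH_CHAIN = ["http://old-movie-promo.example/r",
               "https://travel-notes.blogspot.com/p/go.html",
               "https://confirm-stay.example/a1b2c3d4"]
BENIGN_CHAIN = ["http://hotel.example/", "https://www.hotel.example/booking"]

if __name__ == "__main__":
    for chain in (PHISH_CHAIN, BENIGN_CHAIN):
        s = score_chain(chain, REGISTERED, TODAY)
        print(chain[-1], s, is_suspicious(s))
```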

Analysis of the phishing sites revealed extensive Russian-language comments and instructions in the HTML code, suggesting the kit is intended for use by other cybercriminals as well.
