A Russian-speaking threat group has been running a prolific phishing campaign …. Since the beginning of this year alone, it has registered upwards of 4,300 fraudulent domain names. The campaign’s main objective appears to be tricking users into entering their payment details on pages that mimic well-known booking and rental services. It started in earnest around Feb 2025, and the perpetrators are still unknown.
The operation runs on a custom-built, automated phishing platform designed for operator anonymity and high-volume, bot-driven attacks. Because its pages can be displayed in 43 major world languages, its geographic reach extends to victims around the world. This wave of mass phishing targets ordinary individual users, whose data is left exposed and compromised, and it also puts at risk businesses and nonprofits that routinely manage supplier contracts.
Details of the Campaign
The threat group behind this campaign has shown considerable creativity. It has registered thousands of domains that are near-identical lookalikes of popular brands such as Microsoft, Adobe, WeTransfer, FedEx, and DHL. Travel booking services are the most heavily impersonated: 685 of the domains contain the name “Booking,” 18 contain “Expedia,” 13 “Agoda,” and 12 “Airbnb.”
The fraudsters attach HTML files which, when opened, display fake login pages that capture the victim’s credentials. Once the victim submits the form, malicious JavaScript sends the captured credentials straight to Telegram bots operated by the attackers.
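The combination described above (a credential or payment form inside an HTML attachment, plus script that posts to the Telegram Bot API) is something a mail gateway or analyst can check for statically. The scanner below is an added example written for this article, not code from the campaign or from any of the researchers quoted here. It looks for the indicators the article names (password or card fields, a pre-filled victim e-mail, a CAPTCHA gate, and a Telegram bot endpoint), redacts the bot token before reporting it as an IoC, and returns a verdict. The two HTML samples are constructed for the demonstration; the bot token in them is a placeholder.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Telegram Bot API exfiltration endpoint, e.g. https://api.telegram.org/bot<token>/sendMessage
TELEGRAM_BOT_API = re.compile(r"https?://api\.telegram\.org/bot[^/\s\"']+/send\w+", re.I)
PASSWORD_INPUT = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)
PAYMENT_FIELD = re.compile(
    r"<input[^>]+(?:name|id)\s*=\s*[\"']?(?:card(?:number|_number)?|cvv|cvc|expiry)", re.I)
PREFILLED_EMAIL = re.compile(r"<input[^>]+value\s*=\s*[\"']([^\"']+@[^\"']+)[\"']", re.I)
CAPTCHA_MARKER = re.compile(r"captcha", re.I)


@dataclass
class ScanResult:
    indicators: list[str] = field(default_factory=list)
    exfil_urls: list[str] = field(default_factory=list)  # bot token redacted

    @property
    def suspicious(self) -> bool:
        # A Telegram exfil endpoint alone is odd in an attachment; combined with a
        # credential or payment form it matches the pattern described in the article.
        return "telegram_exfil" in self.indicators and (
            "credential_form" in self.indicators or "payment_form" in self.indicators)


def scan_html_attachment(html: str) -> ScanResult:
    """Static check of one HTML attachment for the indicators named in the article."""
    result = ScanResult()
    if PASSWORD_INPUT.search(html):
        result.indicators.append("credential_form")
    if PAYMENT_FIELD.search(html):
        result.indicators.append("payment_form")
    if PREFILLED_EMAIL.search(html):
        result.indicators.append("prefilled_victim_email")
    if CAPTCHA_MARKER.search(html):
        result.indicators.append("captcha_gate")
    urls = TELEGRAM_BOT_API.findall(html)
    if urls:
        result.indicators.append("telegram_exfil")
        # Never log the raw bot token: redact it so the IoC can be shared safely.
        result.exfil_urls = sorted({re.sub(r"/bot[^/]+/", "/bot<redacted>/", u) for u in urls})
    return result


# Constructed sample: only the indicator fragments, not a working phishing page.
SAMPLE_PHISH_HTML = """<html><body>
<div class="g-recaptcha" data-sitekey="PLACEHOLDER"></div>
<form id="login">
  <input type="email" name="email" value="victim@example.com">
  <input type="password" name="pass">
  <input type="text" name="cardnumber"> <input type="text" name="cvv">
</form>
<script>
  // placeholder token, constructed for this example
  const endpoint = "https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage";
</script>
</body></html>"""

# Constructed benign sample: an ordinary login form posting back to its own site.
BENIGN_HTML = """<html><body>
<form method="post" action="/login">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish-sample", SAMPLE_PHISH_HTML), ("benign-sample", BENIGN_HTML)):
        r = scan_html_attachment(doc)
        print(f"{name}: suspicious={r.suspicious} indicators={r.indicators} exfil={r.exfil_urls}")
```

The check is deliberately conservative: a lone CAPTCHA widget or pre-filled address is common on legitimate pages, so only the pairing of an exfiltration endpoint with a credential or payment form raises the verdict. In practice the same indicators would be fed into the gateway's existing scoring rather than used as a single hard block.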
“It employs CAPTCHA filtering to evade security scans, pre-fills victim data to increase credibility, and uses Telegram bots to exfiltrate stolen credentials and payment information. Every function serves a single goal: industrial-scale credential theft.” – Group-IB researchers Ivan Salipur and Federico Marazzi
Technical Sophistication
The phishing kit used in this campaign is described as a “fully automated, multi-stage platform designed for efficiency and stealth.” Andrew Brandt, an expert in cyber defense, described its capabilities.
“The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website.” – Andrew Brandt
The kit tailors each phishing page at the moment a visitor first arrives, choosing the brand to impersonate from the AD_CODE string carried in the URL path. That AD_CODE value is then saved in a cookie, so the same branding stays uniform across every page that follows, which further increases the impression of authenticity.
“After the initial visit, the AD_CODE value is written to a cookie, which ensures that subsequent pages present the same impersonated branding appearance to the site visitor as they click through pages.” – Netcraft
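That behaviour leaves a trace in web proxy logs: a client's first request to a host carries an opaque path segment, and the client's subsequent requests to the same host carry a cookie named AD_CODE whose value is that segment. The detection below is an added example written for this article, not Netcraft's code or anything from the kit. It assumes the cookie name AD_CODE as the article reports it and that the cookie value equals the path segment; the proxy log format and all of the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> cookie=<Cookie header or ->"
SAMPLE_LOG = """\
2025-02-14T09:12:01Z 10.0.0.7 GET https://rental-confirm.example/x7Qp9Lz2/ cookie=-
2025-02-14T09:12:03Z 10.0.0.7 GET https://rental-confirm.example/verify cookie=AD_CODE=x7Qp9Lz2; sid=abc
2025-02-14T09:12:09Z 10.0.0.7 POST https://rental-confirm.example/payment cookie=AD_CODE=x7Qp9Lz2; sid=abc
2025-02-14T09:15:00Z 10.0.0.9 GET https://intranet.example/docs/2025/ cookie=session=zzz
2025-02-14T09:15:02Z 10.0.0.9 GET https://intranet.example/docs/2025/index cookie=session=zzz
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) cookie=(?P<cookie>.*)$")
AD_CODE_COOKIE = re.compile(r"(?:^|;\s*)AD_CODE=([^;]+)")


def find_ad_code_branding(log_text):
    """Return one hit per request whose AD_CODE cookie repeats a path segment the same
    client sent to the same host earlier in the log."""
    seen_segments = defaultdict(set)  # (client, host) -> path segments seen so far
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        parts = urlsplit(m["url"])
        key = (m["client"], parts.hostname)
        cm = AD_CODE_COOKIE.search(m["cookie"])
        if cm and cm.group(1) in seen_segments[key]:
            hits.append({
                "ts": m["ts"], "client": m["client"], "host": parts.hostname,
                "ad_code": cm.group(1), "url": m["url"],
            })
        # Record this request's path segments after the check, so the first visit
        # (which has no cookie yet) becomes the reference for later requests.
        seen_segments[key].update(seg for seg in parts.path.split("/") if seg)
    return hits


def suspicious_hosts(hits):
    """Hosts worth blocking or investigating, with the clients that reached them."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["client"])
    return {host: sorted(clients) for host, clients in by_host.items()}


if __name__ == "__main__":
    found = find_ad_code_branding(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['host']} AD_CODE={h['ad_code']} ({h['url']})")
    print("hosts:", suspicious_hosts(found))
```

Because the first visit carries no cookie, the rule keys on the sequence (opaque path segment, then the same value in a cookie) rather than on any single request, which keeps ordinary sites with path-like IDs from matching unless they also echo the ID into a cookie of that name.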
Implications for Users and Organizations
The implications of this aggressive phishing campaign go far beyond individual victims. The threat actors have deliberately tailored their tactics to local businesses, and the targeted recipients also include distributors, government-linked entities, and hospitality firms. This points to a deliberate aim of exploiting organizations whose routine handling of a high volume of RFQs and supplier communications makes a fraudulent request easy to miss.
“This regional focus is evident through targeted recipient domains belonging to local enterprises, distributors, government-linked entities, and hospitality firms that routinely process RFQs and supplier communications.” – The company
The campaign targets businesses with a high degree of precision, while its multilingual capability lets it reach potential victims across multiple countries and continents. Russian-language comments in the kit’s source code give an early indication of who is behind the operation.
As Group-IB researchers detail, this kind of automation has made phishing a much more industrialized enterprise.
“The automation observed in this particular kit exemplifies how phishing has become systematized – faster to deploy, harder to detect, and easier to replicate.” – Group-IB researchers Ivan Salipur and Federico Marazzi