Full Report
A Russian-speaking threat actor behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, is designed to target customers of the hospitality industry, specifically hotel guests who may have travel reservations, using spam emails. The campaign is said to have begun in…
Analysis Summary
# Threat Actor: Unidentified Russian-Speaking Threat Actor
## Attribution & Identity
* **Identification:** A Russian-speaking threat actor.
* **Aliases/Associations:** No specific group name or established alias is provided in the source, which refers to the actor generally as a "Russian-speaking threat."
## Activity Summary
This actor is behind an ongoing, mass phishing campaign that began "in earnest around February 2025." The primary goal of the campaign is to target customers of the hospitality industry. The actor has demonstrated significant infrastructure build-up, registering over 4,300 domain names since the start of the year (2025).
## Tactics, Techniques & Procedures
* **TTPs:**
    * **Mass Phishing/Domain Squatting:** Registration of a very large volume of domains intended to impersonate legitimate booking platforms.
    * **Email Delivery:** Use of spam emails to reach hotel guests with reservations.
* **MITRE ATT&CK IDs:** Not explicitly mentioned in the article.
## Targeting
* **Sectors:** Hospitality industry.
* **Geography:** Not specified, but the actor is identified as Russian-speaking.
* **Victims:** Customers/guests with travel reservations, specifically targeting those using Booking, Expedia, Agoda, and Airbnb.
## Tools & Infrastructure
* **Malware Families:** Not mentioned.
* **Infrastructure:**
    * **Domains:** Registered over 4,300 fraudulent domain names since early 2025.
    * **Domain Examples:** High volume of domains containing "Booking" (685 domains), followed by variations of "Expedia" (18), "Agoda" (13), and "Airbnb" (12).
    * **URLs/IPs:** Infrastructure details are available in a linked GitHub repository; the text summary itself provides no defanged examples.
## Implications
This campaign represents a highly scalable and sustained financial fraud operation targeting a specific user behavior (travel booking). The sheer volume of domains registered indicates significant operational capacity and a sustained commitment to credential and payment data theft from travelers.
## Mitigations
* **User Education:** Increased awareness among travelers (hotel guests) regarding phishing attempts delivered via spam email before or during travel reservations.
* **Domain Monitoring:** Proactive monitoring and takedown requests for domains impersonating legitimate hospitality and booking services.
* **Travel Security Hygiene:** Advising users to avoid clicking links in unexpected emails related to travel and instead navigate directly to official booking websites for confirmation or payment updates.
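As an added example (not part of this report or of Netcraft's research), the following Python routine shows the kind of brand-keyword triage a defender might run over a newly-registered-domain feed to flag names mimicking the four brands the report names; the feed entries, the allowlist and the homoglyph table are constructed assumptions, not indicators from the report.

```python
import re
from typing import Dict, List, Optional

# Brands the report names as impersonation targets.
BRANDS = ("booking", "expedia", "agoda", "airbnb")

# Digit-for-letter substitutions common in lookalike labels (assumed, not from the report).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Brand-owned registrable domains excluded from hits (constructed allowlist, not from the report).
LEGIT_DOMAINS = {"booking.com", "expedia.com", "agoda.com", "airbnb.com"}

# Constructed sample of a newly-registered-domain feed; none of these are indicators from the report.
SAMPLE_FEED = [
    "booking-guest-confirm.example", "b00king-reservation.example", "expedia-refund.example",
    "agoda-verify.example", "4irbnb-host-payout.example", "www.booking.com", "weather-today.example",
]


def registrable_domain(domain: str) -> str:
    """Return the last two labels, lowercased ('booking.com' for 'www.booking.com')."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Strip separators and undo common homoglyph digits: 'b00king-guest' -> 'bookingguest'."""
    return re.sub(r"[-_]", "", label).translate(HOMOGLYPHS)


def impersonated_brand(domain: str) -> Optional[str]:
    """Return the brand a domain appears to mimic, or None for allowlisted or unrelated names."""
    reg = registrable_domain(domain)
    if reg in LEGIT_DOMAINS:
        return None
    label = normalize(reg.split(".")[0])  # second-level label only; the TLD is ignored
    for brand in BRANDS:
        if brand in label:
            return brand  # keyword hit; an analyst still reviews it ('overbooking' would be benign)
    return None


def triage(domains: List[str]) -> Dict[str, List[str]]:
    """Group suspicious domains by mimicked brand, preserving feed order within each group."""
    hits: Dict[str, List[str]] = {}
    for d in domains:
        brand = impersonated_brand(d)
        if brand:
            hits.setdefault(brand, []).append(d)
    return hits


if __name__ == "__main__":
    for brand, ds in triage(SAMPLE_FEED).items():
        print(f"{brand} ({len(ds)}): {ds}")
```

Per-brand group sizes from `triage` give the same shape of breakdown as the report's 685/18/13/12 counts, which makes day-over-day growth in a brand's bucket a useful trigger for takedown requests.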