VERY IMPORTANT

A Russian-speaking threat actor has orchestrated a large-scale phishing campaign targeting travelers by registering over 4,300 domain names since early 2025. The sophisticated operation impersonates major travel brands like Airbnb and Booking.com to steal payment card data. The phishing sites use customized pages based on unique URL strings, fake CAPTCHA systems, and multilingual translations to appear legitimate. The campaign employs malicious emails with links that redirect through multiple sites before reaching the phishing page. The attacker consistently registers new domains, focusing on specific registrars and using naming conventions that incorporate travel-related terms and hotel names. The phishing kit includes real-time data collection and Russian language elements in the source code.