
We've thoroughly mapped the campaign's vast infrastructure and uncovered its hidden patterns in Part 2, but to truly understand the threat, we need to go beyond the observable network. Part 3 takes us deeper, revealing a remarkable discovery: files that offer a direct look into the threat actors' internal operations, including victim data and their command-and-control mechanisms.


Interesting file identified


So far, we've been able to understand the campaign's scope, various ways to conduct threat hunting, and how to identify new infrastructure. But the next question we asked ourselves was: Are there files that interact with any of the URLs we've identified? So, we started running different queries in Google Threat Intelligence, and one of them gave an interesting result.

embedded_url:"https://booking.confirmation-"


As a result of the previous query, we found a RAR file that embeds the URL hxxps://booking-confirmation.id61519619[.]date/p/360580105. It's not exactly the domain pattern we've been discussing, but it's very close and seemed interesting enough to analyze. The RAR file was first uploaded to GTI on 2024-09-17, which indicates it's likely related to an older campaign.

The RAR file contains a folder named ChatExport_2024-09-12. This folder holds HTML files named messages[sequential_number].html (where sequential_number is a series of numbers, e.g. messages113.html), as well as the following folders:

  • css
  • files
  • images
  • js
  • photos
  • round_video_messages
  • stickers
  • video_files


The most interesting information is found in the files folder and in the HTML files in the main folder. The files folder contains XLS files holding hotel information and guest reservation check-in details. Among the information identified, we've verified the presence of fields such as booking number, guest name, check-in, check-out, rooms, persons, price, payment method, payment status, and remarks.


Figure 13: Sample of information found in the XLS files


Most XLS files follow a naming pattern like Check-in_ 2023-10-06 to 2025-05-12.xls (with the dates changing from one file to another). On the other hand, there are also files named хуетаполная.xls or хуетAU.xls, which translate to "complete bullshit" and "Fuck AU" respectively, but in both cases, they include the same type of information mentioned previously.


Figure 14: Example of XLS files found


In addition to these XLS files, the files folder also contains TXT files that follow the naming pattern bookings_1714070330.txt (the number changes from file to file and appears to be a timestamp). The content of these TXT files usually has the following format:

ID|Potential Phishing URL|Victim Name and Surname


After analyzing all the TXT files, a total of 4727 entries were found. As an example, with the surnames removed from one of the identified files, the structure is as follows:

4288978392|https://booking-acceptance.id7025952.date/p/469721259|Zdeňka
1002158967|https://booking-acceptance.id7025952.date/p/252952452|Klaudia
1765220922|https://booking-acceptance.id7025952.date/p/524802246|Tim
1765229583|https://booking-acceptance.id7025952.date/p/110390723|Christian
2286734163|https://booking-acceptance.id7025952.date/p/972626209|Bohdana
2711402539|https://booking-acceptance.id7025952.date/p/651852046|Beata
3041886535|https://booking-acceptance.id7025952.date/p/128521414|John
3189067073|https://booking-acceptance.id7025952.date/p/559744710|Mavroudis
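When a leak like these bookings_<timestamp>.txt files turns up, the first defensive questions are how many victims are listed, which phishing hosts were used (so they can be blocked and reported), and when the batch was generated. The following Python script is an added example, not code from the original post or from GTI: it parses the ID|URL|Name format, treats the number in the file name as a Unix epoch timestamp (an assumption, since the post only says it "appears to be a timestamp"), skips malformed lines, redacts names to the first token as the listing above does, and defangs the hostnames for reporting. The sample input is constructed; the two phishing hostnames in it are the ones quoted in the post, while the IDs, names and the second file name are made up.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample input modelled on the bookings_<timestamp>.txt files
# described in the post. IDs, names and the second file name are made up;
# the phishing hostnames are the ones quoted in the post.
SAMPLE_FILES = {
    "bookings_1714070330.txt": (
        "4288978392|https://booking-acceptance.id7025952.date/p/469721259|Alice Example\n"
        "1002158967|https://booking-acceptance.id7025952.date/p/252952452|Bob Example\n"
        "this line does not follow the format\n"
    ),
    "bookings_1714156730.txt": (
        "1765220922|https://booking-confirmation.id61519619.date/p/360580105|Carol Example\n"
        # the same victim ID can appear in more than one dump
        "4288978392|https://booking-acceptance.id7025952.date/p/469721259|Alice Example\n"
    ),
}

FILENAME_RE = re.compile(r"^bookings_(\d{9,10})\.txt$")
LINE_RE = re.compile(r"^(\d+)\|(https?://[^|\s]+)\|(.*)$")


def file_timestamp(filename):
    """Interpret the number in bookings_<n>.txt as a Unix epoch time (UTC); assumption."""
    m = FILENAME_RE.match(filename)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


def parse_entries(text):
    """Split ID|URL|Name lines; malformed lines are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"id": m.group(1), "url": m.group(2), "name": m.group(3)})
    return entries


def defang(value):
    """Render a URL or hostname so it cannot be clicked by accident in a report."""
    return value.replace("http", "hxxp", 1).replace(".", "[.]")


def redact(name):
    """Keep the first name only, as the post's own listing does."""
    parts = name.split()
    return parts[0] if parts else ""


def triage(files):
    """Aggregate every dump: victim count, unique phishing hosts, earliest batch time."""
    entries = []
    for filename, text in files.items():
        batch_time = file_timestamp(filename)
        for entry in parse_entries(text):
            entry["file_time"] = batch_time
            entry["name"] = redact(entry["name"])
            entries.append(entry)
    hosts = sorted({urlsplit(e["url"]).hostname for e in entries})
    return {
        "total_entries": len(entries),
        "unique_victim_ids": len({e["id"] for e in entries}),
        "phishing_hosts": hosts,
        "defanged_hosts": [defang(h) for h in hosts],
        "first_seen": min(e["file_time"] for e in entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

The host list is what goes to the blocklist and to the registrar abuse desk; the victim IDs and redacted names stay in the case file, and the batch timestamps give a rough timeline of when each dump was produced.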


Turning to the HTML files mentioned earlier, these contain an extensive log of interactions, seemingly from a system related to bookings and transactions. It details various transactions with information such as transaction IDs, services rendered, property names, prices, and critical payment details including card numbers, issuing banks, payment systems (MC, VISA), status, and countries of origin.

Notably, the files also include Telegram links associated with specific worker IDs (e.g., "@dept_sales"), suggesting that these usernames are tied to the transactions carried out on the phishing website. In this way, the operators ensure that a worker is assigned to each operation to obtain the victims' financial data.


Figure 15: Example of log identified with information about transactions


In our analysis of the HTML files, we identified a total of 118 unique Telegram accounts mentioned throughout them. Many of these accounts belong to operators involved in the phishing campaign, as they appear in strings such as "Воркер: #klgerkgoergko (@onlycashvvs)", where "Воркер" translates to "worker". We also confirmed that some of these accounts are still available. The following list contains the Telegram accounts discovered:

  • razikgikk
  • chiefkeef095
  • pizdec_nahuy_pro
  • wwwaaaxxx
  • En0t777
  • piyupivo
  • Mallusck
  • ya_soliii
  • HollyHellsing
  • darks1de777
  • hfgujisdg
  • goodkidsmaadcity
  • KrakenTomm
  • Tandjiiroo
  • Elchapoel
  • wtcrimson
  • RevolutLimited
  • rocarlos1337
  • stalnoekolesiko1
  • lownormalhigh
  • VildRise2
  • anqez1
  • og_tomik
  • sanders_wt
  • zxcFAKEGEN
  • wwwaaaxxxx
  • POLKO9
  • OG_sisik_dedok
  • redakciaForbes
  • molodoimalchikdengi
  • PH_MTR
  • scmluxe
  • fooooxxx_1
  • pab1o777
  • sglilyy
  • Elliot_420
  • findmexdq
  • trytofriendfortuna8
  • B3rl1in
  • lovelly121
  • Zzona445
  • pnzo78ud
  • ashkav2
  • Oppkop2281
  • gabapentium
  • buda_iy
  • vbiver_ebi
  • black6jack
  • cashcali
  • astrit_gold
  • WT_fooxxx
  • Elliot_044
  • lovlybadtrip
  • dead_pooII
  • wsapmel
  • m00ree_psychokids
  • xARSENIY
  • Bumblebeeeeeee
  • wtapap
  • YKTFL_dabb
  • clepoy_kf
  • favorit_91
  • dept_sales
  • DefaultBorov
  • ascnuumm
  • Cartieronmee
  • JuicerTON
  • kev1nwt
  • jbsvavonme1
  • POXMisterX
  • wtmoneko
  • qwertyweqq
  • hkobooking
  • PIVOED228
  • plsdme
  • nfuknf
  • Genshitss
  • scamsecurityesitgrc
  • yMiratvorenie
  • username101239
  • Stillworkee2
  • manager_official7
  • S_H_R_E_D_E_
  • yako_j
  • majorkawt
  • m00re1
  • og_Nimb
  • yolis444
  • harrychelm
  • haharekrisna
  • subowt
  • taxixst
  • TOM_3211
  • djery_wt
  • os5d1
  • sssukkkkaaa
  • xRAMPAGA
  • anxtosha
  • UzrTarxunchik_O
  • ewqyy
  • MAMOHTCVV
  • wtworkmachine
  • TT_CziaoDzi
  • luc1fer111
  • onlycashvvs
  • WT_KasT
  • matvey2006brawl
  • JustFloyd
  • tyhmatyosa
  • MadaraMadara666
  • slimecsum
  • visacarduser
  • yoshikss
  • Lexx_sus228
  • Vsedenigivmiremo
  • monkey_di_flufi
  • qqqqqqqqq13
  • wtleko
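Pulling a deduplicated handle list like the one above out of a Telegram chat export is mostly a matter of regular expressions and of not confusing e-mail addresses, short tokens or reserved t.me paths with usernames. The following Python extractor is an added example, not code from the original post or from GTI: it collects handles from "@name" mentions and from t.me links, merges them case-insensitively (Telegram usernames are case-insensitive, and five to thirty-two characters of letters, digits and underscores), and flags the ones that appear in a "Воркер: #id (@name)" string as workers. The HTML fragment is constructed to mimic the export format described in the post; the handles in it are illustrative, and the reserved-path list is a small assumed subset of t.me paths that are not usernames.

```python
import re
from html import unescape

# Constructed HTML fragment mimicking the Telegram chat export described in the
# post (worker strings and t.me links). The handles are illustrative.
SAMPLE_HTML = """
<div class="text">Воркер: #klgerkgoergko (@onlycashvvs)<br>Статус: оплачено</div>
<div class="text">Воркер: #abc123 (@OnlyCashVVS)</div>
<div class="text">Менеджер: <a href="https://t.me/dept_sales">@dept_sales</a></div>
<div class="text">Contact: support@example.com, invite https://t.me/joinchat/AAAA</div>
<div class="text">Ticket #4521 assigned to @tg (too short to be a handle)</div>
"""

# Telegram usernames: 5-32 chars, letters/digits/underscore, starting with a letter.
USERNAME = r"([A-Za-z][A-Za-z0-9_]{4,31})\b"
HANDLE_RE = re.compile(r"(?<![\w.])@" + USERNAME)          # excludes e-mail addresses
TME_RE = re.compile(r"https?://t\.me/" + USERNAME)
WORKER_RE = re.compile(r"Воркер:\s*#\S+\s*\(@" + USERNAME + r"\)")

# t.me paths that are not user handles (assumed subset).
RESERVED_PATHS = {"joinchat", "share", "addstickers", "proxy", "socks"}


def extract_handles(html):
    """Return {lowercase_handle: {"handle", "mentions", "worker"}} from an export."""
    text = unescape(html)
    found = {}

    def record(handle):
        key = handle.lower()
        entry = found.setdefault(key, {"handle": handle, "mentions": 0, "worker": False})
        entry["mentions"] += 1

    for m in HANDLE_RE.finditer(text):
        record(m.group(1))
    for m in TME_RE.finditer(text):
        if m.group(1).lower() not in RESERVED_PATHS:
            record(m.group(1))
    for m in WORKER_RE.finditer(text):
        found[m.group(1).lower()]["worker"] = True
    return found


def worker_handles(html):
    """Sorted handles that appear in the 'Воркер: #... (@name)' pattern."""
    return sorted(k for k, v in extract_handles(html).items() if v["worker"])


if __name__ == "__main__":
    for key, info in sorted(extract_handles(SAMPLE_HTML).items()):
        role = "worker" if info["worker"] else "other"
        print(f"{key}: {info['mentions']} mention(s), {role}")
```

Run over every messagesN.html in an export, the merged dictionary gives the unique-account count and which accounts are explicitly tied to the "worker" role, which is the distinction the post draws when it attributes accounts to campaign operators.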


YARA Rules


The following YARA rules can be used in Google Threat Intelligence to monitor activity related to this campaign.

This rule identifies Tier 1 URLs that redirect to the hostname pattern we have identified on Tier 2 domains:

import "vt"

rule Booking_Campaign_Tier1_Redirecting_PhishingTier2_June25 {
  meta:
    target_entity = "url"
    author = "GTI"
    sample_url = "http://hostelmandarinkauxeh.eto-la.com/"
    date = "2025/06/23"
    description = "This rule identifies Tier 1 URLs that redirect to the hostname pattern we have identified on Tier 2 domains."
    //query_gti = entity:url redirects_to:"https://booking.confirmation-*" and not hostname:"booking.confirmation-"
  condition:
    for any vt_net_url_redirects in vt.net.url.redirects: (
      vt_net_url_redirects contains "https://booking.confirmation-id"
    ) and not
    vt.net.url.hostname startswith "booking.confirmation-id"
}


This rule identifies Tier 1 URLs that meet a set of metadata identified in the titles and meta tags of the HTML:

import "vt"

rule Booking_Campaign_Tier1_Matching_HTML_Metadata_June25 {
  meta:
    target_entity = "url"
    author = "GTI"
    sample_url = "https://booking.2020000542.world/yzidotc"
    date = "2025/06/23"
    description = "This rule identifies Tier 1 URLs that meet a set of metadata identified in the titles and meta tags of the HTML."
    //query_gti = entity:url redirects_to:"https://booking.confirmation-*" and not hostname:"booking.confirmation-"
  condition:
    (
        vt.net.url.html_title istartswith "One moment" or // we have observed different types of dots '.'; with this we ensure we catch all of them
        vt.net.url.html_title == "AD not found (captcha2)"
    ) and
    (
        for any vt_net_url_html_meta_tags in vt.net.url.html_meta_tags: (
            for any vt_net_url_html_meta_tags_values in vt_net_url_html_meta_tags.values: (
                vt_net_url_html_meta_tags_values istartswith "Booking -" or
                vt_net_url_html_meta_tags_values == "https://ltdfoto.ru/images/2025/06/04/photo_2025-06-02_11-23-22.md.jpg" or
                vt_net_url_html_meta_tags_values startswith "https://cf.bstatic.com/xdata/images/hotel/" 
            )
        )
    ) and not
    (
        vt.net.url.hostname startswith "booking.confirmation-id" or
        vt.net.url.hostname == "booking.com" 
    )
}


This rule identifies domains that match a pattern identified in the campaign:

import "vt"

rule Booking_Campaign_Domains_Tier2_June25  {
  meta:
    target_entity = "domain"
    author = "GTI"
    sample_url = "booking.confirmation-id79508.com"
    date = "2025/06/23"
    description = "This rule identifies domains that match a pattern identified in the campaign."
    //query_gti = entity:domain domain_regex:"^booking\.confirmation-id[0-9]{5}\.com$"
  condition:
    vt.net.domain.raw matches /^booking\.confirmation-id[0-9]{5}\.com$/
}


This rule identifies URLs that match the pattern identified in the Tier 2 infrastructure:

import "vt"

rule Booking_Campaign_Tier2_URLs_June25 {
  meta:
    target_entity = "url"
    author = "GTI"
    sample_url = "https://booking.confirmation-id77351.com/reservation/"
    date = "2025/06/23"
    description = "This rule identifies URLs that match the pattern identified in the Tier 2 infrastructure."
    //query_gti = entity:url hostname:"booking.confirmation-id*"
  condition:
    vt.net.url.new_url and
    vt.net.url.hostname startswith "booking.confirmation-id"
}
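The four rules only run inside Google Threat Intelligence, but the same classification logic is useful over other URL telemetry (proxy logs, crawler output, sandbox network captures). The following Python module is an added example, not code from the original post or from GTI: it re-expresses each rule's condition as a function over a plain dictionary record and tags a URL as Tier 1 redirector, Tier 1 by HTML metadata, Tier 2 URL, or Tier 2 domain. The record fields hostname, redirects, html_title, meta_values and new_url are an assumed flat model of the vt.net.url and vt.net.domain attributes used in the rules; the sample records reuse the hostnames from the rules' sample_url fields plus constructed titles and meta values, and the last record shows where the URL rule and the stricter domain regex disagree.

```python
import re

# Strings and pattern taken from the rules above.
TIER2_HOST_PREFIX = "booking.confirmation-id"
TIER2_DOMAIN_RE = re.compile(r"^booking\.confirmation-id[0-9]{5}\.com$")
TIER2_REDIRECT_MARKER = "https://booking.confirmation-id"
KNOWN_META_IMAGE = "https://ltdfoto.ru/images/2025/06/04/photo_2025-06-02_11-23-22.md.jpg"
HOTEL_IMAGE_PREFIX = "https://cf.bstatic.com/xdata/images/hotel/"


def is_tier2_domain(domain):
    """Booking_Campaign_Domains_Tier2_June25: exactly five digits, .com TLD."""
    return bool(TIER2_DOMAIN_RE.match(domain))


def is_tier2_url(rec):
    """Booking_Campaign_Tier2_URLs_June25: any new URL on the hostname prefix."""
    return bool(rec.get("new_url", True)) and rec["hostname"].startswith(TIER2_HOST_PREFIX)


def is_tier1_redirector(rec):
    """Booking_Campaign_Tier1_Redirecting_PhishingTier2_June25."""
    redirects_to_tier2 = any(TIER2_REDIRECT_MARKER in r for r in rec.get("redirects", []))
    return redirects_to_tier2 and not rec["hostname"].startswith(TIER2_HOST_PREFIX)


def is_tier1_by_metadata(rec):
    """Booking_Campaign_Tier1_Matching_HTML_Metadata_June25."""
    title = rec.get("html_title", "")
    # casefold().startswith mirrors istartswith and tolerates "One moment..." vs "One moment…"
    title_hit = title.casefold().startswith("one moment") or title == "AD not found (captcha2)"
    meta_hit = any(
        v.casefold().startswith("booking -")
        or v == KNOWN_META_IMAGE
        or v.startswith(HOTEL_IMAGE_PREFIX)
        for v in rec.get("meta_values", [])
    )
    excluded = rec["hostname"].startswith(TIER2_HOST_PREFIX) or rec["hostname"] == "booking.com"
    return title_hit and meta_hit and not excluded


def classify(rec):
    """Apply all four rules; returns the list of matching tags (possibly empty)."""
    tags = []
    if is_tier1_redirector(rec):
        tags.append("tier1_redirect")
    if is_tier1_by_metadata(rec):
        tags.append("tier1_metadata")
    if is_tier2_url(rec):
        tags.append("tier2_url")
    if is_tier2_domain(rec["hostname"]):
        tags.append("tier2_domain")
    return tags


# Constructed records: hostnames from the rules' sample_url fields, other fields made up.
SAMPLE_RECORDS = [
    {"hostname": "hostelmandarinkauxeh.eto-la.com",
     "redirects": ["https://booking.confirmation-id77351.com/reservation/"]},
    {"hostname": "booking.2020000542.world", "html_title": "One moment…",
     "meta_values": ["Booking - Example Hotel", HOTEL_IMAGE_PREFIX + "max1024x768/example.jpg"]},
    {"hostname": "booking.com", "html_title": "One moment...",
     "meta_values": ["Booking - Example Hotel"]},          # legitimate site, excluded
    {"hostname": "booking.confirmation-id79508.com", "new_url": True},
    {"hostname": "booking.confirmation-id7950.com", "new_url": True},   # 4 digits: URL rule only
]


def classify_all(records):
    return {r["hostname"]: classify(r) for r in records}


if __name__ == "__main__":
    for host, tags in classify_all(SAMPLE_RECORDS).items():
        print(f"{host}: {tags or ['no match']}")
```

Keeping each rule as its own function makes it straightforward to measure which rule fires on what share of your own traffic, and to see that the domain regex is deliberately tighter than the URL hostname prefix.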


Wrapping up

This deep dive into a recent phishing campaign targeting Booking.com users highlights the importance of understanding threat actor tactics for proactive defense. We’ve demonstrated how a single malicious email can unravel a much larger infrastructure, identifying both Tier 1 (redirector) and Tier 2 (phishing content host) domains.

Key takeaways from our analysis include:

  • Phishing Distribution: The campaign ingeniously leveraged Booking.com's official messaging system and legitimate email channels, making it highly effective.
  • Infrastructure Discovery: By analyzing HTML titles and meta tags, and using patterns in domain names, we were able to identify and categorize a significant number of malicious URLs.
  • Campaign Timeline: Activity spiked significantly from January 2025, with May and June being particularly busy, suggesting a recent surge in this specific campaign.
  • Redirection Analysis: Over half of the identified URLs acted as redirectors, emphasizing the multi-stage nature of the attack. We also pinpointed key domains used for these redirects.

By applying these threat hunting methodologies and utilizing tools like Google Threat Intelligence and Google Colab, organizations and individuals can enhance their ability to detect and research similar campaigns. This detailed investigation provides actionable insights that can be translated into more robust security measures and YARA rules to counter evolving attack techniques.


We have created a collection in Google Threat Intelligence to share the IOCs that we have discovered during the research.

As always, we are happy to hear your feedback.

Other entries in the series Actionable threat hunting with Google Threat Intelligence

Actionable threat hunting with GTI (II) - Analyzing a massive phishing campaign - Part 1

Actionable threat hunting with GTI (II) - Analyzing a massive phishing campaign - Part 2
