Group-IB uncovered GHOST STADIUM, a Chinese-speaking financially motivated phishing operation targeting the 2026 FIFA World Cup with a pixel-perfect fake FIFA website and more than 300 domains. The campaign was linked to extensive infrastructure and could drive premium ticket fraud losses of US$71–474 million. #GHOSTSTADIUM #FIFA #GroupIB
Key points
- Group-IB identified GHOST STADIUM as a Chinese-speaking, financially motivated threat group running a sophisticated phishing campaign.
- The operation used a pixel-perfect clone of the official FIFA website, including replicated SSO authentication and multilanguage support.
- The campaign leveraged more than 300 domains and was tied to 47 analyzed network IoCs after filtering.
- Researchers estimated potential premium ticket fraud losses of US$71–474 million.
- DNS analysis found 14 domain IoCs in seven typosquatting groups, suggesting shared threat infrastructure.
- Additional investigation uncovered 3,083 email-connected domains, 15 IP-connected domains, and 544 string-connected domains.
- Network telemetry showed 607 unique victim-associated IP addresses communicating with 13 of the IP IoCs.
MITRE Techniques
- [T1566] Phishing – The group used a phishing campaign to lure victims with a fake FIFA site and login flow (‘sophisticated phishing campaign using more than 300 domains’).
- [T1583] Acquire Infrastructure – The operation registered and operated a large malicious domain and IP infrastructure (‘using more than 300 domains’ and typosquatting groups).
- [T1608.005] Stage Capabilities: Link Target – The group staged a clone of the official FIFA website, including its sign-in flow, as the landing page behind its phishing links (‘pixel-perfect clone of the official FIFA website complete with a replicated single sign-on (SSO) authentication flow’). A cloned site hosted on attacker-registered domains is staged, attacker-owned infrastructure; the page gives no evidence of compromised third-party infrastructure, so T1584 Compromise Infrastructure does not apply.
- [T1583.001] Acquire Infrastructure: Domains – The domains impersonated FIFA through typosquatting and lookalike registrations (‘fifa-com[.]site’, ‘www-fifa[.]com[.]co’). This is the ATT&CK sub-technique that covers typosquatted and lookalike domains; T1036 Masquerading describes disguised files, tasks and processes on a host, not domain names.
Indicators of Compromise
- [Domains] phishing and typosquatting infrastructure – fifa-com[.]site, fifa-com[.]co, fifa[.]center, fifaweb[.]com, www-fifa[.]com[.]co
- [IP Addresses] network infrastructure and historical resolutions – 137[.]220[.]224[.]67, 104[.]225[.]235[.]49, and 12 other IP IoCs (14 in total)
- [Email Addresses] historical WHOIS artifacts tied to related domains – 28 unique email addresses, of which 12 are public (webmail-style) addresses
- [Domain-to-IP Resolutions] DNS Chronicle historical mappings for domains – fifaweb[.]com (262), fifa[.]center (193), and 29 other domains; the number in parentheses is the count of historical IP resolutions recorded for that domain
- [IP-to-Domain Resolutions] DNS Chronicle historical mappings for IPs – 137[.]220[.]224[.]67 (1,000), 104[.]225[.]235[.]49 (329), and 12 other IPs; the number in parentheses is the count of domains that historically resolved to that IP
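The typosquatting groups and the defanged domain IoCs above lend themselves to a small detection exercise: refang the indicators, decide whether a hostname is a brand lookalike, bucket lookalikes into typosquat groups across TLDs (so fifa-com[.]site and fifa-com[.]co land in one group, as the report's grouping does), and flag DNS queries to them. The following Python is an added example written for this page; it is not Group-IB's, CircleID's or WhoisXML API's code. It assumes the brand string ‘fifa’, an allowlist containing only fifa.com as the legitimate registrable domain, and constructed DNS log lines with invented client IPs and timestamps.

```python
"""Refang, classify and group brand-lookalike domains (added example, not from the report)."""
import re
from collections import defaultdict

BRAND = "fifa"
# Assumption for this example: fifa.com is the only legitimate brand domain.
LEGIT = {"fifa.com"}

# Constructed input: the defanged domain IoCs listed on this page plus two
# benign hosts, so the classifier sees both classes.
SAMPLE_IOCS = [
    "fifa-com[.]site", "fifa-com[.]co", "fifa[.]center", "fifaweb[.]com",
    "www-fifa[.]com[.]co",
    "www[.]fifa[.]com", "example[.]org",
]


def refang(ioc: str) -> str:
    """Undo common defanging ([.], (.), [dot], hxxp) so the value matches live telemetry."""
    s = ioc.strip().lower()
    for dot in ("[.]", "(.)", "[dot]"):
        s = s.replace(dot, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s.strip(".")


def is_legit(domain: str) -> bool:
    """True when the host is, or sits under, an allow-listed brand domain."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT)


def lookalike_key(domain: str, brand: str = BRAND):
    """Return a typosquat-group key for a brand lookalike, or None if it is not one.

    A host is a lookalike when the brand string occurs inside one of its DNS
    labels and the host is not legitimate. The key is that label with the brand
    replaced by a placeholder, so sibling registrations that differ only in the
    TLD (fifa-com.site / fifa-com.co) share a group, while fifaweb.com and
    www-fifa.com.co form groups of their own.
    """
    if is_legit(domain):
        return None
    for label in domain.split("."):
        if brand in label:
            return label.replace(brand, "{brand}")
    return None


def group_lookalikes(iocs):
    """Refang each IoC and bucket the lookalikes by their typosquat pattern."""
    groups = defaultdict(list)
    for raw in iocs:
        host = refang(raw)
        key = lookalike_key(host)
        if key is not None:
            groups[key].append(host)
    return dict(groups)


# Constructed DNS query log: timestamp, client IP, qname, qtype. The clients and
# timestamps are invented; the qnames include two IoCs from this page.
SAMPLE_DNS_LOG = """\
2026-06-11T10:02:13Z 10.0.4.21 fifa-com.site A
2026-06-11T10:02:14Z 10.0.4.21 www.fifa.com A
2026-06-11T10:03:02Z 10.0.7.9 www-fifa.com.co AAAA
2026-06-11T10:05:40Z 10.0.4.22 example.org A
"""


def flag_queries(log_text: str):
    """Return (client, qname, group_key) for every query that hits a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        _ts, client, qname, _qtype = parts[:4]
        key = lookalike_key(qname.lower().rstrip("."))  # strip FQDN trailing dot
        if key is not None:
            hits.append((client, qname, key))
    return hits


if __name__ == "__main__":
    for key, hosts in sorted(group_lookalikes(SAMPLE_IOCS).items()):
        print(f"{key:14s} -> {', '.join(hosts)}")
    for client, qname, key in flag_queries(SAMPLE_DNS_LOG):
        print(f"ALERT {client} queried {qname} (group {key})")
```

The grouping key is deliberately crude: it keys on the label that carries the brand string, which is enough to reproduce the cross-TLD sibling grouping the report describes but will also fold unrelated registrations with the same label together. For production use, replace the fixed allowlist with the organisation's own list of legitimate brand domains and add the public suffix list so that the registrable label (for www-fifa.com.co, the label left of the com.co suffix) rather than the first brand-bearing label drives the grouping.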
Read more: https://circleid.com/posts/dns-deep-dive-ghost-stadium-takes-advantage-of-fifa-2026