The 2026 FIFA World Cup is a once-in-a-generation opportunity, and threat actors have already begun capitalizing on it. The 2026 FIFA World Cup, set to kick off on June 11, has already broken records for the most host nations, the most matches, and the highest amount of prize money to date for winning teams. Arctic Wolf set out to proactively investigate the criminal ecosystem surrounding the tournament. Our observations reveal that malicious infrastructure was already in place and fully operational months before kickoff, that it is overwhelmingly mobile-first, and that it has expanded its scope beyond defrauding fans, to directly targeting the people and organizations running the event.
The single most important technical finding for defenders is that MFA is not, by itself, protecting World Cup-adjacent organizations. One fake-careers phishing kit we found runs a real-time adversary-in-the-middle (AiTM) relay that consumes a victim’s one-time code within seconds of it being issued, inside the attacker’s own login session, which shows that multi-factor authentication codes are being defeated in transit.
The research presented in this report is based on our continuous monitoring of newly registered, World Cup-themed domains since January 2026; our tracking of suspect WhatsApp, Telegram, and Discord channels promoted across social media; our static and dynamic analysis of recovered malware samples; and infrastructure we found pivoting on FIFA branding and shared artifacts. Note that where we describe an attack chain, this reflects directly observed behavior of recovered samples and live infrastructure, not theoretical modeling. All findings in this report are referential.
One core pattern is consistent across nearly everything we observed: A post on social media links to an external platform (usually WhatsApp, Telegram, or Discord); the actual scheme or scam lives inside the messenger, not on social media.
This indirection is deliberate, and it works on two levels. On the social media platform, the link points only to a messenger invite, so the post itself stays “clean,” evades takedown, and keeps pulling in new victims. Inside the messenger, the operator has more room to maneuver, which they use to their advantage. Mobile devices are generally less protected against phishing, and (critically) users tend to place more trust in content they see on a phone than on their desktop. Since there is less general public awareness around how mobile malware works, fans may be less likely to stop and consider that a mobile link could carry malware or cost them money.

Figure 1: Ad for FIFA World Cup match services shown on WhatsApp.
The lures themselves cluster around a handful of themes crafted to sound irresistible to fans: free match streaming, bets to “predict the winner,” cheap ticket purchases, and various cryptocurrency angles tied to the tournament. The vast majority of the destination sites appear to be generated with AI.
In practice, the least painful outcome for fans is the installation of adware on their device or the loss of money through a fraudulent online payment. The outcomes get worse from there.
A recurring design choice we kept finding is for the cybercriminal to delay executing the malicious payload until the victim is under time pressure, and (in theory) less able to think critically. Rather than burning malicious links weeks in advance, several channels and groups we observed simply asked users to subscribe now, with the promise that they would post the direct stream link five minutes before kickoff. (“Get stream links instantly. 5 minutes before every match“, claimed one lure.)
When a match is about to start, fans are likely in a state of high excitement and may not stop to verify whether a link is malicious. So they click the link, accept every “yes” prompt the page spawns, and try to watch the match while, in the background, their device is quietly compromised. We also expect a meaningful share of World Cup threats to materialize during the tournament, with malicious links pushed minutes before – or even during – matches.

Figure 2: This “Five minutes prior” lure bets on excited fans failing to verify links before clicking.
The consumer-facing side of this cybercriminal ecosystem is broad, but one mobile sample illustrates how early and how seriously some actors are investing in it.
Roughly six months before the tournament, a mobile threat distributed under the guise of buying World Cup tickets was being served from the site aaworldcuptickets[.]com as FIFA_WorldCup_Tickets.apk. This Android-targeting package is a multi-stage loader: a primary classes.dex decrypts a first-stage DEX, which in turn decrypts a second-stage DEX. Its main payload performs cryptocurrency mining from the infected device, beaconing to command-and-control infrastructure under the domain fud2026[.]com, including a mining pool on port 9000.
The same domain was previously observed in attacks in Brazil and India, suggesting an established operator repurposing infrastructure for the World Cup. Full hashes and C2 are in the IOC table in our public GitHub repository.
The more novel, and arguably more serious, finding is that attackers are going after the organizers and the broader supply chain of the event itself.
Philadelphia is one of 11 US host cities out of 16 total across the US, Canada, and Mexico, and will host six matches at Lincoln Financial Field. We recovered a purpose-built PDF that directly targets people working on the games in that city: a three-page document titled “Employee Handbook – Understanding employment at FIFA World Cup 26 Philadelphia.” It is styled with the Liberty Bell and a credible HR layout, and its metadata names the city’s legitimate tourism organization (discoverphl.com) and an intended recipient inside.

Figure 3: Philadelphia “Employee handbook” targeting the people working on the games in the city.
The payload is delivered by the technique of QR-code phishing, known as quishing. The document ends by asking the victim to scan a QR code “to access the digital version of the handbook,” complete with a friendly step-by-step guide to opening their camera and tapping the (malicious) link. On a mobile device, which is typically less protected than a desktop, that QR code redirects the victim onward to malicious resources.

Figure 4: Malicious QR code at the back of the Philadelphia “Employee Handbook” fake document.
Several details are of note regarding this malicious PDF document:
<</Title (64cbf60f4d3853579576d909efb4eeec.html) /Creator (Mozilla/5.0 \(Windows NT 10.0; Win64; x64\) AppleWebKit/537.36 \(KHTML, like Gecko\) HeadlessChrome/139.0.0.0 Safari/537.36) /Producer (Skia/PDF m139) /CreationDate (D:20250916174018+00'00') /ModDate (D:20250916174018+00'00')>>
Because the delivery pattern is generic (PDF → QR code → malicious resource opened on a less-protected mobile device), it is likely that other host cities have been targeted with comparable lures.
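The Info dictionary quoted above carries the most useful triage signals in this document: a hash-named `.html` title, a HeadlessChrome creator, a Skia/PDF producer, and identical creation and modification timestamps. As an added example (written for this page, not Arctic Wolf's or anyone else's tooling), the Python below parses that dictionary straight from its raw bytes, handling the escaped parentheses in the Creator string, and turns those details into triage flags. The sample bytes are the report's own metadata embedded inline; the flag heuristics and thresholds are my own and are labelled as such in the code.

```python
import re
from typing import Dict, List

# Constructed sample: the Info dictionary quoted in the report, embedded as bytes so the
# example runs offline. A real triage job would pull this from the PDF's trailer /Info object.
SAMPLE_INFO = (
    b"<</Title (64cbf60f4d3853579576d909efb4eeec.html) "
    b"/Creator (Mozilla/5.0 \\(Windows NT 10.0; Win64; x64\\) AppleWebKit/537.36 "
    b"\\(KHTML, like Gecko\\) HeadlessChrome/139.0.0.0 Safari/537.36) "
    b"/Producer (Skia/PDF m139) /CreationDate (D:20250916174018+00'00') "
    b"/ModDate (D:20250916174018+00'00')>>"
)

KEY_OPEN = re.compile(r"/([A-Za-z0-9]+)\s*\(")


def parse_info_dict(raw: bytes) -> Dict[str, str]:
    """Extract `/Key (literal string)` pairs from a PDF Info dictionary.

    PDF literal strings may contain backslash escapes and balanced unescaped
    parentheses, so a single regex is not enough; this walks each string by hand.
    Hex strings (<...>) and nested dictionaries are out of scope for this helper.
    """
    text = raw.decode("latin-1")
    entries: Dict[str, str] = {}
    pos = 0
    while True:
        match = KEY_OPEN.search(text, pos)
        if not match:
            return entries
        depth, i, out = 1, match.end(), []
        while i < len(text) and depth > 0:
            ch = text[i]
            if ch == "\\" and i + 1 < len(text):
                nxt = text[i + 1]
                # \( \) and \\ resolve to the literal character; other escapes are kept as-is
                out.append(nxt if nxt in "()\\" else ch + nxt)
                i += 2
                continue
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    i += 1
                    break
            out.append(ch)
            i += 1
        entries[match.group(1)] = "".join(out)
        pos = i


def triage_flags(info: Dict[str, str]) -> List[str]:
    """Heuristic flags (my own, not from the report) for a PDF used as a quishing carrier.

    These raise priority rather than block: headless-Chrome rendering is also how many
    legitimate web-to-PDF exports are produced.
    """
    flags = []
    if "HeadlessChrome/" in info.get("Creator", ""):
        flags.append("rendered by HeadlessChrome (scripted HTML-to-PDF, not an office suite)")
    if info.get("Producer", "").startswith("Skia/PDF"):
        flags.append("Skia/PDF producer (Chromium print pipeline)")
    if re.fullmatch(r"[0-9a-f]{32}\.html", info.get("Title", "")):
        flags.append("title is a 32-hex .html filename, i.e. a hash-named HTML source")
    if info.get("CreationDate") and info.get("CreationDate") == info.get("ModDate"):
        flags.append("CreationDate equals ModDate (generated in one shot, never edited)")
    return flags


if __name__ == "__main__":
    parsed = parse_info_dict(SAMPLE_INFO)
    for key, value in parsed.items():
        print(f"{key:13s} {value}")
    for flag in triage_flags(parsed):
        print("FLAG:", flag)
```

Pointed at a mail-gateway or EDR PDF feed, the same four checks let a SOC sort HR-themed attachments by how much they look like a rendered web page rather than a document someone authored in an office suite.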
Pivoting on the FIFA logo and branding led us to a cluster of lure domains built specifically to impersonate those “hiring at FIFA.” As of 28 May 2026, we identified ten such domains (full list available on our public GitHub), for example fifa-careerpath[.]com, fifahiring[.]com, and jobs-fifa[.]com.


Figure 5: Real Google Calendar invite to a fake meeting with a “FIFA recruiter” whose identity may be fabricated or stolen from LinkedIn.
Their objective is theft of corporate Google Workspace accounts, and this kit is far more advanced than the typical static credential-capture page. Everything communicates with a single backend, hosted at hxxps://fifeq2026eqbackeq[.]onrender[.]com, where the eq strings are filler inserted to obscure what otherwise reads as “fifa2026back.”
The chain unfolds in five distinct phases:

Figure 6: Theft of corporate Google Workspaces: attack chain.
Why MFA doesn’t help here: The second factor is consumed within seconds of being issued, inside the attacker’s session. One-time codes and SMS/email approvals provide no protection against this design. Only phishing-resistant authentication (such as passkeys or FIDO2/WebAuthn hardware keys, which are cryptographically bound to the target’s legitimate origin) breaks the relay.
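To make the contrast concrete, the following Python is an added simulation (my own, not Arctic Wolf's analysis code or any real kit) of the two designs side by side. Part 1 models a code-based second factor and a relay that consumes the victim's code inside the attacker's own session. Part 2 models a WebAuthn-style credential in which the browser writes the origin it is actually on into the signed client data and the relying party rejects any assertion whose origin is not its own. The origins are constructed stand-ins, and an HMAC over the client data stands in for the authenticator's private-key signature, which keeps the example in the standard library.

```python
import hashlib, hmac, json, os, secrets

# Constructed stand-ins for a legitimate identity-provider origin and a lure domain.
LEGIT_ORIGIN = "https://accounts.example-idp.com"
PHISH_ORIGIN = "https://fifa-careerpath.example"

# ---- Part 1: a one-time code is bound to nothing but time -------------------------
class OtpIdentityProvider:
    def __init__(self):
        self.pending = {}  # session_id -> code sent to the user's phone

    def start_login(self, username, password):
        session_id, code = secrets.token_hex(8), f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = code
        return session_id, code  # code returned only to simulate SMS/email delivery

    def finish_login(self, session_id, code):
        return hmac.compare_digest(self.pending.pop(session_id, ""), code)

def aitm_relay_otp(idp):
    # The lure forwards the victim's credentials into a login session the attacker owns;
    # the victim then types the code they received into the lure, and the attacker
    # submits it inside that same session within seconds.
    attacker_session, code_on_victim_phone = idp.start_login("victim@corp.example", "pw-from-lure")
    return idp.finish_login(attacker_session, code_on_victim_phone)

# ---- Part 2: origin-bound credentials (WebAuthn-style) ----------------------------
class Authenticator:
    def __init__(self):
        self.creds = {}  # rp_id -> credential; a credential is scoped to one domain

    def make_credential(self, rp_id):
        # "secret" stands in for the authenticator's private key (HMAC replaces ECDSA here)
        self.creds[rp_id] = {"id": os.urandom(16), "secret": os.urandom(32)}
        return self.creds[rp_id]

def rp_id_from_origin(origin):
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]

def browser_get_assertion(authn, current_origin, challenge):
    # The browser, not the page, derives the RP ID from the origin the user is actually
    # on and writes that origin into the data the authenticator signs.
    cred = authn.creds.get(rp_id_from_origin(current_origin))
    if cred is None:
        return None  # no credential for this domain: the user is never even prompted
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": current_origin}).encode()
    signature = hmac.new(cred["secret"], hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"credential_id": cred["id"], "client_data": client_data, "signature": signature}

class PasskeyRelyingParty:
    def __init__(self, origin):
        self.origin, self.registered, self.outstanding = origin, {}, set()

    def register(self, cred):
        self.registered[cred["id"]] = cred["secret"]

    def new_challenge(self):
        challenge = secrets.token_urlsafe(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, assertion):
        if assertion is None:
            return False
        data = json.loads(assertion["client_data"])
        if data.get("origin") != self.origin:
            return False  # the relay's tell: the signed origin is the lure, not us
        if data.get("challenge") not in self.outstanding:
            return False  # replayed or never issued
        self.outstanding.discard(data["challenge"])
        secret = self.registered.get(assertion["credential_id"])
        if secret is None:
            return False
        expected = hmac.new(secret, hashlib.sha256(assertion["client_data"]).digest(), "sha256").digest()
        return hmac.compare_digest(expected, assertion["signature"])

def legitimate_passkey_login(rp, authn):
    return rp.verify(browser_get_assertion(authn, rp.origin, rp.new_challenge()))

def aitm_relay_passkey(rp, authn):
    # The attacker fetches a genuine challenge and relays it into the lure page.
    return rp.verify(browser_get_assertion(authn, PHISH_ORIGIN, rp.new_challenge()))

def run_demo():
    idp, rp, authn = OtpIdentityProvider(), PasskeyRelyingParty(LEGIT_ORIGIN), Authenticator()
    rp.register(authn.make_credential(rp_id_from_origin(LEGIT_ORIGIN)))
    results = {
        "otp_relay_succeeds": aitm_relay_otp(idp),
        "passkey_legit_succeeds": legitimate_passkey_login(rp, authn),
        "passkey_relay_no_scoped_credential": aitm_relay_passkey(rp, authn),
    }
    # Even if the lure domain somehow held its own credential, the origin check rejects it.
    authn.make_credential(rp_id_from_origin(PHISH_ORIGIN))
    results["passkey_relay_wrong_origin"] = aitm_relay_passkey(rp, authn)
    return results

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:36s} {outcome}")
```

The two defences stack: the browser will not offer a credential that is not scoped to the domain the user is on, and even an assertion produced somewhere else fails the relying party's origin check before the signature is ever examined. A code typed into a page, by contrast, carries no information about where it was typed.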

Figure 7: Lure-graphic advertising ticket prices for the World Cup 2026.
Users who shop for tickets from a traditional Windows desktop machine are not safe either. We analyzed a malicious archive with a lure-graphic that advertises “Ticket Prices World Cup 2026” (see above). The chain is straightforward but effective: a delivered file masquerading as WorldCup_Tickets_Viewer?gnp.exe unpacks an obfuscated batch script (datafacebook_obf.bat) alongside a decoy JPEG. When the batch file runs, it drops a UPX-packed executable that functions as a comprehensive infostealer.

Figure 8: Malicious archive content for the decoy advert shown in Figure 7.
Once the machine is infected, it harvests browser secrets (cookies, saved passwords, autofill and payment-profile data, browsing and search history), messaging and session material (Discord tokens, Telegram tdata), clipboard contents and a desktop screenshot, saved Wi-Fi profiles and passwords, and a wide range of application credentials, such as Steam session data, FileZilla credentials, PuTTY keys and sessions, and WinSCP / KeePass / 1Password-related data. All stolen data is then exfiltrated to attacker-controlled Telegram and Discord channels. The hashes from this attack can be found in our public GitHub repository.
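Both malware families described here leave their clearest trace on the network: the Android miner beacons to fud2026[.]com and a pool on port 9000, and the desktop infostealer pushes its haul to Telegram and Discord. The following Python is an added detection sketch (mine, not a detection from the Aurora platform) that runs those two rules over egress-proxy log lines. The log lines and process names are constructed; the fud2026[.]com domain and port 9000 come from the report; the Telegram Bot API `/bot<token>/send...` and Discord `/api/webhooks/...` path shapes are the public API formats and are my assumption about how a stealer of this kind would exfiltrate, not something the report spells out.

```python
import re
from typing import List, Optional, Tuple

# Constructed egress-proxy log lines, space separated:
# time host process dst_host dst_port method path bytes_out
SAMPLE_LOG = """\
2026-05-30T19:55:03Z ws-042 chrome.exe www.fifa.com 443 GET /tickets/ 1204
2026-05-30T19:55:41Z ws-042 WorldCup_Tickets_Viewer.exe api.telegram.org 443 POST /bot000000000:PLACEHOLDER-TOKEN/sendDocument 2488320
2026-05-30T19:56:02Z ws-042 WorldCup_Tickets_Viewer.exe discord.com 443 POST /api/webhooks/000000000000000000/PLACEHOLDER 51200
2026-05-30T19:58:10Z android-17 com.example.tickets pool.fud2026.com 9000 CONNECT - 640
2026-05-30T20:01:00Z ws-019 Discord.exe discord.com 443 GET /api/v9/gateway 320
2026-05-30T20:03:12Z ws-007 Telegram.exe api.telegram.org 443 POST /api 512
"""

# Indicators from the report: the miner's C2/pool domain and its port 9000 listener.
MINER_C2_SUFFIX = "fud2026.com"
MINER_POOL_PORT = 9000

# Assumption: stealers commonly exfiltrate through the Telegram Bot API and Discord
# webhooks. These regexes match the public API path formats, not report-supplied data.
TELEGRAM_BOT_SEND = re.compile(r"^/bot[^/]+/send(Document|Message|Photo)$")
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/\d+/[^/]+$")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_line(line: str) -> Optional[dict]:
    fields = line.split()
    if len(fields) != 8:
        return None  # malformed line; a real pipeline would count these
    return {
        "time": fields[0], "host": fields[1], "process": fields[2],
        "dst": fields[3].lower(), "port": int(fields[4]), "method": fields[5],
        "path": fields[6], "bytes_out": int(fields[7]),
    }


def classify(ev: dict) -> Optional[str]:
    """Return a verdict string for one event, or None if it matches no rule."""
    if ev["dst"] == MINER_C2_SUFFIX or ev["dst"].endswith("." + MINER_C2_SUFFIX):
        return "miner-c2: connection to fud2026.com infrastructure"
    if ev["port"] == MINER_POOL_PORT and ev["process"] not in BROWSERS:
        return "miner-pool: non-browser process talking to tcp/9000"
    if ev["method"] == "POST" and ev["dst"] == "api.telegram.org" and TELEGRAM_BOT_SEND.match(ev["path"]):
        return "exfil: Telegram Bot API upload from " + ev["process"]
    if ev["method"] == "POST" and ev["dst"] in ("discord.com", "discordapp.com") and DISCORD_WEBHOOK.match(ev["path"]):
        return "exfil: Discord webhook POST from " + ev["process"]
    return None


def detect(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Run every rule over the log; return (line_no, host, process, verdict) per hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict:
            hits.append((line_no, ev["host"], ev["process"], verdict))
    return hits


if __name__ == "__main__":
    for line_no, host, process, verdict in detect(SAMPLE_LOG):
        print(f"line {line_no}: {host} {process}: {verdict}")
```

Note the two negatives in the sample: the official Discord client talking to its gateway and a Telegram client that never touches a `/bot.../send` path. The webhook and bot-upload rules key on the path shape plus the POST method precisely so that ordinary chat traffic to the same hosts does not fire.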
Since January 2026, we have catalogued more than 10,000 new domains registered under the broad umbrella of the World Cup, approximately 2000 new domains per month. The majority are not likely malicious, but between the sheer volume of new domains and the use of generative AI (to spin up sites, write content, and even produce applications), the cost of launching credible, distinct lures has collapsed. Automation of these types of attacks has reached a new level, and the volume alone makes manual triage by defenders impractical.
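At roughly 2000 new domains a month, the first cut has to be automatic. The Python below is an added example (my own scoring, not Arctic Wolf's domain-tracking pipeline) of a keyword-based scorer that ranks a batch of newly registered domains by how closely they match the lure patterns described in this report: the FIFA brand, tournament terms, and the recurring verbs (tickets, hiring, careers, jobs, streams). The input list mixes the defanged domains the report names with constructed examples for contrast; the weights, threshold and allowlist are assumptions to be tuned against real feeds, and the TLD handling is deliberately naive (no public-suffix list).

```python
from typing import List, Tuple

# Constructed input: the defanged domains named in the report plus made-up contrast cases.
SAMPLE_NEW_DOMAINS = [
    "aaworldcuptickets[.]com", "fifa-careerpath[.]com", "fifahiring[.]com",
    "jobs-fifa[.]com", "fud2026[.]com",
    "fifa.com", "worldcup2026-free-stream-live.xyz", "philadelphia-sports.org", "bakery-2026.com",
]

# Assumed term lists and weights; tune these against a real registration feed.
BRAND = ("fifa",)
EVENT = ("worldcup", "world-cup", "wc2026", "2026")
LURE = ("ticket", "hiring", "career", "job", "stream", "bet", "predict", "crypto", "free")
ALLOWLIST = {"fifa.com"}  # known-legitimate registrable domains; extend from your own data


def refang(domain: str) -> str:
    """Normalise a defanged indicator ("example[.]com") to a plain domain."""
    return domain.strip().lower().replace("[.]", ".")


def score_domain(domain: str) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher means more World-Cup-lure-shaped."""
    d = refang(domain)
    if d in ALLOWLIST:
        return 0, ["allowlisted"]
    name = ".".join(d.split(".")[:-1])  # strip the last label only (naive TLD handling)
    score, reasons = 0, []
    if any(b in name for b in BRAND):
        score += 3
        reasons.append("brand:fifa")
    if any(e in name for e in EVENT):
        score += 2
        reasons.append("event-term")
    lure_hits = [w for w in LURE if w in name]
    if lure_hits:
        score += 2 * min(len(lure_hits), 2)  # cap so long keyword salads do not dominate
        reasons.append("lure:" + ",".join(lure_hits))
    if "-" in name or any(c.isdigit() for c in name):
        score += 1  # hyphens/digits are common in lookalike registrations
        reasons.append("hyphen/digit")
    return score, reasons


def rank(domains: List[str], threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Score a batch, keep those at or above the threshold, highest first."""
    scored = []
    for domain in domains:
        score, reasons = score_domain(domain)
        if score >= threshold:
            scored.append((refang(domain), score, reasons))
    return sorted(scored, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for domain, score, reasons in rank(SAMPLE_NEW_DOMAINS):
        print(f"{score:2d}  {domain:40s} {' '.join(reasons)}")
```

The point of the threshold is to hand analysts a short list: out of nine inputs here, five clear the bar, and the miner C2 domain (fud2026[.]com) deliberately does not, which is a reminder that keyword scoring catches lures aimed at fans and job seekers, not infrastructure that never needs to look like anything.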
Several of the threats we investigated are designed to peak during the event itself. We anticipate a surge of last-minute “free stream” links pushed in the minutes before and during matches; continued quishing against host-city staff and vendors as more cities are operationally activated; and sustained AiTM phishing against any organization whose Google Workspace footprint can be tied to the tournament. The desktop infostealer threat will track ticket demand. In short, the activity we are seeing now is a rehearsal; the main event for attackers coincides with the main event for everyone else.
Arctic Wolf is committed to ending cyber risk, and when active campaigns are identified, we move quickly to protect our customers. We have leveraged threat intelligence around this threat activity to enhance detections in the Aurora® Superintelligence Platform, subject to customer environment and available telemetry.
As we track this campaign and discover new information, we may further refine our detections to account for additional indicators of compromise (IOCs) and techniques leveraged by the threat group behind this malicious activity.
Attackers are not waiting for the opening match to kick off before starting their attacks. Months ahead of the 2026 FIFA World Cup, a mature criminal ecosystem is already silently monetizing the event across every layer of defense – and it has expanded from defrauding fans to compromising the very organizations that run the games.
The strategy is simple. Lures stay clean on social media and pull victims into their messengers, where mobile-first delivery exploits weaker defenses and higher user trust. Some are timed to detonate at the moment of least scrutiny, typically five minutes before kickoff, when fan excitement is at its highest level. The targets now include host-city staff, reached through quishing in convincing HR-themed documents, and any organization on Google Workspace, accessed through a phishing kit that defeats conventional MFA in real time. Meanwhile, the classic Windows infostealer continues to drain fan credentials and session material to Telegram and Discord. Generative AI underwrites all of the above, collapsing the cost of producing thousands of distinct, credible domains, sites, and apps.
For defenders, the priorities here are clear: adopt phishing-resistant authentication immediately, treat QR codes and “do not forward” pressure as inherently hostile, hunt the domain clusters described here, and share indicators across host cities; we believe that the generic delivery patterns we observed almost certainly point to parallel campaigns we have not yet seen.
The activity documented in this report is a dress rehearsal. The main event for attackers will coincide with the main event for the rest of the world.
For additional Appendix sections referenced in this report, including Indicators of Compromise, File Hashes, Phishing Domains, Behavioral/Exfiltration Indicators and more, please see our public GitHub repository.
Legal disclaimer: Attribution reflects Arctic Wolf Labs’ assessment as of the report period and may evolve with new evidence. References to threat actor identity, nexus, and intent are analytical judgments, not statements of legal fact. This alert is provided for informational purposes only and does not constitute a guarantee of detection or prevention. Defensive effectiveness varies by environment, configuration, and available telemetry.
Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.
Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.