
DNS Deep Dive: GHOST STADIUM Takes Advantage of FIFA 2026

As the world stays tuned for the latest updates related to the ongoing 2026 FIFA World Cup set to end on 19 July 2026, Group-IB spotted GHOST STADIUM, a Chinese-speaking, financially motivated group running a sophisticated phishing campaign using more than 300 domains.

The researchers noted GHOST STADIUM’s pixel-perfect clone of the official FIFA website complete with a replicated single sign-on (SSO) authentication flow and multilanguage support. They estimated that the campaign could result in potential financial losses from premium ticket fraud alone amounting to US$71–474 million.

Group-IB’s in-depth GHOST STADIUM investigation identified 48 network IoCs comprising domains and IP addresses. We weeded out the domain IoCs deemed to be likely legitimate or inactive by our tools after querying them on the WhoisXML API MCP Server. That left us with 47 IoCs comprising 33 domains and 14 IP addresses for our own analysis.

Our DNS deep dive into the GHOST STADIUM campaign led to these discoveries:

  • 14 of the domain IoCs that appeared in seven typosquatting groups with 3–8 members each
  • Three of the domain IoCs that were likely registered with malicious intent
  • 607 unique IP addresses that could belong to victims that communicated with 13 of the IP IoCs
  • 3,083 email-connected domains, one of which was confirmed malicious
  • 36 additional IP addresses, all of which were confirmed malicious
  • 15 IP-connected domains
  • 544 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

GHOST STADIUM Domain IoCs in the DNS Spotlight

We began our DNS foray into the GHOST STADIUM attack by taking a closer look at the 33 domain IoCs.

First, we queried the domain IoCs on Typosquatting API and discovered that 14 of them appeared in seven typosquatting groups with 3–8 members each bulk-registered between 18 May 2022 and 25 March 2026.

Three typosquatting groups had several domain IoCs as members, hinting that they could be part of the same threat infrastructure. Take a look at more information about them below.

DOMAIN IoC | GROUP NUMBER ID | GROUP MEMBER NUMBER | GROUP MEMBERS OTHER THAN THE IoCs | CREATION DATE
fifa-com[.]site, fifa-com[.]co, fifa-com[.]com, fifa-com[.]store, fifa-com[.]vip, fifa-com[.]website, fifa-com[.]xyz | 330 | 8 | fifa-com[.]online | 03/20/26
fifa[.]show, fifa[.]gold, fifa[.]city | 5411 | 6 | fifa[.]events, fifa[.]website, finfa[.]ai | 12/17/25 (4 had no dates)
www-fifa[.]co, www-fifa[.]me | 2225 | 4 | www-fifa[.]com[.]co, www-fifa[.]website | 03/25/26
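The grouping above can be reproduced locally on an exported IoC list. The script below is an added example, not Typosquatting API code: it refangs the `[.]`-style indicators, takes the leftmost DNS label as the imitated brand string (a simplification; production code would strip the public suffix using a public-suffix list so that a name like www-fifa[.]com[.]co is handled correctly in every case), and single-links labels that are within one edit of each other, which is how finfa[.]ai lands in the fifa[.] group. The domain list is the one in the table; the distance threshold is an assumption.

```python
"""Cluster defanged domain IoCs into lookalike (typosquatting) groups.

Added example; not WhoisXML API's Typosquatting API implementation.
Assumptions: the leftmost label is the imitated brand string, and a
Levenshtein distance of at most MAX_DISTANCE between labels means
"same group".
"""
from itertools import combinations

# Domains from the three typosquatting groups in the table above
# (the domain IoCs plus the non-IoC group members).
DOMAINS = [
    "fifa-com[.]site", "fifa-com[.]co", "fifa-com[.]com", "fifa-com[.]store",
    "fifa-com[.]vip", "fifa-com[.]website", "fifa-com[.]xyz", "fifa-com[.]online",
    "fifa[.]show", "fifa[.]gold", "fifa[.]city", "fifa[.]events",
    "fifa[.]website", "finfa[.]ai",
    "www-fifa[.]co", "www-fifa[.]me", "www-fifa[.]com[.]co", "www-fifa[.]website",
]

MAX_DISTANCE = 1  # assumption: one edit ("fifa" -> "finfa") still counts as a lookalike


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as fifa[.]center back into fifa.center."""
    return ioc.replace("[.]", ".").lower().strip()


def brand_label(domain: str) -> str:
    """Leftmost DNS label, used here as the string a squatter is imitating."""
    return refang(domain).split(".")[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_groups(domains, max_distance=MAX_DISTANCE):
    """Single-linkage clustering over brand labels.

    Two domains share a group when their labels are within max_distance
    edits of each other, directly or through other members. Returns the
    groups as lists of refanged domains, largest first."""
    parent = list(range(len(domains)))  # union-find forest

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    labels = [brand_label(d) for d in domains]
    for i, j in combinations(range(len(domains)), 2):
        if levenshtein(labels[i], labels[j]) <= max_distance:
            parent[find(i)] = find(j)

    groups = {}
    for i, d in enumerate(domains):
        groups.setdefault(find(i), []).append(refang(d))
    return sorted(groups.values(), key=len, reverse=True)


if __name__ == "__main__":
    for n, group in enumerate(typosquat_groups(DOMAINS), 1):
        print(f"group {n} ({len(group)} members): {', '.join(group)}")
```

Running it yields three groups of 8, 6 and 4 members, matching the member counts in the table. Raising `MAX_DISTANCE` merges groups quickly on short brand strings, so a threshold of 1 or 2 with a length check is the usual starting point when triaging bulk registrations.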

We also learned that three of the domain IoCs were likely registered with malicious intent 161–923 days before they were reported as IoCs on 27 May 2026. The First Watch Malicious Domains Data Feed result for the domain fifa[.]center, for instance, revealed that it was deemed likely to turn malicious when it was created on 16 November 2023, 923 days before the Group-IB report was published.

Next, we queried the domain IoCs on WHOIS API and found out that:

  • They were created between 23 May 2025 and 17 April 2026, making them all relatively new when they were deployed as attack vectors.
  • They were administered by five different registrars.
  • While two did not have registrant countries on record, the remaining 31 were registered in four different countries.

We then queried the domain IoCs on DNS Chronicle API and discovered that 31 of them recorded 1,508 historical domain-to-IP resolutions over time. Here are more details about five examples.

DOMAIN IoC | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | DATES SEEN
fifaweb[.]com | 262 | 04/17/17–03/27/26
fifa[.]center | 193 | 02/05/17–05/11/26
fifa[.]bio | 158 | 02/15/19–02/20/26
fifa[.]cash | 123 | 05/20/18–05/11/26
fifa[.]market | 111 | 06/03/18–05/16/26

Interestingly, all 31 domain IoCs with historical domain-to-IP resolutions continued to post resolutions this year.

GHOST STADIUM IP IoCs under the DNS Microscope

Next, we zoomed in on the 14 IP IoCs.

Sample network traffic data from the IASC revealed that 607 unique IP addresses potentially owned by victims under 43 distinct ASNs communicated with 13 of the IP IoCs between 7 December 2025 and 4 June 2026.

Our Bulk IP Geolocation Lookup results for the IP IoCs showed that:

  • They were geolocated in two countries, both of which were also among the domain IoCs’ registrant countries.
  • While two did not have ISPs on record, the remaining 12 were administered by four different entities.

We then queried the IP IoCs on DNS Chronicle API and found out that, together, they recorded 2,294 historical IP-to-domain resolutions over time. Take a look at more information for five examples below.

IP IoC | NUMBER OF IP-TO-DOMAIN RESOLUTIONS | DATES SEEN
137[.]220[.]224[.]67 | 1,000 | 05/26/20–06/06/22
104[.]225[.]235[.]49 | 329 | 07/28/17–05/11/26
89[.]208[.]250[.]38 | 294 | 02/06/17–02/12/26
66[.]112[.]212[.]25 | 205 | 02/04/17–09/05/24
65[.]49[.]223[.]138 | 171 | 11/28/17–02/05/26

As of this writing, seven of the IP IoCs with historical IP-to-domain resolutions continued to record resolutions this year.
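Both DNS Chronicle sections above (domain-to-IP and IP-to-domain history) and the First Watch lead-time observation boil down to the same bookkeeping over historical resolution records: count resolutions per indicator, find the first and last dates seen, flag indicators still resolving in the current year, and measure how far ahead of the IoC report a domain was flagged. The script below is an added example, not DNS Chronicle API or First Watch code. The resolution records in it are constructed for illustration (the resolved values are documentation-range placeholders, not infrastructure from the report); the report date and current year are taken from the post.

```python
"""Summarize historical DNS resolutions per IoC and flag still-active ones.

Added example; not WhoisXML API's DNS Chronicle API or First Watch code.
Assumes resolution history has already been exported as
(indicator, resolved value, date observed) tuples.
"""
from collections import defaultdict
from datetime import date

REPORT_DATE = date(2026, 5, 27)  # date the IoCs were reported, per the post
CURRENT_YEAR = 2026              # "this year" in the post

# Constructed sample records: (IoC, value it resolved to/from, date seen).
# The resolved values are RFC 5737 / .test placeholders, not real hosts.
RECORDS = [
    ("fifa[.]center", "192.0.2.10", date(2017, 2, 5)),
    ("fifa[.]center", "192.0.2.11", date(2024, 8, 1)),
    ("fifa[.]center", "192.0.2.12", date(2026, 5, 11)),
    ("fifa[.]bio", "198.51.100.7", date(2019, 2, 15)),
    ("fifa[.]bio", "198.51.100.8", date(2026, 2, 20)),
    ("66[.]112[.]212[.]25", "example-a.test", date(2017, 2, 4)),
    ("66[.]112[.]212[.]25", "example-b.test", date(2024, 9, 5)),
]


def refang(ioc: str) -> str:
    """fifa[.]center -> fifa.center, 66[.]112[.]212[.]25 -> 66.112.212.25."""
    return ioc.replace("[.]", ".").lower().strip()


def summarize(records, current_year=CURRENT_YEAR):
    """Per-IoC resolution count, first/last seen dates and an
    active-this-year flag, keyed by the refanged indicator."""
    by_ioc = defaultdict(list)
    for ioc, _value, seen in records:
        by_ioc[refang(ioc)].append(seen)

    summary = {}
    for ioc, dates in by_ioc.items():
        dates.sort()
        summary[ioc] = {
            "resolutions": len(dates),
            "first_seen": dates[0],
            "last_seen": dates[-1],
            # the post's "continued to record resolutions this year"
            "active_this_year": dates[-1].year >= current_year,
        }
    return summary


def still_active(summary):
    """Indicators worth keeping on a blocklist: they resolved this year."""
    return sorted(ioc for ioc, s in summary.items() if s["active_this_year"])


def lead_time_days(flagged_on: date, reported_on: date = REPORT_DATE) -> int:
    """Days between a domain being flagged (e.g. at creation) and the IoC report."""
    return (reported_on - flagged_on).days


if __name__ == "__main__":
    summary = summarize(RECORDS)
    for ioc, s in summary.items():
        print(f"{ioc}: {s['resolutions']} resolutions, "
              f"{s['first_seen']} to {s['last_seen']}, "
              f"active this year: {s['active_this_year']}")
    print("still active:", ", ".join(still_active(summary)))
    # fifa.center was flagged on its creation date in the post
    print("First Watch lead time for fifa.center:",
          lead_time_days(date(2023, 11, 16)), "days")
```

The `active_this_year` flag is what separates indicators that still need blocking from historical ones; `lead_time_days` reproduces the 923-day figure the post gives for fifa[.]center when fed its 16 November 2023 creation date.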

The Hunt for New GHOST STADIUM Artifacts

We started our search for potentially connected artifacts by querying the domain IoCs on WHOIS History API. We discovered that 10 of them had email addresses in their historical records. We collated 28 unique email addresses in all, and upon further scrutiny, learned that 12 were public email addresses.

Reverse WHOIS API queries for the public email addresses showed that 11 had connections. Together, they led to the discovery of 3,083 unique email-connected domains after those already tagged as IoCs were filtered out.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
