Excerpt: Three active threats: FortiBleed FortiGate harvester, multi-stage stego loaders (Remcos/Agent Tesla), and Ghost Stadium FIFA fraud.
Threat Summary
Live OTX data from June 26, 2026, indicates a convergence of high-volume credential theft and sophisticated malware delivery mechanisms. The threat landscape is dominated by three distinct campaigns:
- FortiBleed (CyberStrike Harvester): A large-scale operation targeting internet-facing FortiGate SSL VPNs. This campaign leverages a "credential factory" approach, utilizing password spraying and the CyberStrike Harvester v1.5 to capture configurations for offline cracking via hashcat.
- Steganographic Loader Campaign: A "loader-as-a-service" ecosystem utilizing steganography to hide payloads within documents. This campaign targets the financial sector (specifically India) and delivers a wide range of payloads including Remcos RAT, Agent Tesla, Formbook, and RedLine Stealer using fileless techniques.
- GHOST STADIUM: A Chinese-speaking threat actor targeting the 2026 FIFA World Cup. This operation utilizes a phishing-as-a-service model, deploying Vidar and Lumma stealers via pixel-perfect clones of FIFA authentication pages to harvest credentials and facilitate ticket/cryptocurrency fraud.
Collectively, these campaigns demonstrate a shift towards harvesting high-value credentials (VPN access, financial banking, and event ticketing) using obfuscation (steganography) and infrastructure abuse (fraudulent domains).
Threat Actor / Malware Profile
CyberStrike Harvester (FortiBleed)
- Type: Credential Harvester / Cracking Tool
- Distribution: Direct exploitation/scanning of FortiGate SSL VPN interfaces.
- Behavior: Attempts authentication via credential stuffing; harvests configuration files for offline cracking.
- Objective: Access to corporate network perimeter devices.
Steganographic Loader
- Type: Multi-Stage Loader
- Distribution: Phishing emails with archive attachments (e.g., .zip, .rar) masquerading as financial documents (GST, NEFT).
- Behavior: Uses steganography to embed malicious code within image files or document properties. Executes payloads in-memory to evade disk-based scanning.
- Payloads: Remcos RAT, Agent Tesla, MassLogger, Phantom Stealer, Formbook, xWorm.
- Persistence: Registry run keys, scheduled tasks.
GHOST STADIUM
- Type: Phishing-as-a-Service / Fraud Ring
- Distribution: Facebook ads and SEO poisoning directing to spoofed domains.
- Behavior: Clones FIFA authentication flows; distributes Vidar and Lumma stealers.
- Objective: Credential harvesting for ticket fraud and cryptocurrency theft.
IOC Analysis
The provided IOCs span three distinct vectors requiring different operational approaches:
- IPv4 (FortiBleed):
85.11.187.8,193.8.187.42.- Action: Immediate block on perimeter firewalls and proxy servers. Review firewall logs for historical connections to these IPs.
- Domains (GHOST STADIUM):
fifa.gold,fifa.black,fifa.tax,fifaweb.com, etc.- Action: Add to DNS sinkhole (RPZ) and web proxy blocklists. Monitor internal DNS requests for these domains to identify infected hosts.
- File Hashes (Stego Loader): Multiple MD5, SHA1, and SHA256 hashes associated with the loader and payloads.
- Action: Import into EDR detection rules. Initiate a historical scan for the presence of these hashes on user endpoints and file shares.
Detection Engineering
Sigma Rules
YAML
---
title: Potential Steganographic Loader Activity
id: 5b0f9c8d-1234-5678-9abc-1a2b3c4d5e6f
description: Detects PowerShell scripts loading image files or using System.Drawing.Bitmap, techniques often used in steganographic loaders like those distributing Agent Tesla or Remcos.
status: experimental
date: 2026/06/26
author: Security Arsenal
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'System.Drawing.Bitmap'
- 'FromBase64String'
- 'IO.MemoryStream'
filter:
CommandLine|contains:
- 'Microsoft.Update'
- 'WindowsUpdate'
condition: selection and not filter
falsepositives:
- Legitimate administrative scripts
level: high
tags:
- attack.defense_evasion
- attack.t1027
- steganography
---
title: FortiBleed C2 Infrastructure Connection
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects network connections to known IP addresses associated with the FortiBleed CyberStrike Harvester campaign.
status: experimental
date: 2026/06/26
author: Security Arsenal
logsource:
product: zeek
service: conn
detection:
selection:
dest.ip:
- '85.11.187.8'
- '193.8.187.42'
condition: selection
falsepositives:
- None
level: critical
tags:
- attack.command_and_control
- attack.c2
- fortibleed
---
title: GHOST STADIUM Phishing Domain Access
id: e5f6g7h8-9012-3456-7890-abcdef123456
description: Detects DNS requests or HTTP connections to domains identified in the GHOST STADIUM FIFA World Cup fraud campaign.
status: experimental
date: 2026/06/26
author: Security Arsenal
logsource:
product: windows
service: dns
detection:
selection:
EventID: 22
QueryName|contains:
- 'fifa.gold'
- 'fifa.black'
- 'fifa.tax'
- 'fifaweb.com'
- 'fifa.red'
- 'fifa.fund'
condition: selection
falsepositives:
- Legitimate FIFA access (unlikely for these specific TLDs)
level: high
tags:
- attack.initial_access
- attack.t1566
- phishing
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for Ghost Stadium Network Activity and Steganographic Loader Process Creation
let GhostDomains = dynamic(["fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com", "fifa.red", "fifa.fund", "fifa-com.shop", "fifa-com.site"]);
let FortiBleedIPs = dynamic(["85.11.187.8", "193.8.187.42"]);
union DeviceNetworkEvents, DeviceProcessEvents, SecurityEvent
| where TimeGenerated > ago(7d)
| where
(RemoteUrl in~ (GhostDomains)) or
(RemoteIP has_any (FortiBleedIPs)) or
(ProcessCommandLine has "System.Drawing.Bitmap") or
(ProcessCommandLine has "IO.MemoryStream")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, RemoteUrl, RemoteIP, ActionType
| extend IoCType = iff(RemoteUrl in~ (GhostDomains), "Ghost Stadium Domain",
iff(RemoteIP has_any (FortiBleedIPs), "FortiBleed IP",
"Stego Loader Suspicious Process"))
PowerShell Hunt Script
PowerShell
# IOC Hunter for FortiBleed, Stego Loaders, and Ghost Stadium
# Requires Administrative Privileges
Write-Host "[+] Starting IOC Hunt..." -ForegroundColor Cyan
# 1. Check for File Hashes (Stego Loader Samples)
$TargetHashes = @(
"7f74bb6ba185978134c318bc5f91d23c", # MD5
"268a8420b791df46380ed9ad69905207e15d8a7c", # SHA1
"2758f4d71a2a2dfdefab81737c2d776b2a3dafe5844fdd2157e089a28447ca98", # SHA256
"372f19a45d0eb4c8c52117c6ae2bb8040a91bc72be8670623f957a18c2166985" # SHA256
)
Write-Host "[*] Scanning for malicious file hashes (C:\ drive only)..." -ForegroundColor Yellow
$Matches = Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-FileHash -ErrorAction SilentlyContinue | Where-Object { $TargetHashes -contains $_.Hash }
if ($Matches) {
Write-Host "[!] ALERT: Malicious files found:" -ForegroundColor Red
$Matches | Format-Table Path, Hash, Algorithm
} else {
Write-Host "[-] No malicious files found on C:\." -ForegroundColor Green
}
# 2. DNS Cache Check for Ghost Stadium Domains
$BadDomains = @("fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com", "fifa.red", "fifa.fund")
Write-Host "[*] Checking DNS Cache for Ghost Stadium domains..." -ForegroundColor Yellow
$DnsCache = Get-DnsClientCache | Where-Object { $BadDomains -contains $_.Entry }
if ($DnsCache) {
Write-Host "[!] ALERT: Suspicious DNS cache entries found:" -ForegroundColor Red
$DnsCache | Format-Table Entry, Data, TimeToLive
} else {
Write-Host "[-] No suspicious DNS cache entries." -ForegroundColor Green
}
# 3. Active Network Connections for FortiBleed IPs
$BadIPs = @("85.11.187.8", "193.8.187.42")
Write-Host "[*] Checking active TCP connections for FortiBleed IPs..." -ForegroundColor Yellow
$Connections = Get-NetTCPConnection -State Established | Where-Object { $BadIPs -contains $_.RemoteAddress }
if ($Connections) {
Write-Host "[!] ALERT: Active connections to FortiBleed infrastructure found:" -ForegroundColor Red
$Connections | Format-Table LocalAddress, RemoteAddress, State, OwningProcess
} else {
Write-Host "[-] No active connections to FortiBleed IPs." -ForegroundColor Green
}
Write-Host "[+] Hunt complete." -ForegroundColor Cyan
Response Priorities
Immediate (0-4 hours)
- Block IOCs: Push all listed IPs and Domains to perimeter firewalls, secure web gateways, and endpoint detection systems.
- Hunt for Artifacts: Run the provided PowerShell script on critical endpoints and servers to detect active compromises.
- Quarantine: Isolate any endpoints returning positive hits for the Stego Loader file hashes or active connections to FortiBleed IPs.
Within 24 Hours
- Credential Audit: If FortiGate infrastructure is present, audit SSL VPN logs for the last 30 days for failed login anomalies or successful logins from the FortiBleed IP ranges.
- Password Reset: Force a password reset for any accounts suspected of being compromised via the GHOST STADIUM phishing campaign or the Stego Loader infostealers.
- Investigate Persistence: Check for scheduled tasks or registry run keys associated with the Remcos/Agent Tesla payloads on infected hosts.
Within 1 Week
- Architecture Hardening: Review FortiGate configurations; ensure MFA is enforced for all SSL VPN access and that non-administrative access is restricted.
- Mail Filtering: Update email gateway rules to block archive attachments (.zip, .rar) containing financial documents, specifically targeting GST/NEFT-themed lures.
- User Awareness: Brief finance and administrative teams on the specific FIFA World Cup phishing themes and the indicators of the financial document steganography campaign.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwarefortibleedghost-stadiumsteganographyvidar-stealerremcos-rat
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.