Current OTX Pulse data highlights a diverse threat landscape converging on credential harvesting and remote access. We observe a high-precision, event-based phishing operation by the GHOST STADIUM actor targeting the 2026 FIFA World Cup, utilizing Vidar and Lumma stealers. Parallel to this, the Y2K Operators are actively marketing and deploying the rewritten Millenium RAT (v4.*) via a Malware-as-a-Service (MaaS) model, now leveraging Telegram for C2 to avoid infrastructure takedowns. Simultaneously, the long-standing LokiBot infostealer remains active, delivered through malspam campaigns utilizing JScript attachments to bypass initial filters. Collectively, these campaigns emphasize a trend toward "Stealer-as-a-Service" and sophisticated social engineering to bypass perimeter defenses.
Threat Actor / Malware Profile
GHOST STADIUM
- Actor Profile: Chinese-speaking threat actor specializing in large-scale event fraud.
- Malware: Vidar (Loader/Stealer), Lumma (Stealer).
- Methodology: Operates over 300 fraudulent domains utilizing pixel-perfect clones of FIFA authentication systems. Exploits Facebook ads to drive traffic.
- Objective: Credential harvesting for financial gain and potential follow-up ransomware deployment via access brokers.
Y2K Operators / Millenium RAT
- Actor Profile: Developer 'ShinyEnigma' selling access for $50-90 USD.
- Malware: Millenium RAT (v4.*), AsyncRAT, XWorm.
- Methodology: Architectural rewrite from .NET to native C++. Uses Telegram Bot API for Command and Control (C2), eliminating the need for dedicated VPS infrastructure.
- Objective: Remote access, surveillance, and data exfiltration sold as a service.
LokiBot
- Actor Profile: Unknown (Commodity malware).
- Malware: LokiBot (S0447).
- Methodology: Distributed via malspam with JScript email attachments. Multi-stage infection chain designed to evade static analysis.
- Objective: Credential theft from browsers, crypto wallets, email/FTP clients.
IOC Analysis
The intelligence gathered reveals three distinct indicator sets requiring immediate attention:
- Typosquatting & Fraudulent Domains (GHOST STADIUM): High volume of domains mimicking official FIFA infrastructure (e.g.,
fifa.gold,fifa.black,fifaweb.com). These are used for credential phishing. - Malware Delivery Infrastructure (Millenium RAT): Specific domains hosting malicious payloads (
blackhatusa.com) and associated file hashes (SHA256:ccca11a6d5835999c40a0a5264084b3740633600c157754fad2ef59559e31736). The IP62.60.226.97serves as a node in this campaign. - Infostealer C2 & Delivery (LokiBot): The
alphastand.[trade|win|top]domain cluster is actively serving payloads and exfiltration data. The IP158.94.211.95is associated with this activity.
Operational Guidance:
- Block all listed domains at the DNS/Web Proxy layer immediately.
- Import file hashes into EDR quarantine lists.
- Correlate the
alphastanddomains with outbound traffic logs to identify active C2 beacons.
Detection Engineering
Sigma Rules
YAML
title: Potential GHOST STADIUM Phishing Domain Connection
id: 85a9b2c4-1234-4567-89ab-cdef12345678
description: Detects network connections to known GHOST STADIUM fraudulent FIFA domains observed in OTX Pulse.
author: Security Arsenal
date: 2026/06/29
modified: 2026/06/29
status: experimental
tags:
- attack.credential_access
- attack.initial_access
logsource:
category: network_connection
detection:
selection:
DestinationHostname|contains:
- 'fifa.gold'
- 'fifa.black'
- 'fifa.tax'
- 'fifaweb.com'
- 'fifa.red'
- 'fifa.fund'
- 'fifa-com.shop'
- 'fifa-com.site'
condition: selection
falsepositives:
- Legitimate traffic to unrelated domains (unlikely given specific TLDs)
level: high
---
title: Millenium RAT Malware Download Indicator
id: 95a9b2c4-2234-4567-89ab-cdef12345679
description: Detects file creation or download from known Millenium RAT delivery domain blackhatusa.com.
author: Security Arsenal
date: 2026/06/29
modified: 2026/06/29
status: experimental
tags:
- attack.command_and_control
- attack.execution
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: 'blackhatusa.com'
condition: selection
falsepositives:
- Legitimate software downloads (unlikely)
level: critical
---
title: LokiBot JScript Malspam Execution Pattern
id: 06a9b2c4-3234-4567-89ab-cdef1234567a
description: Detects execution of JScript files by wscript.exe or cscript.exe, a common vector for LokiBot malspam.
author: Security Arsenal
date: 2026/06/29
modified: 2026/06/29
status: experimental
tags:
- attack.initial_access
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_cli:
CommandLine|contains: '.js'
filter_legit:
ParentImage|contains:
- '\Program Files'
- '\Windows\System32'
condition: selection_img and selection_cli and not filter_legit
falsepositives:
- Administrative scripts running from temp paths
level: medium
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for GHOST STADIUM and LokiBot Network Indicators
let IOCs = pack_array('fifa.gold', 'fifa.black', 'fifaweb.com', 'alphastand.trade', 'alphastand.win', 'alphastand.top', 'blackhatusa.com');
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs) or RemoteIP in ('158.94.211.95', '62.60.226.97')
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ActionType
| extend ThreatContext = case(
RemoteUrl contains 'fifa', 'GHOST STADIUM Phishing',
RemoteUrl contains 'alphastand', 'LokiBot C2/Download',
RemoteUrl contains 'blackhatusa', 'Millenium RAT Download',
'Unknown IOC')
PowerShell Hunt Script
PowerShell
# IOC Hunt for Active Malware Artifacts
$IOC_Domains = @('fifa.gold', 'fifa.black', 'fifaweb.com', 'alphastand.trade', 'alphastand.win', 'blackhatusa.com')
$IOC_IPs = @('158.94.211.95', '62.60.226.97')
$IOC_Hashes = @('7b6473f036225bc35da89e5049ae55ba', 'ddbc1037925f7d6c07a9ddbe38286a2fcedc4890', 'ccca11a6d5835999c40a0a5264084b3740633600c157754fad2ef59559e31736')
Write-Host "[+] Checking DNS Cache for Malicious Domains..." -ForegroundColor Cyan
Get-DnsClientCache | Where-Object { $IOC_Domains -contains $_.Entry } | Select-Object Entry, Data
Write-Host "[+] Checking Established Network Connections..." -ForegroundColor Cyan
Get-NetTCPConnection -State Established | ForEach-Object {
$Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
$RemoteAddr = $_.RemoteAddress
if ($IOC_IPs -contains $RemoteAddr) {
Write-Host "Suspicious connection to $RemoteAddr found owned by PID $($_.OwningProcess) ($($Process.ProcessName))" -ForegroundColor Red
}
}
Write-Host "[+] Scanning for malicious file hashes (Current User Profile)..." -ForegroundColor Cyan
Get-ChildItem -Path $env:USERPROFILE -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5, SHA256 | Where-Object { $IOC_Hashes -contains $_.Hash } | Select-Object Path, Hash, Algorithm
# Response Priorities
* **Immediate:**
* Block all listed domains (`fifa.*`, `alphastand.*`, `blackhatusa.com`) and IPs (`158.94.211.95`, `62.60.226.97`) on secure web gateways and firewalls.
* Quarantine endpoints exhibiting indicators of compromise (IOCs) from the PowerShell script or Sigma alerts.
* **24 Hours:**
* Initiate credential resets for users who may have interacted with FIFA-related phishing emails or visited the fraudulent domains.
* Review logs for successful authentications or file downloads originating from the `alphastand` or `blackhatusa` infrastructure.
* **1 Week:**
* Update email filtering rules to block JScript attachments (`.js`) and macros to mitigate LokiBot and similar malspam campaigns.
* Conduct user awareness training focusing on event-based fraud (World Cup 2026) and the risks of downloading executables from non-standard domains.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwarevidarlummamillenium-ratlokibotmalspam
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.