
OTX Pulse Analysis: GHOST STADIUM, JINX-0164, and Bumblebee — Credential Theft & Ransomware Operations

Security Arsenal Team
July 1, 2026
6 min read

Threat Summary

The latest OTX pulses indicate an aggressive convergence of initial access vectors aimed at harvesting high-privileged credentials and facilitating ransomware deployment. Threat actors are combining high-volume social engineering (GHOST STADIUM) with highly targeted technical exploits (RMM vulnerabilities, SEO poisoning).

The GHOST STADIUM campaign represents a massive "Phishing-as-a-Service" operation targeting the 2026 FIFA World Cup, utilizing pixel-perfect clones of official infrastructure to distribute Vidar and Lumma stealers. Simultaneously, financially motivated actors like JINX-0164 are conducting LinkedIn-based social engineering against cryptocurrency entities to deliver custom macOS malware (AUDIOFIX, MINIRAT).

On the technical exploitation front, threat actors are actively exploiting CVE-2026-48558 in SimpleHelp RMM to deploy TaskWeaver and Djinn Stealer, while Bumblebee loaders are being distributed via SEO poisoning of IT tools (ManageEngine) to ultimately deliver Akira ransomware. The collective objective is rapid credential theft for lateral movement and financial extortion.

Threat Actor / Malware Profile

Actor/Malware       | Distribution                                        | Payload Behavior                                                                   | C2 & Persistence
--------------------|-----------------------------------------------------|------------------------------------------------------------------------------------|------------------------------------------------------------------------------
GHOST STADIUM       | Facebook Ads, fraudulent domains (fifa.*)           | Vidar/Lumma Stealers (Cookie/Password theft)                                       | Pixel-perfect phishing kits; credential exfiltration to actor-controlled domains.
JINX-0164           | LinkedIn Social Engineering (Recruiter personas)    | AUDIOFIX (Python Infostealer), MINIRAT (Go Backdoor)                               |
Bumblebee / Akira   | SEO Poisoning (Bing Search), Trojanized Installers  | Loads via DLL side-loading; conducts credential dumping; deploys Akira ransomware  |
TaskWeaver / Djinn  | Exploitation of CVE-2026-48558 (SimpleHelp RMM)     | TaskWeaver (Node.js Loader), Djinn Stealer                                         |

IOC Analysis

The provided IOCs span multiple infrastructure types indicative of a multi-stage kill chain:

  • Domains & Hostnames: A mix of "Typosquatting" (e.g., fifa.gold, opmanager.pro) and credential-harvesting infrastructure (e.g., login.teamicrosoft.com). SOC teams should immediately block these at the DNS layer and inspect historical logs for any resolved connections.
  • File Hashes: Includes MD5, SHA1, and SHA256 hashes for trojanized installers (ManageEngine), obfuscated loaders (Node.js), and macOS payloads. These should be added to EDR blocklist configurations.
  • IPv4 Addresses: Several C2 IPs (e.g., 172.96.137.160, 45.207.216.55) are associated with malware delivery and RCE callback. Firewall egress rules should be updated to deny traffic to these addresses.
  • CVEs: CVE-2026-48558 (SimpleHelp) and CVE-2026-55255 (Langflow) represent the primary exploitation vectors. Vulnerability scanning is required to identify unpatched RMM and AI development instances.
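The following is an added example (not code from the pulses or from Security Arsenal) that shows how to sweep the domain and hash indicators quoted above over DNS and file telemetry. It matches domains on DNS labels, so a host under a listed domain (login.fifa.gold) hits while a look-alike such as notfifa.gold does not, and it parses a Sysmon-style Hashes field so that MD5 and SHA256 indicators are checked in one pass. The log format and the sample events are constructed for the demonstration.

```python
from __future__ import annotations

# Indicators quoted in the pulse analysis above (the page's own values).
IOC_DOMAINS = {
    "fifa.gold", "fifa.black", "fifa.tax", "faweb.com", "fifa.red",
    "login.teamicrosoft.com", "opmanager.pro", "angryipscanner.org", "driver-updater.net",
}
IOC_HASHES = {
    "a746da514c90f26a187a294fda7edc1b",                                  # Bumblebee installer MD5
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",  # Bumblebee SHA256
    "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c",  # TaskWeaver SHA256
}

def matched_domain(query: str) -> str | None:
    """Return the listed domain that `query` is, or sits under; None otherwise.
    Walks label suffixes, so 'login.fifa.gold' hits 'fifa.gold' but 'notfifa.gold' does not."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in IOC_DOMAINS:
            return suffix
    return None

def matched_hash(hashes_field: str) -> str | None:
    """Parse a Sysmon-style 'MD5=..,SHA256=..,IMPHASH=..' field; return the first listed hash."""
    for part in hashes_field.split(","):
        value = part.partition("=")[2].strip().lower()
        if value in IOC_HASHES:
            return value
    return None

# Constructed sample telemetry (not real data), one event per line: "<time> <host> <type> <value>".
SAMPLE_LOG = """\
2026-07-01T09:12:03Z ws-014 dns login.fifa.gold
2026-07-01T09:12:09Z ws-014 dns notfifa.gold
2026-07-01T09:13:41Z ws-022 dns cdn.opmanager.pro.
2026-07-01T09:14:02Z ws-022 file MD5=A746DA514C90F26A187A294FDA7EDC1B,SHA256=0000000000000000000000000000000000000000000000000000000000000000
2026-07-01T09:15:17Z ws-031 file MD5=d41d8cd98f00b204e9800998ecf8427e,SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

def hunt(log: str) -> list[tuple[str, str, str]]:
    """Return (host, event type, matched indicator) for every event that hits an IOC."""
    hits = []
    for line in log.splitlines():
        _ts, host, kind, value = line.split(maxsplit=3)
        found = matched_domain(value) if kind == "dns" else matched_hash(value)
        if found:
            hits.append((host, kind, found))
    return hits

if __name__ == "__main__":
    for host, kind, ioc in hunt(SAMPLE_LOG):
        print(f"[!] {host}: {kind} event matched pulse indicator {ioc}")
```

A plain substring test (the `contains` modifier in the Sigma rules below) would also fire on notfifa.gold and on fifa.golden-style hosts; the label walk avoids both without missing subdomains.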

Detection Engineering

Sigma Rules

```yaml
title: Potential GHOST STADIUM Phishing Domain Connection
id: 8d42f1a4-5b6c-4a9e-8f1d-3b2c4d5e6f7a
description: Detects DNS queries to known fraudulent FIFA World Cup domains associated with the GHOST STADIUM campaign.
status: experimental
date: 2026/07/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64f12a3b1c8a9b0012345678
tags:
    - attack.credential_access
    - attack.initial_access
logsource:
    category: dns
    product: windows
detection:
    selection:
        QueryName|contains:
            - 'fifa.gold'
            - 'fifa.black'
            - 'fifa.tax'
            - 'faweb.com'
            - 'fifa.red'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: Bumblebee Loader Execution via Trojanized Installer
id: 9e53g2b5-6c7d-5b0f-9g2e-4c3d5e6f7g8b
description: Detects execution of known malicious file hashes associated with the Bumblebee loader distributed via trojanized ManageEngine installers.
status: experimental
date: 2026/07/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64e02a2b0b7a8a0011223344
tags:
    - attack.execution
    - attack.initial_access
logsource:
    category: process_creation
    product: windows
detection:
    selection_hash:
        Hashes|contains:
            - 'a746da514c90f26a187a294fda7edc1b' # MD5
            - 'bcee0ab10b23f5999bcdb56c0b4a631a' # MD5
    selection_img:
        Image|endswith:
            - '\OpManager.exe'
            - '\ManageEngine.exe'
    condition: 1 of selection*
falsepositives:
    - Legitimate ManageEngine usage (verify hash)
level: critical
---
title: RMM Exploitation via SimpleHelp (CVE-2026-48558)
id: 1a74h3c6-7d8e-6c1g-0h3f-5d4e6f7g8h9c
description: Detects suspicious child process spawning from SimpleHelp RMM software, indicative of CVE-2026-48558 exploitation or TaskWeaver deployment.
status: experimental
date: 2026/07/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64c93c1c0c6b7b0022110099
tags:
    - attack.exploitation
    - attack.lateral_movement
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains:
            - '\SimpleHelp.exe'
            - '\SimpleControl.exe'
    selection_child:
        Image|endswith:
            - '\node.exe'
            - '\powershell.exe'
            - '\cmd.exe'
            - '\python.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator troubleshooting via RMM
level: high
```

KQL (Microsoft Sentinel)

The two hunts below are separate queries; run each on its own in Microsoft Sentinel or Defender Advanced Hunting.

```kusto
// Hunt for GHOST STADIUM and JINX-0164 domain connections.
// has_any also catches hostnames under the listed domains, not only exact matches.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    'fifa.gold', 'fifa.black', 'fifa.tax', 'faweb.com', 'fifa.red',
    'driver-updater.net', 'live.ong', 'angryipscanner.org', 'opmanager.pro'
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend ThreatIntel = 'OTX Pulse 2026-07-01'
```

```kusto
// Hunt for Bumblebee/TaskWeaver file hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    'a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2',
    '00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c',
    'f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc',
    'b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17'
)
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName
| extend ThreatIntel = 'OTX Pulse 2026-07-01'
```

PowerShell Hunt Script

```powershell
# OTX Pulse IOC Hunter - 2026-07-01
# Hunts for file artifacts and suspicious network connections

$MaliciousHashes = @(
    'a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2', # Bumblebee
    '00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c', # TaskWeaver
    'f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc', # Djinn Stealer
    'b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17'  # AUDIOFIX
)

$SuspiciousDomains = @(
    'fifa.gold', 'fifa.black', 'angryipscanner.org', 'driver-updater.net'
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan

# Check common download and temp directories
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File keeps directories out of the pipeline; Get-FileHash cannot hash them.
        # -contains is case-insensitive, so the upper-case output of Get-FileHash still matches.
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
            Where-Object { $MaliciousHashes -contains $_.Hash } |
            ForEach-Object {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.Path) | Hash: $($_.Hash)" -ForegroundColor Red
            }
    }
}

Write-Host "[+] Checking DNS Cache for suspicious domains..." -ForegroundColor Cyan

# Flag a cached entry that is a listed domain or any host under one (e.g. login.fifa.gold).
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $Entry = $_.Entry
    $SuspiciousDomains | Where-Object { $Entry -eq $_ -or $Entry -like "*.$_" }
} | ForEach-Object {
    Write-Host "[!] SUSPICIOUS DNS ENTRY: $($_.Entry) -> $($_.Data)" -ForegroundColor Yellow
}

Write-Host "[+] Hunt complete."
```

Response Priorities

  • Immediate:
    • Block all listed domains and IP addresses at the firewall and proxy level.
    • Scan endpoints for the specific SHA256/MD5 hashes provided in the pulses.
    • Isolate any devices showing signs of Bumblebee or TaskWeaver execution.
  • 24 Hours:
    • If credential theft indicators (Vidar, Lumma, Djinn) are found, initiate a forced password reset for affected accounts and revoke session tokens.
    • Investigate SimpleHelp RMM logs for exploitation of CVE-2026-48558.
  • 1 Week:
    • Patch all SimpleHelp instances to mitigate CVE-2026-48558.
    • Review and restrict admin privileges for users downloading IT management tools from the web.
    • Update security awareness training to cover SEO poisoning and recruiter-based LinkedIn phishing.
