
TwizAdmin Ransomware & Ghost Stadium Phishing: OTX Pulse Analysis — Global C2 Infrastructure Alert

Security Arsenal Team
May 27, 2026
6 min read

Excerpt

OTX detects TwizAdmin crypto-stealer, 1,350+ Middle East C2 servers, and FIFA World Cup phishing. Urgent IOC blocking required.

Threat Summary

Recent OTX pulses show state-aligned infrastructure abuse and financially motivated cybercrime converging. The TwizAdmin operation (attributed to DataBreachPlus) is a Malware-as-a-Service offering that bundles crypto-clipping, BIP-39 seed-phrase theft and a ransomware module (crpx0), all managed from a FastAPI panel.

At the same time, pulses covering the Middle East report a heavy concentration of C2 infrastructure (1,350+ servers), 72.4% of it on STC Saudi Arabia hosting. That infrastructure serves APT groups including APT28 (Fancy Bear) and Energetic Bear and hosts tooling ranging from Cobalt Strike to Mirai botnets.

Finally, the GHOST STADIUM campaign uses the upcoming 2026 FIFA World Cup as its lure to distribute the Vidar and Lumma stealers. Operating "pixel-perfect" clones of FIFA authentication pages across 4,300+ domains, this Chinese-speaking actor harvests banking and personal credentials at scale.

Threat Actor / Malware Profile

DataBreachPlus (TwizAdmin / crpx0)

  • Distribution: Emails masquerading as FedEx delivery notifications; targets Windows and macOS.
  • Payload Behavior: Multi-stage execution. Initial access leads to a Java RAT builder. Primary features are clipboard hijacking (address substitution) for 8+ cryptocurrency chains and theft of BIP-39 seed phrases. Includes the crpx0 ransomware module.
  • C2 Communication: FastAPI-based panel at 103.241.66[.]238:1337. Operators need a license key to use it.
  • Persistence: Not detailed in the pulse; implied by the Java RAT and ransomware modules.

GHOST STADIUM

  • Distribution: Malicious Facebook advertising and credential-phishing sites impersonating FIFA.
  • Payload Behavior: Droppers for the Vidar and Lumma infostealers, focused on harvesting session cookies and banking credentials.
  • C2 Communication: Over 300 distinct domains used for data exfiltration (e.g., fifa.gold, fifa.black).
  • Infrastructure: Likely overlaps with bulletproof hosting to resist takedowns.

IOC Analysis

The indicators in the pulse fall into three groups:

  1. Domains and URLs: high-volume phishing domains (Ghost Stadium) and the TwizAdmin C2 domain. Block these at the DNS resolver and secure web gateway immediately.
  2. IP addresses: six IPs tied to the Middle East C2 servers, plus the TwizAdmin panel at 103.241.66[.]238:1337. Block them on perimeter firewalls and alert on any outbound connection, since an internal host reaching them indicates beaconing.
  3. File hashes: five SHA256 hashes for TwizAdmin components. Configure EDR to block and quarantine files matching these hashes.

Operationalization: ingest the IOCs through SIEM integrations (Splunk, Sentinel) and let the threat intelligence platform (TIP) push them to firewall and DNS blocklists automatically. Query DNS logs for the fifa.* lookalike domains and for fanonlyatn.xyz, matching on the registered domain and its subdomains rather than on a bare substring so unrelated names are not swept in.
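The matching described above, as an added example rather than code from the pulse or from Security Arsenal: it refangs the report's IOCs, matches them against a few constructed log lines the way a SIEM lookup does (domain-and-subdomain matching for DNS, normalised IPs for connections, case-insensitive SHA256 for file events), and emits a BIND Response Policy Zone that sinkholes the phishing domains. The log line format, host names and the RPZ zone name are assumptions for illustration.

```python
"""Added example, not code from the pulse or Security Arsenal: refang the
IOCs in this report and match them against constructed log lines the way a
SIEM lookup does; also emit an RPZ sinkhole zone for the domains. The log
format, host names and zone name are assumptions for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

DOMAIN_IOCS = ["fanonlyatn.xyz", "fifa.gold", "fifa.black", "fifa.tax",
               "fifaweb.com", "fifa.red", "fifa.fund", "fifa-com.shop"]
IP_IOCS = ["103.241.66[.]238",  # TwizAdmin FastAPI panel, port 1337
           "37.32.15.8", "197.51.170.131", "5.109.182.231",
           "93.113.62.247", "94.252.245.193", "148.178.22.16"]
HASH_IOCS = ["06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
             "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
             "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
             "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
             "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec"]


def refang(indicator: str) -> str:
    """Undo common defanging ([.] / [dot] / hxxp) so IOCs compare equal to raw log values."""
    s = indicator.strip().lower().replace("[.]", ".").replace("[dot]", ".")
    return "http" + s[4:] if s.startswith("hxxp") else s


DOMAINS: Set[str] = {refang(d) for d in DOMAIN_IOCS}
IPS = {ipaddress.ip_address(refang(ip)) for ip in IP_IOCS}
HASHES: Set[str] = {h.lower() for h in HASH_IOCS}


def domain_match(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that qname equals or is a subdomain of, else None.
    Walking label boundaries avoids the endswith bug where 'fifa.gold'
    would also match the unrelated 'notfifa.gold'."""
    labels = refang(qname).rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


@dataclass
class Hit:
    ts: str
    host: str
    kind: str       # dns | conn | file
    observed: str   # raw value from the log
    ioc: str        # indicator it matched


# Constructed log shape "<ts> <kind> key=value ..."; real sources (Sysmon 22,
# EDR network/file events) carry the same fields under other names.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|conn|file)\s+(?P<kv>.*)$")


def scan_logs(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not abort the hunt
        kv = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
        ts, kind, host = m["ts"], m["kind"], kv.get("host", "?")
        if kind == "dns":
            ioc = domain_match(kv.get("query", ""), DOMAINS)
            if ioc:
                hits.append(Hit(ts, host, kind, kv["query"], ioc))
        elif kind == "conn":
            try:
                dst = ipaddress.ip_address(kv.get("dst", ""))
            except ValueError:
                continue
            if dst in IPS:
                hits.append(Hit(ts, host, kind, f"{dst}:{kv.get('dport', '?')}", str(dst)))
        elif kind == "file":
            digest = kv.get("sha256", "").lower()  # EDRs often emit upper-case hex
            if digest in HASHES:
                hits.append(Hit(ts, host, kind, digest, digest))
    return hits


def rpz_zone(domains: Iterable[str], zone: str = "rpz.example.internal") -> List[str]:
    """BIND Response Policy Zone records returning NXDOMAIN (CNAME .) for each
    IOC domain and every subdomain of it. Zone name is an assumption."""
    lines = [f"$ORIGIN {zone}."]
    for d in sorted({refang(x) for x in domains}):
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return lines


# Constructed sample events, not real telemetry.
SAMPLE_LOGS = [
    "2026-05-27T09:12:03Z dns host=WS-042 query=login.fifa.gold.",
    "2026-05-27T09:12:09Z dns host=WS-042 query=notfifa.gold",
    "2026-05-27T09:13:41Z conn host=WS-042 dst=103.241.66.238 dport=1337",
    "2026-05-27T09:14:00Z conn host=FS-01 dst=10.0.0.5 dport=445",
    "2026-05-27T09:15:27Z file host=WS-042 sha256=06299676B43749B8477C4BC977C09512957FC9B66FD5030C1874069632CE6092",
    "not a log line at all",
]

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"{h.ts} {h.host} {h.kind:<4} {h.observed} -> {h.ioc}")
    print("\n".join(rpz_zone(DOMAIN_IOCS)))
```

Run as-is to see the three hits from the constructed sample (the lookalike notfifa.gold and the internal SMB connection are correctly ignored) followed by the RPZ records; in production the `SAMPLE_LOGS` list is replaced by a SIEM export and the zone output is loaded into the resolver's response-policy configuration.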

Detection Engineering

Sigma Rules

YAML
---
title: TwizAdmin C2 Domain or Panel Connection
id: 8a1f2c3d-4e5f-6789-0123-456789abcdef
description: Detects network connections to the TwizAdmin C2 domain fanonlyatn.xyz (or a subdomain of it) or to the FastAPI panel at 103.241.66.238:1337 associated with DataBreachPlus operations.
status: experimental
author: Security Arsenal
date: 2026-05-28
logsource:
    category: network_connection
    product: windows
detection:
    selection_domain:
        DestinationHostname: 'fanonlyatn.xyz'
    selection_subdomain:
        DestinationHostname|endswith: '.fanonlyatn.xyz'
    selection_panel:
        DestinationIp: '103.241.66.238'
        DestinationPort: 1337
    condition: 1 of selection_*
falsepositives:
    - Unlikely; the domain and panel have no legitimate use
level: critical
tags:
    - attack.command_and_control
    - attack.t1071

---
title: Ghost Stadium Phishing Domain DNS Lookup
id: b2c3d4e5-6f78-9012-3456-7890abcdef12
description: Detects DNS lookups for the GHOST STADIUM phishing domains (and their subdomains) impersonating FIFA ahead of the 2026 World Cup. Pair with a proxy or network_connection rule for HTTP-level visibility.
status: experimental
author: Security Arsenal
date: 2026-05-28
logsource:
    category: dns_query
    product: windows
detection:
    selection_exact:
        QueryName:
            - 'fifa.gold'
            - 'fifa.black'
            - 'fifa.tax'
            - 'fifaweb.com'
            - 'fifa.red'
            - 'fifa.fund'
            - 'fifa-com.shop'
    selection_subdomain:
        QueryName|endswith:
            - '.fifa.gold'
            - '.fifa.black'
            - '.fifa.tax'
            - '.fifaweb.com'
            - '.fifa.red'
            - '.fifa.fund'
            - '.fifa-com.shop'
    condition: 1 of selection_*
falsepositives:
    - Legitimate FIFA access (unlikely; official services are not hosted on these domains)
level: high
tags:
    - attack.initial_access
    - attack.phishing
    - attack.t1566

---
title: Suspicious Middle East C2 Infrastructure Connection
id: c3d4e5f6-7890-1234-5678-90abcdef1234
description: Detects outbound connections to IP addresses identified in the pulse as Middle East-hosted C2 servers running APT tooling (Cobalt Strike, Mirai and similar).
status: experimental
author: Security Arsenal
date: 2026-05-28
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationIp:
            - '37.32.15.8'
            - '197.51.170.131'
            - '5.109.182.231'
            - '93.113.62.247'
            - '94.252.245.193'
            - '148.178.22.16'
    condition: selection
falsepositives:
    - Legitimate traffic to these IPs (investigate before tuning the rule out)
level: high
tags:
    - attack.command_and_control
    - attack.t1071

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TwizAdmin and Ghost Stadium network activity (30-day look-back, matching the retrospective hunt)
let PhishDomains = dynamic([
    "fanonlyatn.xyz", "fifa.gold", "fifa.black", "fifa.tax",
    "fifaweb.com", "fifa.red", "fifa.fund", "fifa-com.shop"
]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (PhishDomains)
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Accounts = make_set(InitiatingProcessAccountName), RemoteIPs = make_set(RemoteIP)
    by DeviceName, RemoteUrl
| order by Count desc

// Hunt for connections to the Middle East C2 IPs and the TwizAdmin panel
let C2IPs = dynamic([
    "103.241.66.238",  // TwizAdmin FastAPI panel, port 1337
    "37.32.15.8", "197.51.170.131", "5.109.182.231",
    "93.113.62.247", "94.252.245.193", "148.178.22.16"
]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (C2IPs)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// Hunt for TwizAdmin components by SHA256 (file writes and process launches)
let TwizHashes = dynamic([
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec"
]);
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp > ago(30d)
| where SHA256 in (TwizHashes)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256

PowerShell Hunt Script

PowerShell
# Hunt for TwizAdmin file artifacts, live C2 connections and Run-key persistence
# Run from an elevated PowerShell session (needed for OwningProcess lookups and HKLM reads)

$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec"
)

$MaliciousIPs = @(
    "103.241.66.238",   # TwizAdmin FastAPI panel (port 1337)
    "37.32.15.8", "197.51.170.131", "5.109.182.231", "93.113.62.247", "94.252.245.193", "148.178.22.16"
)

# Hash only the locations where a mailed FedEx lure is likely to drop its payload;
# widen to $env:SystemDrive if the full-disk hashing cost is acceptable.
$ScanPaths = @("$env:SystemDrive\Users", $env:ProgramData, $env:TEMP, "$env:windir\Temp")

Write-Host "[+] Checking for TwizAdmin file hashes..." -ForegroundColor Cyan
Get-ChildItem -Path $ScanPaths -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -contains compares case-insensitively, so the upper-case Get-FileHash output matches the lower-case IOCs
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $TargetHashes -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }

Write-Host "[+] Checking for active network connections to C2 IPs..." -ForegroundColor Cyan
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $MaliciousIPs -contains $_.RemoteAddress } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ Name = 'ProcessName'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }

if ($connections) {
    Write-Host "[!] Suspicious Connections Detected:" -ForegroundColor Red
    $connections | Format-Table -AutoSize
} else {
    Write-Host "[-] No active connections to known C2 IPs found." -ForegroundColor Green
}

Write-Host "[+] Checking Run keys for suspicious persistence..." -ForegroundColor Cyan
$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
$entries = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Value      = $p.Value
            # Flag entries that launch Java or a script host, or run from user-writable paths (TwizAdmin drops a Java RAT)
            Suspicious = [bool]($p.Value -match '(?i)\b(javaw?|wscript|cscript|mshta|powershell)\b' -or
                                $p.Value -match '(?i)\\(AppData|Temp|ProgramData|Downloads)\\')
        }
    }
}
$entries | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize

Response Priorities

  • Immediate (0-4h):
    • Block all identified IOCs (domains, URLs, IPs) at the perimeter (firewall, proxy, secure web gateway) and at the DNS resolver.
    • Quarantine any endpoint where EDR matches one of the five SHA256 hashes.
    • Run a 30-day retrospective hunt for DNS queries to the fifa.* lookalike domains and fanonlyatn.xyz, and for connections to the listed IPs.
  • Within 24 hours:
    • Identity verification: TwizAdmin, Vidar and Lumma all harvest credentials and session cookies, so force a password reset and revoke active sessions for users who may have clicked FIFA or FedEx lures, and enforce MFA where it is not already active.
    • Investigate every host that communicated with 148.178.22.16 (Ghost Stadium infrastructure) for lateral movement or data exfiltration.
  • Within 1 week:
    • Architecture hardening: sinkhole the identified phishing domains and their subdomains at the resolver, so that newly registered lookalike variants can be added to the same policy and beaconing from already-infected hosts shows up in sinkhole logs.
    • Review outbound firewall rules and, where business requirements allow, restrict egress to the regions hosting the identified Middle East C2 infrastructure.
    • Update user awareness training to cover World Cup ticket fraud and delivery-notification social engineering.
