Threat Actors Target FIFA World Cup 2026
A sophisticated Chinese-origin fraud operation is targeting FIFA World Cup 2026 attendees through pixel-perfect website clones and a multi-tenant phishing infrastructure. The actors deploy typosquatted domains and a commercially developed administrative system to mimic legitimate FIFA ticketing platforms. Technical analysis reveals high-fidelity brand cloning, real-time card skimming capabilities, and a distributed reseller ecosystem supporting at least 15 active operator instances. The platform functions as an active Man-in-the-Middle framework intercepting payment card details and bypassing SMS-based two-factor authentication in real time. Traffic is primarily driven through Facebook and Instagram in-app browsers. Simplified Chinese localizations and operator geolocations from IP addresses in China indicate PRC-based actors. The core payment routing hub tbpay[.]uk lacks financial regulatory authorization and has historical malicious patterns.
Pulse ID: 6a2ae2e76dc9f990eeb985f0
Pulse Link: https://otx.alienvault.com/pulse/6a2ae2e76dc9f990eeb985f0
Pulse Author: AlienVault
Created: 2026-06-11 16:31:35
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #China #Chinese #CyberSecurity #Facebook #InfoSec #Instagram #Mimic #OTX #OpenThreatExchange #PRC #Phishing #RAT #RCE #SMS #UK #bot #AlienVault
World Cup 2026 Mobile Targeted Phishing: The Global Social Engineering Threat
Threat intelligence has uncovered a significant increase in digital scams and phishing campaigns exploiting the FIFA World Cup 2026, specifically targeting mobile users. Three primary attack campaigns have been identified: The first uses typosquatting and institutional spoofing with fake domains like fifa-tickets[.]vip to deceive ticket buyers. The second mimics major sports retailers such as Nike and Adidas, hiding infrastructure behind Cloudflare to steal payment credentials. The third campaign, dubbed OffsideHire, exploits tournament hiring through sophisticated recruitment fraud using an Adversary-in-the-Middle platform targeting corporate Google Workspace accounts with real-time MFA bypass capabilities. These campaigns leverage emotional urgency, ticket scarcity, and mobile device usage patterns to bypass traditional security controls, posing risks to both individuals and enterprise environments through credential harvesting and session hijacking.
Pulse ID: 6a2b24146ff879b6eec74176
Pulse Link: https://otx.alienvault.com/pulse/6a2b24146ff879b6eec74176
Pulse Author: AlienVault
Created: 2026-06-11 21:09:40
#AdversaryInTheMiddle #Cloud #CredentialHarvesting #CyberSecurity #Google #ICS #InfoSec #MFA #Mimic #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #TypoSquatting #bot #AlienVault
World Cup 2026 Mobile Targeted Phishing: The Global Social Engineering Threat
Threat intelligence analysis reveals a significant surge in phishing campaigns exploiting the FIFA World Cup 2026, specifically targeting mobile users. Three distinct attack campaigns have been identified: The first deploys typosquatting and institutional spoofing through fake domains to trap ticket buyers. The second mimics major sports retailers like Nike and Adidas, hiding infrastructure behind Cloudflare for credential harvesting. The third exploits tournament hiring opportunities through sophisticated recruitment fraud, implementing an Adversary-in-the-Middle platform targeting corporate Google Workspace accounts with MFA bypass capabilities. These campaigns leverage SMS, WhatsApp, and search engines to exploit emotional urgency and ticket scarcity, creating enterprise security risks as employees use personal devices for work access.
Pulse ID: 6a2b24120e38cab4c6d62f51
Pulse Link: https://otx.alienvault.com/pulse/6a2b24120e38cab4c6d62f51
Pulse Author: AlienVault
Created: 2026-06-11 21:09:38
#AdversaryInTheMiddle #Cloud #CredentialHarvesting #CyberSecurity #Google #ICS #InfoSec #MFA #Mimic #OTX #OpenThreatExchange #Phishing #RAT #SMS #SocialEngineering #TypoSquatting #WhatsApp #bot #AlienVault
OptinMonster supply chain attack hits 1.2 million sites
An active supply-chain attack targeted over 1.2 million WordPress sites using OptinMonster, TrustPulse, and PushEngage plugins operated by Awesome Motive. Attackers injected malicious JavaScript into legitimate files served through Awesome Motive's CDN endpoints. The malware activates when a logged-in administrator accesses the site, creating backdoor admin accounts (developer_api1 and randomized dev_xxxxxx accounts) and installing a self-hiding PHP plugin. The backdoor provides unauthenticated code execution through a web shell and eval endpoint. Stolen credentials are exfiltrated to tidio.cc, a lookalike domain mimicking the legitimate tidio.com. The breach likely originated from compromised Awesome Motive servers or their BunnyNet CDN account. The campaign began in late April 2026 and remained active through mid-June, affecting OptinMonster (over 1 million installations), TrustPulse, and PushEngage users.
Pulse ID: 6a2ec0e674b2d14b332499fa
Pulse Link: https://otx.alienvault.com/pulse/6a2ec0e674b2d14b332499fa
Pulse Author: AlienVault
Created: 2026-06-14 14:55:34
#BackDoor #CDN #CyberSecurity #ELF #Endpoint #InfoSec #Java #JavaScript #Malware #Mimic #OTX #OpenThreatExchange #PHP #RAT #RDP #Rust #SupplyChain #Word #Wordpress #bot #AlienVault
Sniper's Nest: From Brand Impersonation to Browser Hijacking and CPA Fraud
An investigation into phishing activity targeting users across the Middle East and North Africa uncovered SniperDz, a centralized Push-Notification-as-a-Service and Phishing-as-a-Service platform. The operation uses fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations to promote fake offers including free mobile internet packages and financial compensation. Victims are redirected through trusted link-aggregation services like Linktree and Linkbio to evade detection. SniperDz provides 80 phishing templates mimicking over 30 global brands across financial services, social media, streaming, and gaming platforms. The infrastructure employs browser notification abuse, history manipulation creating a back-button prison, premium SMS subscriptions, premium-rate calls, investment scams, and affiliate marketing for monetization. Analysis revealed over 900 suspicious domains linked to shared hosting infrastructure and a recurring VAPID public key connecting multiple campai...
Pulse ID: 6a2aa0d6db4e2c52648e2ed7
Pulse Link: https://otx.alienvault.com/pulse/6a2aa0d6db4e2c52648e2ed7
Pulse Author: AlienVault
Created: 2026-06-11 11:49:42
#Africa #Browser #CyberSecurity #Facebook #InfoSec #MiddleEast #Mimic #OTX #OpenThreatExchange #Phishing #RAT #Rust #SMS #SocialMedia #bot #AlienVault
Fake Software Tutorials on TikTok Spread Vidar Stealer
Threat actors are leveraging TikTok and Instagram Reels to distribute the Vidar infostealer through fake software tutorials. Two distinct campaigns use short-form videos disguised as tutorials for unlocking premium software such as Spotify. The first campaign uses accounts mimicking official Windows profiles, with AI-voiced clips instructing users to run PowerShell commands that download Vidar from lookalike domains; one video achieved over 100,000 views. The second campaign uses ordinary accounts posting music-backed clips that bait users in the comments into receiving malicious links via direct message. Both campaigns exploit platform recommendation algorithms by encouraging saves and shares. Vidar is sold as a service with a $300 lifetime license and harvests credentials, financial data, and authentication tokens.
Pulse ID: 6a298f548047c70cc9e2f4ee
Pulse Link: https://otx.alienvault.com/pulse/6a298f548047c70cc9e2f4ee
Pulse Author: AlienVault
Created: 2026-06-10 16:22:44
#CyberSecurity #FinancialData #InfoSec #InfoStealer #Instagram #Mimic #OTX #OpenThreatExchange #PowerShell #Vidar #Windows #bot #AlienVault
PHISH ALERT: Press Play for Compromise — Voicemail Phishing Kit Bundles SSO Hijacking, Credential Theft, and RMM Delivery
An advanced voicemail-themed phishing campaign is utilizing HTML attachments to hijack Microsoft 365 sessions through silent OAuth exploitation. Emails arrive spoofing legitimate businesses with fake voicemail notifications containing embedded HTML files. When victims click the play button, the kit triggers a rogue OAuth 2.0 request using the prompt=none parameter to steal authentication tokens from active M365 sessions. If no active session exists, victims are redirected to credential harvesters hosted on compromised infrastructure, specifically a Turkish domain hosting over 100 active campaign directories. The operation includes multiple attack vectors: fake login portals mimicking DocuSign, Outlook and Google, OAuth device code phishing interfaces, and RMM deployment disguised as document viewers. This represents a sophisticated Phishing-as-a-Service operation deploying concurrent attack types from consolidated infrastructure.
Pulse ID: 6a2943210c24d6920786a101
Pulse Link: https://otx.alienvault.com/pulse/6a2943210c24d6920786a101
Pulse Author: AlienVault
Created: 2026-06-10 10:57:37
#CyberSecurity #Email #Google #HTML #InfoSec #Microsoft #Mimic #OTX #OpenThreatExchange #Outlook #Phishing #RAT #Turkish #bot #AlienVault
Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan
SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.
Pulse ID: 6a196f2fd88de848b913e4da
Pulse Link: https://otx.alienvault.com/pulse/6a196f2fd88de848b913e4da
Pulse Author: AlienVault
Created: 2026-05-29 10:49:19
#Afghanistan #Bulgaria #CyberSecurity #Edge #Education #Government #InfoSec #Java #JavaScript #LNK #Microsoft #MicrosoftEdge #Mimic #OTX #OpenThreatExchange #Pakistan #Phishing #RAT #SideCopy #SpearPhishing #TransparentTribe #bot #AlienVault