Having trouble finding a free 📺 streaming site for World Cup 🏟️ matches? This threat actor has you covered with thousands of websites for all 104 matches! ⚽

We've been tracking a likely Vietnam-based actor that mass purchases expired domains (we call these dropcatch) and repurposes their existing web traffic to funnel visitors into illegal sports streaming sites, and then straight into a betting platform the same actor operates. The domain portfolio is a graveyard of real internet history: 2026worldcupnorthamerica[.]com (once cited by the Dallas Morning News and the US Men's National Team Facebook fan page), childreninachangingclimate[.]org (formerly a children's aid program), thebreastcancercharities[.]org (formerly non-profit The Breast Cancer Charities of America), and a domain officially used by major US grocery store chains involved in a large proposed merger. Collectively, this actor has spent hundreds of thousands of dollars acquiring dropcatch domains alone — a strong signal that dropcatching is a genuinely effective vehicle for cyber fraud. Behind all of it sits a staggering tech stack operated by a single actor: 5,000+ domains, illegal streaming services, CDNs, TDSs, trackers, cloakers, betting platforms, and mobile apps. That's not a side hustle, that's an enterprise. 🏗️

While the platform largely targets Vietnamese-speaking users, as well as others in Asia and Oceania, the financial damage reaches much further. Sports authorities and broadcasters worldwide are 📉 losing revenue every time someone watches a live NBA 🏀, MLB ⚾, esports 🎮, poker 🃏, or World Cup 🏆 match for free on one of these sites, and this actor has all of them covered.

Some examples from the domains we've uncovered so far:

Dropcatch domains host or redirect to illegal streaming services:

autoredistrict[.]org
childreninachangingclimate[.]org
2026worldcupnorthamerica[.]com
folsomprisonmuseum[.]org
allaboutbasketball[.]us
thebreastcancercharities[.]org

Fraudulent domains host or redirect to illegal streaming services:

90phutaa[.]cc
90phutab[.]cc
90phutac[.]cc
xoilaczzzzw[.]tv
xoilaczzzzt[.]tv
xoilaczzzzh[.]tv

Lookalike domains used by the betting platforms:

fifa001[.]com
fifa002[.]com
fifa02[.]com
worldcup00[.]com
worldcup000[.]com
worldcup02[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #dropcatch #malvertising #illegalstreaming #sportsbetting #domainabuse #vietnam #worldcup #asia #fifa #streaming #betting #2026worldcup #charities #nonprofit #lookalike #xoilac #90phut

STUDIO 215: Disco All Night Long - 10 Apr feat. Drop Catch

#SESH #DropCatch

https://sesh.sx/e/1795457

A domain registration is more like a lease than a deed. You get the exclusive right to use a domain name for a fixed term, but if you miss renewal, someone else can swoop in. What's scary is that with dropcatch services, cybercriminals can automate monitoring of pending‑delete domains and fire off registrations the split‑second a name is deleted by the registry and becomes available again. Think hawks circling for high‑value prey. 🦅

That's what happened to fita[.]org, a popular website owned by the Federation of International Trade Associations (FITA) and referenced by many government bodies including the International Trade Administration (trade.gov). The domain now sits behind Cloudflare and functions as a command-and-control (C2) for the AsyncRAT malware. The actor controlling it also stood up these C2 endpoints:


So make sure to set auto pay for any valuable domains you possess 💳 otherwise you could risk losing them. Proactive IT governance is also part of security.

#InfobloxThreatIntel #dns #async #threatintel #threatintelligence #infosec #cybersecurity #cybercrime #infoblox #rat #asyncrat #malware #dropcatch #domain #cloudflare #remoteaccesstrojan #infostealer #c2

Online gambling operators are sponsoring charities?? If only :(

We've identified a malicious gambling affiliate whose specialty is to buy expired domain names which used to belong to charities or reputable organisations.

Once they own a domain, they host a website impersonating its previous owner, where they claim to "deeply appreciate the support from [their] sponsors", which surprise surprise, all turn out to be dubious online gambling companies.

Because the domain they are taking over is often abandoned or managed by non-technical people, its previous owner often doesn't notify anyone that they've lost control of their website, so it continues being referenced in genuine content, and it continues getting traffic from old links scattered throughout the internet.

teampiersma[.]org (screenshots below)
americankayak[.]org
getelevateapp[.]com
hotshotsarena[.]com
nehilp[.]org
questionner-le-numerique[.]org
sip-events[.]co[.]uk
studentlendinganalytics[.]com
thegallatincountynews[.]com

Comparison content:
2018: https://web.archive.org/web/20180119043432/https://teampiersma.org/
2025: https://web.archive.org/web/20250401092253/https://teampiersma.org/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #infosec #scam #dropcatch #charity
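Added example, not part of the original posts: a defender-side check for the two situations described above, a domain you own whose lease is about to lapse, and a domain you link to that was dropped and re-registered by someone else. It assumes RDAP domain responses (RFC 9083 `events`, RFC 8056 `status` values); the function names, the `.example` domains and the sample records are constructed for illustration.

```python
from datetime import datetime, timezone

# RDAP status values (RFC 8056) meaning the registration has already lapsed.
LAPSED = {"redemption period", "pending delete"}

def event_date(rdap, action):
    """Date of the first RDAP event with this eventAction, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def lease_risk(rdap, now, warn_days=45):
    """For a domain you own: 'lapsed', 'expiring', 'ok' or 'unknown'."""
    if LAPSED & set(rdap.get("status", [])):
        return "lapsed"
    exp = event_date(rdap, "expiration")
    if exp is None:
        return "unknown"          # registry publishes no expiry: check manually
    if exp <= now:
        return "lapsed"
    return "expiring" if (exp - now).days <= warn_days else "ok"

def reregistered_since(rdap, first_cited):
    """For a domain you link to: did its current registration start after
    you first cited it? If so it was dropped and picked up by a new owner."""
    reg = event_date(rdap, "registration")
    return reg is not None and reg > first_cited

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed RDAP domain responses, trimmed to the fields used here.
SAMPLES = {
    "shop.example": {"status": ["active"], "events": [
        {"eventAction": "registration", "eventDate": "2010-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-06-20T00:00:00Z"}]},
    "old-campaign.example": {"status": ["redemption period"], "events": [
        {"eventAction": "expiration", "eventDate": "2025-05-01T00:00:00Z"}]},
    "partner-charity.example": {"status": ["active"], "events": [
        {"eventAction": "registration", "eventDate": "2024-11-15T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-11-15T00:00:00Z"}]},
}

if __name__ == "__main__":
    now = utc(2025, 6, 1)
    for name, rdap in SAMPLES.items():
        print(name, lease_risk(rdap, now),
              reregistered_since(rdap, first_cited=utc(2018, 1, 19)))
```

A link that was cited in 2018 and now resolves to a registration created in 2024 is the signal to re-review or remove that link.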


That's what @[email protected] wants, little bit of luck. Now make it count. Go champ.go ❤️

#dropcatch #AUSvIND