This research notification provides you with an early, exclusive look at Arctic Wolf Labs' research into a convergence of phishing, credential theft, and malware campaigns exploiting interest in the 2026 FIFA World Cup.
The findings span adversary-in-the-middle (AiTM) phishing infrastructure capable of defeating conventional multi-factor authentication, QR-code phishing targeting host-city personnel, mobile malware distributed through fraudulent ticket lures, and a Windows info-stealer chain. Additional technical details will be included in our full research publication, and indicators of compromise will be published to our public GitHub repository.
Summary
Arctic Wolf Labs conducted proactive research into the criminal ecosystem surrounding the 2026 FIFA World Cup and identified active threat operations targeting both consumers and organisations involved in staging the event.
Since January 2026, Arctic Wolf Labs has found that more than 10,000 World Cup-themed domains have been registered, at a rate of approximately 2,000 per month. Not all were malicious, but a consistent operational pattern was seen across the campaigns that were observed: “clean” social media posts funnel users to WhatsApp, Telegram, or Discord, where the actual fraud or malware delivery occurs, taking advantage of the typically weaker security posture of mobile devices.
Arctic Wolf Labs identified a cluster of at least ten phishing domains impersonating FIFA hiring pages, including fifa-careerpath[.]com, fifahiring[.]com, and jobs-fifa[.]com. These domains steal corporate Google Workspace credentials through a real-time adversary-in-the-middle (AiTM) relay. When a victim enters credentials on the counterfeit Google login page, the backend logs into the real Google account simultaneously, detects the required second-factor type, and renders the matching MFA prompt to the victim. The one-time code is forwarded to Google within seconds, inside the attacker's session. This relay defeats OTP, SMS, and push-approval MFA. Only phishing-resistant authentication such as passkeys or FIDO2/WebAuthn hardware keys breaks the relay.
Arctic Wolf Labs also recovered a weaponized PDF titled "Employee Handbook - Understanding employment at FIFA World Cup 26 Philadelphia," targeting host-city staff. The document uses city branding and references a legitimate tourism organization in Philadelphia in its metadata. The payload is delivered through QR-code phishing (quishing), redirecting victims to malicious resources on a mobile device. The document includes a "do not forward" instruction framed as protecting a "secure link," a technique to slow detection by limiting distribution. Because the delivery pattern is generic, other host cities may have been targeted with comparable lures.
Additional malware campaigns were observed using World Cup ticket lures. An Android multi-stage loader distributed as FIFA_WorldCup_Tickets.apk from aaworldcuptickets[.]com performs cryptocurrency mining, with command-and-control infrastructure under fud2026[.]com on port 9000. A Windows infostealer delivered through a file masquerading as WorldCup_Tickets_Viewer?gnp.exe harvests browser credentials, Discord and Telegram tokens, clipboard contents, Wi-Fi profiles, and application credentials, then exfiltrates to attacker-controlled Telegram and Discord channels.
Arctic Wolf has Managed Detection and Response coverage for these campaigns where relevant telemetry is available. It has used threat intelligence on this activity to enhance detections in the Aurora Superintelligence Platform, subject to customer environment and available telemetry. As it tracks these campaigns and discovers new information, it may further refine its detections to account for additional indicators and techniques.
Arctic Wolf is a customer of its own products and services and, where applicable, will follow the same recommendations outlined for its customers in this research notification.
Recommendations
Enforce Phishing-Resistant Authentication for Corporate Accounts
Organisations with any connection to the 2026 FIFA World Cup, including host cities, sponsors, vendors, and partners, should enforce passkeys or FIDO2/WebAuthn hardware keys for all Google Workspace and SSO accounts. The AiTM phishing kit documented in this research defeats conventional MFA (OTP, SMS, and push-approval) by relaying second-factor codes in real time. Phishing-resistant authentication methods are cryptographically bound to the legitimate origin and cannot be proxied through a threat actor-controlled relay.
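Why the relay described above works against OTP and push but not against a passkey or FIDO2 key comes down to what the authenticator signs. The following is an added example, not Arctic Wolf's code and not taken from the research: a minimal ES256 (ECDSA P-256) WebAuthn assertion and the relying-party checks, run through three scenarios. The Google origin and RP ID, the challenge value, the lure origin https://fifahiring.com (one of the domains named in the research) and the software authenticator are all assumptions constructed for the demonstration. The key point modelled is that the browser, not the page, writes the origin into clientDataJSON and derives the RP ID from the tab's URL, and both are covered by the signature, so the relay cannot produce an assertion the real RP will accept.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Subset of WebAuthn clientDataJSON. The browser fills in "origin" from the URL
// bar; page JavaScript on a phishing site cannot set it to accounts.google.com.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// What the relying party (RP) receives from navigator.credentials.get().
// An AiTM relay can only forward or rewrite these bytes.
type assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // ES256 over authenticatorData || SHA-256(clientDataJSON)
}

// signedDigest is the SHA-256 input to ECDSA for an ES256 assertion.
func signedDigest(authData, cdJSON []byte) [32]byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := make([]byte, 0, len(authData)+len(cdHash))
	msg = append(msg, authData...)
	msg = append(msg, cdHash[:]...)
	return sha256.Sum256(msg)
}

// browserGet models browser + authenticator. pageOrigin and rpID come from the
// tab the user is actually on, not from the page's script (toy authenticator).
func browserGet(priv *ecdsa.PrivateKey, pageOrigin, rpID, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // UP flag set, signCount = 1
	digest := signedDigest(authData, cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the RP-side check, in roughly the order the WebAuthn spec lists them.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, expectedOrigin, rpID, issuedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != issuedChallenge {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	digest := signedDigest(a.AuthenticatorData, a.ClientDataJSON)
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Assumed values for the demonstration: the real RP and one lure domain from the research.
const (
	realOrigin = "https://accounts.google.com"
	realRPID   = "google.com"
	lureOrigin = "https://fifahiring.com"
	lureRPID   = "fifahiring.com"
	challenge  = "chal-123" // constructed; a real RP issues a random per-login challenge
)

// lureAssertion is what the victim's authenticator would produce on the phishing page,
// assuming (worst case for the defender) it signs with the Google-registered key.
func lureAssertion() (*ecdsa.PrivateKey, assertion, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, assertion{}, err
	}
	a, err := browserGet(priv, lureOrigin, lureRPID, challenge)
	return priv, a, err
}

// legitimateLogin: user is on the real origin; the assertion verifies.
func legitimateLogin() error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a, err := browserGet(priv, realOrigin, realRPID, challenge)
	if err != nil {
		return err
	}
	return verifyAssertion(&priv.PublicKey, a, realOrigin, realRPID, challenge)
}

// relayedLogin: the AiTM kit forwards the real challenge and the victim's assertion,
// but the browser wrote the lure origin, so the RP rejects it before checking the signature.
func relayedLogin() error {
	priv, a, err := lureAssertion()
	if err != nil {
		return err
	}
	return verifyAssertion(&priv.PublicKey, a, realOrigin, realRPID, challenge)
}

// tamperedRelay: the attacker rewrites origin and rpIdHash to look legitimate.
// Both fields are under the signature, so now the signature check catches it.
func tamperedRelay() error {
	priv, a, err := lureAssertion()
	if err != nil {
		return err
	}
	a.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: realOrigin})
	h := sha256.Sum256([]byte(realRPID))
	copy(a.AuthenticatorData[:32], h[:])
	return verifyAssertion(&priv.PublicKey, a, realOrigin, realRPID, challenge)
}

func main() {
	fmt.Println("legitimate:", legitimateLogin())
	fmt.Println("relayed:   ", relayedLogin())
	fmt.Println("tampered:  ", tamperedRelay())
}
```

Contrast this with a TOTP or push approval: the second factor is a short value or a yes/no that carries no information about which site asked for it, so the relay can forward it unchanged inside the attacker's own session. With a passkey the RP is verifying a signature over the origin the victim was actually on, and a real browser will also refuse a page on fifahiring.com that asks for an RP ID of google.com, so the kit never gets a usable assertion in the first place.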
Apply User Awareness for Mobile-First Lures
Users should be trained to treat any offer for free streaming, discounted tickets, betting bonuses, or cryptocurrency opportunities related to the World Cup that routes through WhatsApp, Telegram, or Discord as suspicious by default. Users should not install APKs from outside official app stores, and should not run executable "viewers" or "stream players" downloaded from unverified sources. Time-pressured lures that arrive just before kickoff should be recognized as a deliberate social engineering technique.
Brief Staff on QR-Code Phishing and Social Engineering Pressure Tactics
HR, communications, and front-line staff should be specifically briefed on the "Employee Handbook" style of QR-code phishing lure and the "do not forward this secure link" social engineering pressure tactic. QR codes in PDFs and emails should be treated with the same scrutiny as any other link, particularly when they redirect to resources on a mobile device, where security controls are typically weaker. Organisations should advise staff that a "do not forward" instruction paired with a QR code or embedded link is itself a warning indicator.
COOLSPIRiT is here to help you keep secure
To find out more about Arctic Wolf, visit our webpage here.
Alternatively, contact our expert team today at hello@coolspirit.co.uk or call 01246 454222.