HOMETHREATSGHOST STADIUM
APT / THREAT GROUP💰 FINANCIALHIGH

GHOST STADIUM

🇨🇳China-attributed
1
aliases
Last seen:Jun 5, 2026

Intelligence Profile

GHOST STADIUM is a Chinese-speaking, financially motivated threat actor operating a sophisticated phishing campaign across over 300 domains, utilizing a custom React-based phishing kit that closely mimics FIFA's official website and exploits the PingIdentity SSO login flow. The campaign has the potential to generate financial losses estimated between $71 million and $474 million from premium ticket fraud alone, with total losses potentially reaching billions. GHOST STADIUM employs Facebook Ads as a primary traffic acquisition channel and has been linked to 2,513 compromised FIFA credentials available on dark-web markets. The actor is part of a broader fraud ecosystem that includes multiple parallel schemes, such as credential phishing and counterfeit merchandise sales.

Threat Analysis

GHOST STADIUM is a high-sophistication threat actor attributed to China, engaged in cyber operations with a primary motivation of financial.

Financially motivated threat actors like GHOST STADIUM prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, GHOST STADIUM is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Intelligence Reports Mentioning GHOST STADIUM

Thousands of Fake FIFA Domains Target World Cup Fans
Infosecurity Magazine· May 27, 2026

External References

Quick Facts

TypeAPT / Threat Group
Motivation💰 financial
Sophisticationhigh
Origin🇨🇳 China
Aliases1
SourceMalpedia

Also Known As

GHOST STADIUM

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.