Home-Field Disadvantage: AiTM, QR-Code Phishing, and Infostealers at the 2026 FIFA World Cup

Arctic Wolf proactively investigated the 2026 FIFA World Cup impersonation ecosystem, and found that a malicious, mobile-first infrastructure was already in place months before kickoff.

Summary

The 2026 FIFA World Cup is a once-in-a-generation opportunity, and threat actors have already begun capitalizing on it. The 2026 FIFA World Cup, set to kick off on June 11, has already broken records for the most host nations, the most matches, and the highest amount of prize money to date for winning teams. Arctic Wolf set out to proactively investigate the criminal ecosystem surrounding the tournament. Our observations reveal that malicious infrastructure was already in place and fully operational months before kickoff, that it is overwhelmingly mobile-first, and that it has expanded its scope beyond defrauding fans, to directly targeting the people and organizations running the event.

Key Findings:

  1. AI is expanding attack automation. Since January 2026, we observed more than 10,000 World Cup themed domains pop up, at a rate of roughly 2000 new domains per month. Not all are malicious, but with generative AI now producing the sites, the content, and even the apps, attack automation has reached a new level.
  2. The threat has moved to mobile. The dominant attack surface of 2026 is the mobile device. Lures live as deceptively “clean” posts on social media, which then funnel victims into WhatsApp, Telegram, or Discord. This is where the actual fraud or malware delivery happens, out of sight of platform moderation, and in an environment where users typically trust what they see and cyber defenses are weaker.
  3. Timing is a weapon. Many malicious operations are designed to detonate at the last moment. Channels recruit subscribers with a promise to drop a “free stream” link five minutes before each match begins; the timing banks on excited fans not stopping to check whether a link is malicious.
  4. Organizers are being targeted, not just fans. We identified a weaponized “Employee Handbook” PDF aimed at staff of a U.S. host city, and a cluster of fake “FIFA careers” sites engineered to steal corporate Google Workspace accounts. This demonstrates targeting of the event’s own supply chain.
  5. The desktop infostealer is alive and well. We found a World Cup ticket lure which delivers a Windows stealer that exfiltrates everything of value on a victim machine to attacker-controlled Telegram and Discord channels.

The single most important technical finding for defenders is that MFA is not, by itself, protecting World Cup-adjacent organizations. One fake-careers phishing kit we found runs a real-time adversary-in-the-middle (AiTM) relay that consumes a victim’s one-time code within seconds of it being issued, inside the attacker’s own login session, which shows that multi-factor authentication codes are being defeated in transit.

Scope and Method

The research presented in this report is based on our continuous monitoring of newly registered, World Cup-themed domains since January 2026; our tracking of suspect WhatsApp, Telegram, and Discord channels promoted across social media; our static and dynamic analysis of recovered malware samples; and infrastructure we found pivoting on FIFA branding and shared artifacts. Note that where we describe an attack chain, this reflects directly observed behavior of recovered samples and live infrastructure, not theoretical modeling. All findings in this report are referential.

The Funnel: Clean Posts to Malware in Messengers

One core pattern is consistent across nearly everything we observed: A post on social media links to an external platform (usually WhatsApp, Telegram, or Discord); the actual scheme or scam lives inside the messenger, not on social media.

This indirection is deliberate, and it works on two levels. On the social media platform, the link points only to a messenger invite, so the post itself stays “clean,” evades takedown, and keeps pulling in new victims. Inside the messenger, the operator has more room to maneuver, which they use to their advantage. Mobile devices are generally less protected against phishing, and (critically) users tend to place more trust in content they see on a phone than on their desktop. Since there is less general public awareness around how mobile malware works, fans may be less likely to stop and consider that a mobile link could carry malware or cost them money.

Figure 1: Ad for FIFA World Cup match services shown on WhatsApp.

The lures themselves cluster around a handful of themes crafted to sound irresistible to fans: free match streaming, bets to “predict the winner,” cheap ticket purchases, and various cryptocurrency angles tied to the tournament. The vast majority of the destination sites appear to be generated with AI.

In practice, the least painful outcome for fans is the installation of adware on their device or the loss of money through a fraudulent online payment. The outcomes get worse from there.

Timing as a Weapon: the Last-Minute Play

A recurring design choice we kept finding is for the cybercriminal to delay executing the malicious payload until the victim is under time pressure, and (in theory) less able to think critically. Rather than burning malicious links weeks in advance, several channels and groups we observed simply asked users to subscribe now, with the promise that they would post the direct stream link five minutes before kickoff. (“Get stream links instantly. 5 minutes before every match“, claimed one lure.)

When a match is about to start, fans are likely in a state of high excitement and may not stop to verify whether a link is malicious. So they click the link, accept every “yes” prompt the page spawns, and try to watch the match while, in the background, their device is quietly compromised. We also expect a meaningful share of World Cup threats to materialize during the tournament, with malicious links pushed minutes before – or even during – matches.

Figure 2: This “Five minutes prior” lure bets on excited fans failing to verify links before clicking.

Targeting the Fans: Streams, Bets, Tickets, and Crypto

The consumer-facing side of this cybercriminal ecosystem is broad, but one mobile sample illustrates how early and how seriously some actors are investing in it.

Roughly six months before the tournament, a mobile threat distributed under the guise of buying World Cup tickets was being served from the site aaworldcuptickets[.]com as FIFA_WorldCup_Tickets.apk. This Android-targeting package is a multi-stage loader: a primary classes.dex decrypts a first-stage DEX, which in turn decrypts a second-stage DEX. Its main payload performs cryptocurrency mining from the infected device, beaconing to command-and-control infrastructure under the domain fud2026[.]com, including a mining pool on port 9000.

The same domain was previously observed in attacks in Brazil and India, suggesting an established operator repurposing infrastructure for the World Cup. Full hashes and C2 are in the IOC table in our public GitHub repository.

Targeting the Organizers: QR-Code Phishing via a Weaponized “Employee Handbook”

The more novel, and arguably more serious, finding is that attackers are going after the organizers and the broader supply chain of the event itself.

Philadelphia is one of 11 US host cities out of 16 total across the US, Canada, and Mexico, and will host six matches at Lincoln Financial Field. We recovered a purpose-built PDF that directly targets people working on the games in that city: a three-page document titled “Employee Handbook – Understanding employment at FIFA World Cup 26 Philadelphia.” It is styled with the Liberty Bell and a credible HR layout, and its metadata names the city’s legitimate tourism organization (discoverphl.com) and an intended recipient inside.

Figure 3: Philadelphia “Employee handbook” targeting the people working on the games in the city.

The payload is delivered by the technique of QR-code phishing, known as quishing. The document ends by asking the victim to scan a QR code “to access the digital version of the handbook,” complete with a friendly step-by-step guide to opening their camera and tapping the (malicious) link. On a mobile device, which is typically less protected than a desktop, that QR code redirects the victim onward to malicious resources.

Figure 4: Malicious QR code at the back of the Philadelphia “Employee Handbook” fake document.

Several details are of note regarding this malicious PDF document:

  • A “do not forward” social-engineering line. The document explicitly asks recipients not to share it with others, which is framed as protecting a “secure link.” This is not security hygiene; it is a technique to slow detection of both the document and its link by keeping it out of the channels where it could potentially be flagged.
  • PDF metadata. The document’s PDF Info dictionary records the CreationDate, ModDate, and the user-agent string of the tool that produced it. Since this is a social engineering lure, the attacker has most likely first obtained an open-source or freely available document from the organization, which they then modified to suit their needs:

    <</Title (64cbf60f4d3853579576d909efb4eeec.html)
    /Creator (Mozilla/5.0 \(Windows NT 10.0; Win64; x64\) AppleWebKit/537.36 \(KHTML, like Gecko\) HeadlessChrome/139.0.0.0 Safari/537.36)
    /Producer (Skia/PDF m139)
    /CreationDate (D:20250916174018+00'00')
    /ModDate (D:20250916174018+00'00')>>


  • Fabricated and mismatched policy content. These are the hallmarks of a hastily adapted template:
    • A purported “International REXI Day Off” that doesn’t exist in any legitimate U.S. employment framework.
    • A “Typhoon & Rainstorm Policy” for Philadelphia, where typhoons do not often occur, strongly suggesting the template was lifted from a Southeast Asian company and poorly localized.
    • Vague language in the “Global Government Retirement Payments.” A real U.S. employer would most likely reference 401(k), Social Security, or a named plan.
    • Multiple obvious typos (“Ehanges,” “ACKNOWLEGEMENT”) and broken section numbering (6.3 appears twice; 6.5 is missing). This is unusual for an official HR document purporting to be from a major organization.

Because the delivery pattern is generic (PDF → QR code → malicious resource opened on a less-protected mobile device), it is likely that other host cities have been targeted with comparable lures.
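A triage helper for the Info dictionary shown above, added here as an example and not part of the report: a stdlib-only reader for PDF literal strings (it handles the `\(` escapes visible in the Creator value) plus heuristic flags that are this example’s assumptions, not report findings. The sample bytes wrap the report’s own metadata in a constructed minimal PDF skeleton.

```python
import re

# Constructed sample: the Info dictionary quoted in the report, placed inside a
# minimal PDF skeleton so the parser works on realistic bytes.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<</Type /Catalog /Pages 2 0 R>>\nendobj\n"
    b"3 0 obj\n"
    b"<</Title (64cbf60f4d3853579576d909efb4eeec.html)\n"
    b"/Creator (Mozilla/5.0 \\(Windows NT 10.0; Win64; x64\\) AppleWebKit/537.36 "
    b"\\(KHTML, like Gecko\\) HeadlessChrome/139.0.0.0 Safari/537.36)\n"
    b"/Producer (Skia/PDF m139)\n"
    b"/CreationDate (D:20250916174018+00'00')\n"
    b"/ModDate (D:20250916174018+00'00')>>\n"
    b"endobj\n"
    b"trailer\n<</Root 1 0 R /Info 3 0 R>>\n%%EOF\n"
)

INFO_KEYS = rb"/(Title|Creator|Producer|CreationDate|ModDate)\s*\("


def read_literal(data: bytes, pos: int):
    """Read a PDF literal string starting at data[pos] == b'('.
    Handles backslash escapes and balanced nested parentheses; returns
    (decoded string, index just past the closing parenthesis)."""
    depth, out, i = 1, bytearray(), pos + 1
    escapes = {ord("n"): 10, ord("r"): 13, ord("t"): 9}
    while i < len(data) and depth:
        c = data[i]
        if c == 0x5C:                    # backslash: next byte is literal/mapped
            i += 1
            if i < len(data):
                out.append(escapes.get(data[i], data[i]))
        elif c == 0x28:                  # unescaped '(' opens a nested level
            depth += 1
            out.append(c)
        elif c == 0x29:                  # ')' closes a level; outermost ends the string
            depth -= 1
            if depth:
                out.append(c)
        else:
            out.append(c)
        i += 1
    return out.decode("latin-1"), i


def extract_info(pdf: bytes) -> dict:
    """Pull the common Info-dictionary keys out of raw PDF bytes."""
    info = {}
    for m in re.finditer(INFO_KEYS, pdf):
        value, _ = read_literal(pdf, m.end() - 1)   # m.end()-1 is the '('
        info[m.group(1).decode()] = value
    return info


def triage(info: dict) -> list:
    """Heuristic flags for quishing triage (assumptions of this example)."""
    flags = []
    if "HeadlessChrome" in info.get("Creator", ""):
        flags.append("rendered by a headless browser")
    if info.get("Title", "").lower().endswith((".html", ".htm")):
        flags.append("title is an HTML filename: web page printed to PDF")
    if info.get("CreationDate") and info["CreationDate"] == info.get("ModDate"):
        flags.append("single-pass generation (CreationDate == ModDate)")
    return flags
```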

The Centerpiece: Real-time AiTM Phishing That Defeats MFA

Pivoting on the FIFA logo and branding led us to a cluster of lure domains built specifically to impersonate those “hiring at FIFA.” As of 28 May 2026, we identified ten such domains (full list available on our public GitHub), for example fifa-careerpath[.]com, fifahiring[.]com, and jobs-fifa[.]com.

Figure 5: Real Google Calendar invite to a fake meeting with a “FIFA recruiter” whose identity may be either fake or stolen from LinkedIn.

Their objective is theft of corporate Google Workspace accounts, and this kit is far more advanced than the typical static credential-capture page. Everything communicates with a single backend, hosted at hxxps://fifeq2026eqbackeq[.]onrender[.]com, where the eq strings are filler inserted to obscure what otherwise reads as “fifa2026back.”

The chain unfolds in five distinct phases:

  • Pre-attack: Operator side. The operator deploys a React frontend (React is an open-source JavaScript library developed by Meta) plus the backend, to onrender.com (a legitimate cloud-hosting service), then delivers a “book your interview slot” lure naming a recruiter persona that is typically either fake or abuses legitimate recruiter identities from LinkedIn. Delivery is a separate human → email step.
  • Phase 1: Setup. On load, the page mints a session_id via /api/new-user (stored in localStorage as user_created) and silently calls ipwho.is to grab the victim’s IP, city, and country. The victim is tracked before the attacker touches anything.
  • Phase 2: Lure. A fake scheduling form captures the target’s name, email, role, and time, which is posted to /api/booking. This step builds trust while harvesting the target’s real identity.
  • Phase 3: Capture. A counterfeit Google login page steals the target’s email address and password, which is posted to /api/login together with their geolocation. Bundling the location is deliberate: it lets the attacker’s own login appear to originate from the victim’s region.
  • Phase 4: The relay loop. This is what makes the kit dangerous. The backend takes the stolen password and logs into the real Google account, live. Google demands a second factor; the backend reports which type via check_response (authType); the phishing page renders the exact matching MFA screen; the victim completes it; and the code that’s generated is forwarded to /api/twofa (or /api/sms, /api/email) and replayed to Google in the same moment. Four parties are now synchronized in real time.
  • Phase 5: Takeover and cleanup. Google grants the attacker a fully authenticated session. The backend returns a redirect that bounces the victim onto a genuine Google page, so the experience ends without alarm from the target. Post-compromise, the attacker holds a live session and can establish persistence (app passwords, recovery changes, OAuth grants) before the victim notices.

Figure 6: Theft of corporate Google Workspaces: attack chain. 

Why MFA doesn’t help here: The second factor is consumed within seconds of being issued, inside the attacker’s session. One-time codes and SMS/email approvals provide no protection against this design. Only phishing-resistant authentication (such as passkeys or FIDO2/WebAuthn hardware keys, which are cryptographically bound to the target’s legitimate origin) breaks the relay.
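To make the argument above concrete, here is an added example (not code from the report or from the kit it describes) that puts an RFC 6238 one-time code next to the relying-party checks of a WebAuthn assertion. The relying party ID, origins and keys are constructed, and HMAC-SHA256 with a shared key stands in for the authenticator’s ECDSA signature; what matters is that the browser, not the page, writes the real origin into clientDataJSON and the signature covers it.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "example-rp.test"            # assumed relying-party ID (constructed)
RP_ORIGIN = "https://" + RP_ID       # the only origin the relying party accepts


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code: HMAC-SHA1 over the time counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, t: int) -> bool:
    """The server sees six digits and nothing else: the code carries no
    information about which site it was typed into, so a relayed code verifies."""
    return hmac.compare_digest(totp(secret, t), code)


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """Client side. The browser writes the actual page origin into clientDataJSON;
    the authenticator signs authData || SHA-256(clientDataJSON). (A real browser
    would also refuse to use this RP ID from a foreign origin at all.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x05"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()      # stand-in for the ECDSA signature
    return {"clientDataJSON": b64url(client_data),
            "authenticatorData": b64url(auth_data), "signature": b64url(sig)}


def verify_assertion(cred_key: bytes, issued: bytes, a: dict) -> bool:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    client_data = b64url_decode(a["clientDataJSON"])
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get" or c.get("challenge") != b64url(issued):
        return False
    if c.get("origin") != RP_ORIGIN:             # origin binding: the relay fails here
        return False
    auth_data = b64url_decode(a["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(a["signature"]))


def demo() -> dict:
    secret, key = b"constructed-totp-seed", b"constructed-credential-key"
    now, challenge = 1_780_000_000, hashlib.sha256(b"constructed-challenge").digest()
    relayed_code = totp(secret, now)             # typed by the victim into a fake page
    phished = make_assertion(key, challenge, "https://careers-lookalike.test")
    # Rewriting the origin field after signing only breaks the signature.
    c = json.loads(b64url_decode(phished["clientDataJSON"]))
    c["origin"] = RP_ORIGIN
    tampered = dict(phished, clientDataJSON=b64url(json.dumps(c).encode()))
    return {
        "otp_relayed_seconds_later": verify_totp(secret, relayed_code, now + 3),
        "assertion_from_phish_origin": verify_assertion(key, challenge, phished),
        "assertion_origin_rewritten": verify_assertion(key, challenge, tampered),
        "assertion_from_real_origin": verify_assertion(
            key, challenge, make_assertion(key, challenge, RP_ORIGIN)),
    }
```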

On Desktop: a Ticket Lure That Drops an Infostealer

Figure 7: Lure-graphic advertising ticket prices for the World Cup 2026.

Users who shop for tickets from a traditional Windows desktop machine are not safe either. We analyzed a malicious archive with a lure-graphic that advertises “Ticket Prices World Cup 2026” (see above). The chain is straightforward but effective: a delivered file masquerading as WorldCup_Tickets_Viewer?gnp.exe unpacks an obfuscated batch script (datafacebook_obf.bat) alongside a decoy JPEG. When the batch file runs, it drops a UPX-packed executable that functions as a comprehensive infostealer.

Figure 8: Malicious archive content for the decoy advert shown in Figure 7.

Once the machine is infected, it harvests browser secrets (cookies, saved passwords, autofill and payment-profile data, browsing and search history), messaging and session material (Discord tokens, Telegram tdata), clipboard contents and a desktop screenshot, saved Wi-Fi profiles and passwords, and a wide range of application credentials, such as Steam session data, FileZilla credentials, PuTTY keys and sessions, and WinSCP / KeePass / 1Password-related data. All stolen data is then exfiltrated to attacker-controlled Telegram and Discord channels. The hashes from this attack can be found in our public GitHub repository.

Scale and the AI Multiplier

Since January 2026, we have catalogued more than 10,000 new domains registered under the broad umbrella of the World Cup, approximately 2000 new domains per month. The majority are not likely malicious, but with this sheer volume of new domains, combined with generative AI (used to spin up sites, write content, and even produce applications), the cost of launching credible, distinct lures has collapsed. Automation of these types of attacks has reached a new level, and the volume alone makes manual triage by defenders impractical.

What to Expect as the World Cup 2026 Approaches

Several of the threats we investigated are designed to peak during the event itself. We anticipate a surge of last-minute “free stream” links pushed in the minutes before and during matches; continued quishing against host-city staff and vendors as more cities are operationally activated; and sustained AiTM phishing against any organization whose Google Workspace footprint can be tied to the tournament. The desktop infostealer threat will track ticket demand. In short, the activity we are seeing now is a rehearsal; the main event for attackers coincides with the main event for everyone else.

How Arctic Wolf Protects its Customers

Arctic Wolf is committed to ending cyber risk, and when active campaigns are identified, we move quickly to protect our customers. We have leveraged threat intelligence around this threat activity to enhance detections in the Aurora® Superintelligence Platform, subject to customer environment and available telemetry.

As we track this campaign and discover new information, we may further refine our detections to account for additional indicators of compromise (IOCs) and techniques leveraged by the threat group behind this malicious activity.

Recommendations

For Fans and the General Public

  • Treat any “free stream,” “guaranteed tickets,” “betting bonus,” or “World Cup crypto” offer that routes you off a social platform and into WhatsApp, Telegram, or Discord as hostile by default.
  • Buy tickets only through FIFA’s official channels and verified ticketing partners; never from a link in a chat, ad, or DM.
  • Be especially skeptical of links that arrive just before kickoff: that urgency is the catalyst for the attack, not a coincidence. Do not tap through consent or “allow” prompts to “just watch.”
  • Do not install Android Package Kits (APKs) from outside the official app stores, and do not run any “viewer” or “stream player” executable you downloaded to watch a match on your smartphone.
  • Scan QR codes only from sources you already trust; on a phone, a QR code is just a link you cannot see. Be extra vigilant if you have any reason to believe that a QR code has been tampered with.

For Organizers, Host Cities, Sponsors, and Their Vendors

  • Assume your staff are being directly targeted, including via QR-code (quishing) lures in PDFs and emails that impersonate Human Resources, FIFA, or the host-city organization.
  • Brief HR, communications, and front-line staff specifically on the “Employee Handbook” type of lure and the “do not forward this secure link” pressure tactic, since the appearance of lure variants can differ.
  • Move to phishing-resistant MFA now. Enforce passkeys or FIDO2/WebAuthn hardware keys for all Google Workspace (and any SSO) accounts. OTP, SMS, and push-approval MFA do not stop the real-time AiTM relay documented here.
  • For those without the time or resources needed to set up a security training program from scratch, Arctic Wolf offers phishing-focused modules within our Arctic Wolf Managed Security Awareness® training program to help users recognize and respond to the types of threats outlined in this report.
  • Block and alert on the indicators in the IOC table, and proactively hunt for newly registered domains combining your city/venue/organization name with keywords such as “FIFA,” “World Cup,” “2026,” “tickets,” “jobs,” “hiring,” or “careers.”
  • Monitor for OAuth grants, new app passwords, recovery-method changes, and anomalous session geolocations on executive and administrative accounts. These are the post-compromise persistence steps an AiTM operator takes.
  • Alert or block outbound connections to Telegram/Discord APIs from non-standard processes.
  • Coordinate brand-protection takedowns across your full domain cluster, and share indicators with other host cities. The generic delivery pattern analyzed in this report strongly implies parallel campaigns elsewhere.
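The domain-hunting recommendation above, as an added example that is not part of the report: a scoring filter that flags newly registered domains combining the report’s keywords with a host city’s own names. The brand and action terms come from the report; the city/organization terms and the benign names in the sample feed are constructed for this example, and the registrable-label logic deliberately skips a public-suffix list.

```python
# Terms the report recommends hunting for (brand and action), plus the host
# city's own names, which are constructed placeholders for this example.
BRAND_TERMS = ("fifa", "worldcup", "2026")
ACTION_TERMS = ("ticket", "job", "hiring", "career", "stream", "bet")
ORG_TERMS = ("philadelphia", "philly", "discoverphl")


def refang(domain: str) -> str:
    """Accept defanged indicators such as jobs-fifa[.]com as well as live names."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Crude on purpose: without a public-suffix list,
    two-level TLDs such as .co.uk would be mis-split in production."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain: str) -> dict:
    domain = refang(domain)
    squashed = registrable_label(domain).replace("-", "")  # fifa-careerpath -> fifacareerpath
    brand = [t for t in BRAND_TERMS if t in squashed]
    action = [t for t in ACTION_TERMS if t in squashed]
    org = [t for t in ORG_TERMS if t in squashed]
    # A lone brand mention (fifa.com itself) or a lone action word is noise; flag
    # the combinations the report describes: brand+action, brand+org, org+action.
    flag = sum(map(bool, (brand, action, org))) >= 2
    return {"domain": domain, "brand": brand, "action": action, "org": org,
            "flag": flag, "score": 2 * len(org) + len(brand) + len(action)}


def hunt(newly_registered: list) -> list:
    """Flagged domains, highest score first, ready for a watchlist or block rule."""
    hits = [r for r in map(score_domain, newly_registered) if r["flag"]]
    return sorted(hits, key=lambda r: (-r["score"], r["domain"]))


# Constructed feed: the fake-careers and ticket domains named in the report,
# mixed with benign names that share only a single keyword class.
NEW_DOMAINS = [
    "fifa-careerpath[.]com", "fifahiring[.]com", "jobs-fifa[.]com",
    "aaworldcuptickets[.]com",
    "philly-worldcup-2026-tickets[.]com",   # constructed: city + brand + action
    "fifa[.]com",                           # brand alone: not flagged
    "philadelphiaplumbing[.]com",           # city alone: not flagged
    "betterstreams[.]net",                  # action words alone: not flagged
]

if __name__ == "__main__":
    for r in hunt(NEW_DOMAINS):
        print(f'{r["score"]:>2} {r["domain"]:36} brand={r["brand"]} '
              f'action={r["action"]} org={r["org"]}')
```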

Conclusion

Attackers are not waiting for the opening match before launching their campaigns. Months ahead of the 2026 FIFA World Cup, a mature criminal ecosystem is already silently monetizing the event across every layer of defense – and it has expanded from defrauding fans to compromising the very organizations that run the games.

The strategy is simple. Lures stay clean on social media and pull victims into their messengers, where mobile-first delivery exploits weaker defenses and higher user trust. Some are timed to detonate at the moment of least scrutiny, typically five minutes before kickoff, when fan excitement is at its highest level. The targets now include host-city staff, reached through quishing in convincing HR-themed documents, and any organization on Google Workspace, accessed through a phishing kit that defeats conventional MFA in real time. Meanwhile, the classic Windows infostealer continues to drain fan credentials and session material to Telegram and Discord. Generative AI underwrites all of the above, collapsing the cost of producing thousands of distinct, credible domains, sites, and apps.

For defenders, the priorities here are clear: adopt phishing-resistant authentication immediately, treat QR codes and “do not forward” pressure as inherently hostile, hunt the domain clusters described here, and share indicators across host cities; we believe that the generic delivery patterns we observed almost certainly point to parallel campaigns we have not yet seen.

The activity documented in this report is a dress rehearsal. The main event for attackers will coincide with the main event for the rest of the world.

APPENDIX

For additional Appendix sections referenced in this report, including Indicators of Compromise, File Hashes, Phishing Domains, Behavioral/Exfiltration Indicators and more, please see our public GitHub repository.

Legal disclaimer: Attribution reflects Arctic Wolf Labs’ assessment as of the report period and may evolve with new evidence. References to threat actor identity, nexus, and intent are analytical judgments, not statements of legal fact. This alert is provided for informational purposes only and does not constitute a guarantee of detection or prevention. Defensive effectiveness varies by environment, configuration, and available telemetry.


About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.
