Threat Actors Targeting Fans Amid FIFA World Cup Fever

Cybercriminals exploiting World Cup buzz to conduct malicious campaigns

The 22nd FIFA World Cup launched in Qatar on November 20th, 2022, with 32 teams battling for the trophy. With fans around the world excited about the World Cup and cheering on their favorite team, Threat Actors (TAs) are actively also taking advantage of it and using FIFA as a theme in their malicious campaigns targeting unsuspecting victims.

Cyble Research & Intelligence Labs (CRIL) has been continuously monitoring scams related to FIFA World Cup. There have been various scams exploiting the popularity of the FIFA World Cup, such as crypto phishing attempts using fake FIFA airdrops, selling fake tickets to users, fraudulent giveaways, malicious Android applications, an increase in FIFA betting sites, and many others.

Crypto/NFT fraud leveraging FIFA World Cup Theme

While monitoring phishing activity, we identified a few crypto phishing schemes involving the use of the FIFA World Cup theme to lure the victims. The phishing site “football-blnance[.]com” was pretending to be the Binance cryptocurrency website attempting to trick users into giving sensitive information by offering free Non-Fungible Tokens (NFTs).

Figure 1 – Phishing site offering NFT using a football theme

When a user clicks on “Connect wallet” to claim the NFTs, the phishing site displays the QR code, and the user’s wallet account will be compromised upon scanning. The TA could steal sensitive information from the victim’s wallet.

Figure 2 – QR code displayed by phishing sites

In addition to the previously mentioned phishing site, CRIL identified another phishing site, “claim-fifa[.]live”, that is offering FIFA archive NFT packs as a part of its scam. As with the other phishing site, when the user clicks on the “CLAIM NFT PACKS” button, a QR code will appear to connect to the crypto wallet.

Figure 3 – Phishing site offering fake NFT drops

FIFA Scam Spreading Via WhatsApp Messages

Along with crypto phishing scams, we identified another scam circulating on WhatsApp, exploiting the popularity of the FIFA World Cup. Scammers are distributing messages on WhatsApp or social media, claiming FIFA is offering free 50GB data worldwide to watch the 2022 Qatar FIFA World Cup.

Figure 4 – WhatsApp message claiming FIFA giving 50BG data

The message includes a link to a scam website, “hxxp://www.fifa-uj[.]top/” that asks for the user’s mobile number and verifies their eligibility for the free data, as shown in the figure below.

Figure 5 – FIFA scam site offering free 50GB data

After validating the phone number, the scam website prompts users to forward the message to their WhatsApp contacts to claim a 50GB data offer. Scammers commonly use this tactic to spread their scam and trick more people into falling for it.

Figure 6 – Scam website prompting users to forward messages to their WhatsApp contacts

Once users finish forwarding WhatsApp messages, the scam website displays the mobile verification page and offers other gifts, such as iPhones, iPads, etc. Also, the scammer mentioned that users might have to download, install any application, fill out the survey, or do any other given task as a part of the phone verification process.

Figure 7 – Scammer prompting user verification methods.

Threat Actor Distributing Redline Stealer Malware Disguised As FIFA Game

At the start of November 2022, CRIL uncovered a massive Youtube campaign targeting over 100 applications and delivering Info stealer. As the 22nd FIFA World Cup kicked off in Qatar, the same TA started targeting football fans by offering the cracked version of the FIFA 23 game.

We discovered that several YouTube channels had uploaded videos demonstrating how to download and install a pirated version of FIFA 23, along with download links to the software.

Figure 8 – Youtube videos about the cracked FIFA 23 game with a download link

The download link “hxxps://www[.]” hosted the Redline stealer masqueraded as FIFA 13 cracked game. When a user clicks on the “FREE DOWNLOAD” button, the malicious website starts downloading the “FIFA 23 [Cracked].rar” file from the URL “hxxps://www.mediafire[.]com/file/sbw6cgg6cnwmipz/FIFA+23+【+CRACKED+】.rar/file”.

Figure 9 – Malicious website downloading Redline Stealer

Android RAT Distributed Via Malicious Website Using FIFA World Cup Lure

Recently, ESET shared a tweet about a malicious Android RAT distributed via a malicious website. The TA behind this malware had created a Facebook page named “Kora 442”, where users could visit and download a malicious application from a distribution site.

Figure 10 – Facebook page spreading Android RAT (Source – ESET)

The TA has linked the distribution link “hxxps://kora442[.].com” in the post on their Facebook page, mentioning “Follow the World Cup matches live on Kora 442 application” and prompting users to download the malicious application to enjoy watching matches. The distribution site is still active and infecting users with Android RAT.

Figure 11 – Malicious website distributing Android RAT

After installation, the downloaded file “kora442” receives the commands from the Command and Control (C&C) server, as shown in Figure 11, and steals the information below from an infected device.

  • Contact list
  • SMS data
  • Call logs
  • Location
  • Download payload on runtime
  • Steals images and videos
  • Files stored on infected devices
  • WhatsApp and Messenger database if the device is rooted
  • Take pictures
  • Clipboard data
  • Thumbnails
Figure 12 – Malware receiving commands from the C&C server

The malware fetches the C&C server URL from a variable “BBB,” which is saved in the Shared Preferences file “appPreferencess.xml” as shown below.

Figure 13 – Malware storing C&C server URL in Shared Preference file

The RAT can also download additional payloads based on the commands received from the C&C server. Hence there is a chance that TA might use this RAT to perform other malicious activities on the victim’s device.


Threat Actors often take advantage of such global events or festive seasons to launch mass infection campaigns, and users may fall for these scams due to excitement and a lack of attention. As FIFA World Cup launches, CRIL observed various scams targeting users worldwide and distributing malware to steal sensitive information. It’s important to verify the legitimacy of websites before downloading files or submitting any sensitive information.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Avoid downloading files from unknown websites.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1566Phishing
ExecutionT1204User execution
Defense EvasionT1140
Deobfuscate/Decode Files or Information Virtualization/Sandbox Evasion Process Injection: Process Hollowing
Credential AccessT1555
Credentials from Password Stores  Steal Web Session Cookies  Unsecured Credentials  Steal Application Access Token 
Software Discovery  System Time Discovery  System Service Discovery 
Command and ControlT1071Application Layer Protocol
Initial AccessT1476Deliver Malicious App via Other Means.
Capture SMS Messages Access Contacts List Access Call Logs Access Notifications Data from Local System Capture Audio

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
02cfa159f85e15bd24808859d6cbf1b8e8d21352e7290ba5477744f711bb752bSHA256  Hash of malicious APK
9c904c821edaff095e833ee342aedfcaac337e04  SHA1  Hash of malicious APK
6905fac52473837ed4c548915b5c65a3MD5Hash of malicious APK
hxxps://kora442[.].comURLAndroid RAT Distribution URL
hxxps://firebaseconnections[.]com/backendNew/public/api/URLC&C server
629a4c31ae491844997dacde42e85f1a8d632a1b599281d498660b8d9cb36bddSHA256Hash of Redline Stealer RAR file
e5fa481e5590dd79b73ea483f987cc28afbc0ddbSHA1Hash of Redline Stealer RAR file
c285987ec716c444fcd7d4c17bb2fc54MD5Hash of Redline Stealer RAR file
hxxps://www.playskeep[.]com/fifa-23URLDistribution Site
football-blnance[.]comURLCrypto Phishing Domain
claim-fifa[.]liveURLCrypto Phishing Domain
hxxp://www.fifa-uj[.]topURLWhatsApp Scam website

Comments are closed.

Scroll to Top