ctipilot.ch

Ghost Stadium PhaaS — 300+ FIFA domain clones targeting EU fans

campaign · item:ghost-stadium-phaas-300-fifa-domain-clones-eu-fan-credentials

Coverage timeline: 1 (first 2026-05-30 → last 2026-05-30)
Briefs: 1 (1 distinct)
Sources cited: 17 (10 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8

Story timeline

  1. 2026-05-30 · CTI Daily Brief — 2026-05-30 · active_threats: FBI IC3 PSA260527; 300+ domain clones, 11-language fake SSO; June 2026 kickoff

Where this entity is cited

  • active_threats: 1

Source distribution

  • attack.mitre.org: 6 (35%)
  • bleepingcomputer.com: 2 (12%)
  • thehackernews.com: 2 (12%)
  • blog.xlab.qianxin.com: 1 (6%)
  • github.com: 1 (6%)
  • ic3.gov: 1 (6%)
  • scworld.com: 1 (6%)
  • welivesecurity.com: 1 (6%)
  • other: 2 (12%)

Items in briefs about Ghost Stadium PhaaS — 300+ FIFA domain clones targeting EU fans (7)

Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

The FBI issued PSA260527 on 27 May 2026 warning that a Chinese-speaking, financially motivated threat actor tracked by Group-IB as Ghost Stadium has deployed more than 300 phishing sites impersonating fifa.com, all reproducing the official site pixel-for-pixel, including a fake single-sign-on (SSO) authentication flow in multiple languages (FBI IC3 PSA260527, 2026-05-27; BleepingComputer, 2026-05-28). The typosquatted domains span alternative TLDs (.org, .xyz, .live, .sale) and character substitutions; additional fake employment portals impersonate FIFA HR functions. Criminal objectives include credential and financial-data theft via the fake SSO, counterfeit ticket and hospitality sales, and fake merchandise and streaming-rights fraud. UK, Germany, Portugal, and Spain are explicitly named as target demographics. Browser-based security controls (Safe Browsing, SmartScreen) do not protect against freshly registered domains until the abuse has been reported. For defenders at organisations where many employees buy World Cup tickets: advise bookmarking https://www.fifa.com directly and treating any sponsored search result for FIFA ticket purchases as unverified. The high-intensity fraud window is the lead-up to the July 19 final.
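A defender-side triage of the lookalike patterns described above (alternative TLDs, character substitutions, brand embedded in another label) for hunting proxy or DNS logs, as an added example that is not from the FBI PSA or Group-IB; the substitution table, the helper names and the sample hosts are assumptions.

```python
BRAND = "fifa"
OFFICIAL_APEX = "fifa.com"
# Constructed substitution table of common visual swaps; extend it from your own proxy telemetry.
SUBSTITUTIONS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "l": "i"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short labels, so the O(len(a) * len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(host: str) -> list[str]:
    """Return why a host resembles fifa.com; an empty list means it does not."""
    host = host.lower().strip().rstrip(".")
    if host == OFFICIAL_APEX or host.endswith("." + OFFICIAL_APEX):
        return []                                    # the genuine site and its subdomains
    labels = host.split(".")
    if len(labels) < 2:
        return []
    sld, tld = labels[-2], labels[-1]
    reasons = []
    if sld == BRAND and tld != "com":
        reasons.append(f"alternative TLD .{tld}")    # fifa.org, fifa.xyz, fifa.live, fifa.sale
    folded = sld
    for wrong, right in SUBSTITUTIONS.items():
        folded = folded.replace(wrong, right)
    if sld != BRAND and (folded == BRAND or levenshtein(sld, BRAND) == 1):
        reasons.append("character substitution")     # f1fa.com, fiifa.com
    if BRAND in host and sld != BRAND:
        reasons.append("brand embedded in label")    # fifa-tickets.xyz, fifa.com.login.example
    return reasons


def triage(hosts: list[str]) -> dict[str, list[str]]:
    """Map each suspicious host in a proxy/DNS log to its reasons; clean hosts are dropped."""
    return {h: r for h in hosts if (r := lookalike_reasons(h))}
```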

Large-scale ClickFix campaign mass-compromises self-hosted Ghost CMS sites via CVE-2026-26980

From CTI Daily Brief — 2026-05-25 · published 2026-05-25

XLab researchers at Qianxin documented an active, large-scale campaign weaponising the unauthenticated SQL-injection flaw CVE-2026-26980 against self-hosted Ghost CMS instances, with more than 700 compromised domains observed — among them university portals (Harvard, Oxford and Auburn are named), AI/SaaS companies, media outlets, fintech firms, security sites and personal blogs, plus DuckDuckGo (BleepingComputer, 2026-05-24; XLab Qianxin, 2026-05-21). The intrusion is a two-stage operation: the attacker first exploits the pre-auth SQLi in Ghost's Content API to read the admin API key out of the database, then uses that key — which carries full content-management scope — to inject a lightweight JavaScript loader into published articles. The loader pulls a second-stage cloaking script that fingerprints each visitor; those who qualify are served a fake Cloudflare "verify you are human" prompt in an iframe overlaid on the article (the ClickFix / FakeCaptcha pattern) instructing them to paste a supplied command into the Windows Run dialog, which drops DLL loaders, JavaScript droppers, or an Electron-based sample (UtilifySetup.exe) (BleepingComputer, 2026-05-24).

Why it matters to us: self-hosted Ghost is used across EU/CH universities, NGOs and independent media — exactly the named victim profile — and the campaign weaponises a flaw patched back in February (6.19.1) against the still-unpatched long tail. The threat is two-sided: site operators face server-side compromise and admin-key theft (rotate the key and audit posts/themes for injected <script> even after patching, per § 2 and § 5), while every visitor to a compromised site is a ClickFix target. The client-side execution chain is the higher-value, product-agnostic hunt — cmd.exe / powershell.exe spawned from a browser process tree following a Run-dialog paste — and is worth hunting regardless of whether you run Ghost (see § 5).

CVE-2026-26980 — Ghost CMS Content API: unauthenticated blind SQL injection in the `slug` filter, actively exploited

From CTI Daily Brief — 2026-05-25 · published 2026-05-25

CVE-2026-26980 is an unauthenticated SQL injection (CWE-89) scored CVSS 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) in Ghost's Content API. The defect sits in the handling of the slug filter parameter, which is interpolated into a raw SQL fragment without parameterisation; a remote attacker with no authentication can perform boolean-based blind extraction of arbitrary database contents — critically the admin API key, which then grants full content-management scope over articles, themes and users (GitHub Security Advisory GHSA-w52v-v783-gw97). Affected versions span Ghost 3.24.0 through 6.19.0 (a roughly three-year release range); the fix shipped in 6.19.1 on 19 February 2026. Ghost(Pro) cloud instances were patched server-side; self-hosted operators must upgrade themselves, which is the exposed long tail the current campaign targets (BleepingComputer, 2026-05-24).

The CVE clears the § 2 bar on exploitation: SentinelOne documented in-the-wild exploitation as early as 27 February, and XLab confirmed the present large-scale wave (700+ compromised domains) on 21 May (XLab Qianxin, 2026-05-21). Mitigation: upgrade to 6.19.1 or later. Interim compensating controls — block Content API requests whose query string contains slug:[ (URL-encoded slug%3A%5B) at the WAF and restrict or disable the public Content API to trusted origins; the vendor mitigation targets exactly that request pattern. Because the admin API key is the exfiltration target, treat it as compromised on any exposed instance and rotate it after patching, then audit posts and themes for injected JavaScript. Full kill chain and detection in § 5.
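The interim WAF rule and the affected-version check from the paragraph above, as added example code that is not Ghost's or the advisory's; the Content API path prefix, the helper names and the request strings are assumptions.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

FIRST_AFFECTED = (3, 24, 0)   # affected range from the advisory: 3.24.0 through 6.19.0
PATCHED = (6, 19, 1)
CONTENT_API_PREFIX = "/ghost/api/content/"   # assumed public Content API path


def parse_version(v: str) -> tuple[int, int, int]:
    """'v6.19.0-rc.1' -> (6, 19, 0); missing components count as 0."""
    core = v.strip().lstrip("v").split("-")[0]
    major, minor, patch = (core.split(".") + ["0", "0"])[:3]
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True when 3.24.0 <= version < 6.19.1."""
    return FIRST_AFFECTED <= parse_version(version) < PATCHED


def fully_decoded(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding so slug%253A%255B cannot slip past a single decode."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def should_block(request_target: str) -> bool:
    """Emulate the interim WAF rule: deny Content API requests with 'slug:[' in any query value.
    Caveat: Ghost's filter syntax uses [a,b] for its 'in' operator, so a legitimate
    filter=slug:[a,b] is also denied; keep the rule only until 6.19.1 is deployed."""
    parts = urlsplit(request_target)
    if not parts.path.startswith(CONTENT_API_PREFIX):
        return False                                  # only the Content API is in scope
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if "slug:[" in fully_decoded(value).lower():
            return True
    return False
```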

CVE Summary Table

CVE:        CVE-2026-26980
Product:    Ghost CMS (Content API)
CVSS:       9.4
EPSS:       n/a
KEV:        No
Exploited:  Yes (ITW, 700+ sites)
Patch:      v6.19.1
Source:     GHSA-w52v-v783-gw97

UPDATE: Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

UPDATE (originally covered weekly 2026-W21): CERT-UA published a bulletin (surfaced 2026-05-22) on a spring-2026 phishing campaign by Ghostwriter (a.k.a. UAC-0057, UNC1151, FrostyNeighbor) targeting Ukrainian government entities through lures themed on the Prometheus online-learning platform (The Hacker News, 2026-05-22 · SC World, 2026-05-22). The material delta from this week's long-running weekly coverage of FrostyNeighbor / Ghostwriter activity is a new three-stage implant trio, distinct from the prior PicassoLoader toolset.

Chain: phishing email from a compromised account → PDF attachment with a link to a ZIP archive → ZIP carrying a JavaScript file (OYSTERFRESH). OYSTERFRESH renders a decoy document as cover while writing an obfuscated, RC4-encrypted OYSTERBLUES payload to the Windows Registry and launching OYSTERSHUCK. OYSTERSHUCK decodes OYSTERBLUES (executed via JavaScript) which then collects computer name, user account, OS version, last boot time and running process list, exfiltrates via HTTP POST to C2, and executes dynamically received JavaScript via eval(). The final payload is assessed as Cobalt Strike. (MITRE ATT&CK overlay added by this brief, not by the CERT-UA narrative as carried by The Hacker News: T1027 Obfuscated Files/Information on the OYSTERFRESH stage, T1547.001 Registry Run Keys on the OYSTERBLUES persistence, T1059.007 JavaScript on OYSTERSHUCK execution, T1219 Remote Access Software on the Cobalt Strike final.)

Defender vantage: CERT-UA's own recommendation is to block wscript.exe execution for standard user accounts — a high-yield control because the OYSTER trio relies on script-host execution from user context. EDR signal: wscript.exe spawning powershell.exe or a base64-encoded command; registry monitoring for new HKCU\Software Run-key values containing binary blobs or script paths; hunt for Cobalt Strike beacon signatures in HTTP POST egress to non-corporate domains. The EU/CH relevance is direct: Ghostwriter historically targets Belgium, Germany, Poland, Lithuania, Latvia and other NATO members alongside Ukraine, and the OYSTER implant chain is a toolset upgrade defenders should expect to see surfaced in EU government tenants and Eastern-Europe-focused think tanks.

Ghostwriter / UAC-0057 / FrostyNeighbor (Belarus-aligned) — new OYSTER implant chain

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

CERT-UA documented a spring-2026 phishing campaign deploying a new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures (daily 2026-05-23). The campaign continues the actor's focus on Ukrainian and allied government organisations; the staged implant chain is the new tradecraft. For EU/CH government estates that share the actor's target profile, the relevant control is attachment-detonation and learning-platform-lure awareness for staff.

FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

ESET's 2026-05-14 analysis of activity observed since March 2026 documents an evolved spearphishing chain: (1) malicious PDFs impersonating Ukrtelecom with embedded redirect links, (2) RAR archives delivering JavaScript PicassoLoader variants, (3) server-side victim geo-validation (serving a benign PDF to non-Ukrainian IPs) with system fingerprinting every 10 minutes to determine Cobalt Strike eligibility, (4) persistence via scheduled tasks and registry modifications. The previous Polish-targeting wave exploited CVE-2024-42009 (Roundcube XSS) for credential harvesting; WinRAR CVE-2023-38831 is also referenced in the toolchain. The Belarus-aligned actor cluster (UNC1151, UAC-0057, TA445, Storm-0257, Umbral Bison, White Lynx) targets governmental, industrial, healthcare, and logistics sectors. EU scope: Poland, Lithuania, and Ukraine confirmed; broader Eastern European public-sector exposure inferred (ESET WeLiveSecurity; The Hacker News; daily 2026-05-15).

No named EU victim disclosures this run. Status update from the W19 long-running record (item:apt28-apt29-unc1151): ESET's documentation of the geofencing and 10-minute fingerprinting cadence is new operational detail not present in the W19 ABW tri-attribution coverage. Detection: outbound connections to Canarytokens-style endpoints used for fingerprinting; scheduled-task creation with random GUIDs spawned from Office process trees (T1053.005); child processes of WinRAR or archive handlers executing JavaScript (T1059.007); PicassoLoader staging behaviours.

FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned): ESET documents March–May 2026 campaign targeting Polish, Lithuanian, and Ukrainian government and industrial sectors

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

ESET published a new technical report on 2026-05-14 documenting fresh operational activity from FrostyNeighbor — a cluster ESET and Mandiant track as Ghostwriter / UNC1151 / UAC-0057, assessed as apparently Belarus state-aligned — against Polish, Lithuanian, and Ukrainian government and industrial organisations across a March–May 2026 wave (ESET WeLiveSecurity, 2026-05-14). The Ukraine strand distributes RAR archives via spear-phishing PDFs impersonating Ukrtelecom; the archives drop a JavaScript downloader (a PicassoLoader variant) that fingerprints the victim environment (username, process list, OS version) and beacons every 10 minutes to operator infrastructure. A server-side geofencing check delivers a benign decoy to IPs outside Ukraine, making emulation from a non-Ukrainian network appear clean. Polish and Lithuanian targeting covers industrial/manufacturing, healthcare and pharmaceuticals, logistics, and government organisations — ESET documents victimology spanning both NATO member states in the same campaign wave. Once operators manually approve a victim, a Cobalt Strike Beacon payload is staged, indicating deliberate victim-vetting prior to full post-compromise operations. MITRE ATT&CK: T1566.001 (Spearphishing Attachment), T1027 (Obfuscated Files), T1059.007 (JavaScript), T1082 (System Information Discovery — victim-vetting step), T1105 (Ingress Tool Transfer — Cobalt Strike staging). Detection: alert on JavaScript execution from browser/document-viewer parent-process trees, followed by 10-minute periodic outbound HTTP(S) beacons to a new destination; test detections with Ukrainian-egress routing to bypass the geofencing blind spot.
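The endpoint signals named in this item and in the Ghostwriter update and ClickFix item above (a script host spawned from a browser, document viewer or archiver; wscript.exe launching powershell.exe or an encoded command; 10-minute periodic beacons to a new destination from that process), as one added example over constructed telemetry that is not CERT-UA's, ESET's or XLab's detection logic; the process names, event shape and sample hosts are assumptions.

```python
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
DELIVERY_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "acrord32.exe", "winword.exe", "winrar.exe"}

# Constructed sample telemetry, not real events: process creations and HTTP egress per pid.
PROC_EVENTS = [
    {"pid": 10, "image": "outlook.exe", "parent": "explorer.exe", "cmd": ""},
    {"pid": 11, "image": "winrar.exe", "parent": "outlook.exe", "cmd": "Ukrtelecom_invoice.rar"},
    {"pid": 12, "image": "wscript.exe", "parent": "winrar.exe", "cmd": "loader.js"},
    {"pid": 13, "image": "powershell.exe", "parent": "wscript.exe", "cmd": "-enc AAAA..."},
    {"pid": 14, "image": "powershell.exe", "parent": "explorer.exe", "cmd": "Get-Process"},
]
NET_EVENTS = [  # (seconds since start, pid, destination host)
    (0, 13, "updates.example.invalid"), (600, 13, "updates.example.invalid"),
    (1201, 13, "updates.example.invalid"), (1799, 13, "updates.example.invalid"),
    (5, 14, "intranet.example.invalid"), (900, 14, "intranet.example.invalid"),
]

def suspicious_spawns(events):
    """Rule 1: a script host whose parent is a browser, document viewer or archiver (T1059.007).
    Rule 2: powershell.exe launched by wscript.exe or with an encoded command (CERT-UA's OYSTER signal)."""
    hits = []
    for e in events:
        img, parent = e["image"].lower(), e["parent"].lower()
        if img in SCRIPT_HOSTS and parent in DELIVERY_PARENTS:
            hits.append((e["pid"], f"{img} spawned by {parent}"))
        if img == "powershell.exe" and (parent == "wscript.exe" or "-enc" in e["cmd"].lower()):
            hits.append((e["pid"], "powershell from wscript or encoded command"))
    return hits

def periodic_beacons(net_events, period=600, tolerance=0.05, min_hits=3):
    """Flag (pid, dest) pairs whose connection gaps all sit within tolerance of `period` seconds."""
    by_key = defaultdict(list)
    for ts, pid, dest in net_events:
        by_key[(pid, dest)].append(ts)
    flagged = []
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and all(abs(g - period) <= period * tolerance for g in gaps):
            flagged.append(key)
    return flagged

def correlated(events, net_events):
    """Highest confidence: a beaconing pid that also sits in a suspicious spawn chain."""
    spawn_pids = {pid for pid, _ in suspicious_spawns(events)}
    return [key for key in periodic_beacons(net_events) if key[0] in spawn_pids]
```

The 5% tolerance absorbs scheduler drift in the sample; loosen it if the implant adds jitter, and widen DELIVERY_PARENTS to whatever document viewers and archivers your estate actually runs.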