Group-IB Global @GroupIB

Every scam in this campaign shares three signals: urgency, prices that seem too good, and payment by crypto, gift card, or wire. See two of the three. Walk away. Cheer loud. Click slow.

keyboard_arrow_left Previous keyboard_arrow_right Next

The traps: fake ticket sites, cloned login pages promoted via paid ads, one #phishing campaign cloning the official login page across 11 languages, and 32+ fraudulent betting platforms harvesting passport scans and selling them on dark web markets. Crypto payments mean no chargebacks. No recourse.

keyboard_arrow_left Previous keyboard_arrow_right Next

Fraudsters started preparing for the world's biggest football tournament months before kickoff. Group-IB has tracked 4,300+ fake domains and 47,400+ potential ticket fraud victims.

keyboard_arrow_left Previous keyboard_arrow_right Next

This was Instructure's second ShinyHunters breach in eight months. The September 2025 incident came through social engineering against its Salesforce environment. Instructure rotated credentials and patched. Eight months later the same group returned through a different vector and Instructure paid the ransom on May 11 to prevent the data going public.

Confirmed exposed data includes names, email addresses, student IDs and private messages across 8,809 institutions worldwide. ShinyHunters simultaneously defaced Canvas login portals, instructing schools to negotiate privately via Tox or face a public leak of several billion messages before the May 12 deadline.

The entry point was Anodot, a third-party analytics vendor. ShinyHunters compromised Anodot and stole its authentication tokens, then used those tokens to pivot directly into Instructure's Canvas production systems. No malware deployed. No brute force. Stolen third-party trust, weaponized.

How do threat actors hide #phishing infrastructure behind fake error pages while harvesting credit card data in real time through encrypted WebSocket channels? Our latest research unpacks the Error 524 Decoy operation, from geofencing and brand impersonation to global infrastructure patterns. Read the full analysis: link.group-ib.com/4xnMJW7

The campaign combines spoofed SMS messages, shortened URLs, device fingerprinting, and geolocation filtering to maximize success rates. Telecommunications was the most targeted sector with 1,754 #phishing domains, followed by financial services with 696 domains and consumer rewards programs with 488 domains. Bulk domain registrations use low cost TLDs including .ink, .bond, and .top. #FraudDetection

keyboard_arrow_left Previous keyboard_arrow_right Next

Group-IB researchers uncovered a global #smishing operation active since H2 2025 that has impersonated 267+ brands across 72 countries. The campaign generated 4,389 #phishing domains targeting telecommunications, financial services, government, logistics, and rewards programs, demonstrating the industrial scale of modern phishing operations. #ThreatIntelligence

keyboard_arrow_left Previous keyboard_arrow_right Next

On April 6, a single ransomware strike against Signature Healthcare brought a hospital system to its knees. Ambulances diverted. Chemotherapy cancelled. Prescriptions frozen. 15+ locations paralysed. 2TB of patient data in the hands of the Anubis ransomware group. Two weeks of downtime did not begin with a sophisticated nation-state operation. It began with one uncontained intrusion that spread faster than the response. This is what ransomware looks like when it hits healthcare. Not a statistic. A stopped heartbeat. The threat is documented. The blueprint exists. The question is whether your defences are built before the next April 6, not after. Read the HTCT 2026 Report to understand how ransomware operators target critical infrastructure → link.group-ib.com/4kKlcrZ #Ransomware #CyberSecurity #HTCT2026

#Ajina isn't just another #BankingTrojan. It's a case study in how cybercriminals industrialize distribution. First observed in late 2023, Ajina spread through #Telegram channels disguised as financial and government apps, targeting users across Central Asia. By mid-2024, Group-IB researchers had identified over 1,400 unique APK variants and more than 200,000 infections. What started as simple OTP theft evolved into multi-stage dropper attacks: encrypted payloads, obfuscated builds, and silent access to SMS, calls, and contacts. Distributed through affiliate networks. Built to scale. This is what adversary-centric research looks like in practice. Download the HTCT report: link.group-ib.com/3RGNZ6k Tune into the podcast: open.spotify.com/episode/5dWept… #ThreatIntelligence #AndroidSecurity #CyberSecurity #MalwareAnalysi

What happens when the weakest link in your security chain isn't you? In August 2025, a single SonicWall vulnerability in Marquis Software Solutions, a financial sector vendor, exposed between 788,000 and 1.35 million individuals across 74 institutions. VeraBank and Artisans' Bank confirmed theft of names, SSNs, account numbers, and contact details. 37,000+ impacted at VeraBank. 32,000+ at Artisans' Bank. Not one bank was directly breached. In a parallel attack, DragonForce ransomware was deployed across multiple client environments through a compromised MSP's SimpleHelp instance. One vendor. One tool. Unlimited reach. Ransomware today doesn't break down doors. It inherits access through the vendors you already trust. Qilin alone ran 1,062 attacks. Manufacturing absorbed 938 hits globally, the highest of any sector. The vendor you trust is the attack surface you haven't secured yet. Read the full Group-IB High-Tech Crime Trends 2026 Report: link.group-ib.com/4kKlcrZ #Ransomware #SupplyChainAttack

Three realities security leaders won't say out loud: 🔹 We have #threatintelligence, but we don't have the skills to turn it into prioritized decisions. 🔹 We have threat intelligence, but our team is too small to analyze everything we're collecting. 🔹 We don't have threat intelligence yet, and we're making security decisions without knowing who's actually targeting us. All three lead to the same problem: decisions made without the right context. Group-IB's Threat Landscape Service was built for all three. We analyze the adversaries relevant to your organization, identify malware and tools utilized by #threatactors, map their TTPs to MITRE ATT&CK®, and deliver a prioritized and actionable threat landscape, suitable for DORA, TIBER-EU, SAMA CTI, and NIS2. Your resources shouldn't limit your visibility. Learn more: group-ib.com/services/threa… #CyberSecurity #MITREATTACK #Infosec

Beyond GHOST STADIUM, four independent threat actors are running six parallel fraud schemes targeting the world's largest football tournament, including fake streaming platforms, counterfeit merchandise storefronts, fraudulent betting sites, and a Phishing-as-a-Service supply chain that sells pre-built kits to new entrants. With over 4,300 domains registered since August 2025 and 3,800 parked awaiting activation, this represents a coordinated fraud ecosystem, not a single campaign. Read the full technical analysis here: link.group-ib.com/4dIMUSz

Three shared #MetaPixel IDs are embedded identically across all 300+ GHOST STADIUM domains, confirming the same adversary is actively paying #Facebook to promote phishing pages through paid ads. This exploitation of Meta’s advertising platform as the primary traffic acquisition channel means the attacker is converting ad spend directly into stolen credentials and #cryptocurrency payments at scale.

keyboard_arrow_left Previous keyboard_arrow_right Next

The GHOST STADIUM campaign monetizes victims through five parallel payment channels including direct card capture, third-party gateways, P2P apps with specific cashtags and Nequi accounts, region-specific rails like FIXYD Mexico Payment, and crypto on-ramps via Alchemy Pay converting to USDT on Binance Smart Chain for irreversible settlement. Conservative estimates place premium #ticketfraud losses between 71 million and 474 million from 79 domains alone. #PaymentFraud

keyboard_arrow_left Previous keyboard_arrow_right Next

Over 2,513 confirmed credential pairs for the official tournament platform are already circulating on dark web markets for $5 to $50 per pair, harvested incidentally by mass infostealer campaigns dominated by #Vidar and #Lumma malware families rather than targeted phishing. Group-IB's investigation found approximately 130,000 #infostealer logs containing tournament-related references, creating a separate account takeover pipeline operating independently of the GHOST STADIUM phishing infrastructure. #DarkWeb

Group-IB researchers have uncovered a Chinese-speaking threat actor, designated #GHOSTSTADIUM, operating over 300 fraudulent domains with a pixel-perfect React based #phishing kit built on the Layui 2.7.6 framework, a Chinese UI library virtually unknown outside the Chinese developer community. The kit clones tournament's official PingIdentity SSO flow using a legitimate client_id and includes password reset authorization to lock victims out after credential capture. #ThreatIntel

keyboard_arrow_left Previous keyboard_arrow_right Next

The GHOST STADIUM #phishingkit automatically detects browser locale and switches across 11 languages plus three Chinese variants. The granular distinction between Simplified, Traditional, and Hong Kong Chinese in the source code serves as a direct attribution signal to a Chinese-speaking developer, further reinforced by embedded comments in Chinese throughout the phishing infrastructure. #MalwareAnalysis