Ghost Stadium, a Chinese threat actor tracked by Group-IB, has deployed 300+ typosquatted and cloned FIFA ticketing domains ahead of the 2026 World Cup, distributing fraudulent portals via paid Google Search ads, Facebook, Telegram, and WhatsApp. The campaign harvests financial credentials from consumers and sells fraudulent tickets. No enterprise software vulnerability is involved; enterprise risk is primarily through employee financial harm, reputational exposure from brand proximity to fraud, and potential credential theft if employees use work email addresses on fraudulent portals.