FIFA World Cup: Hunting 227 Phishing Domains With the Silent Push MCP Server
When the OCCIP flash alert dropped about fraudulent World Cup ticket and merchandise sites, I figured it was a good excuse to dig in. The report tied the activity to Ghost Stadium, a Chinese-speaking cybercriminal group, and included a solid list of seed domains. That’s usually all I need.
I pulled those seeds into Silent Push and used the MCP server with Claude to run the investigation. The prompt was to find the larger cluster and generate queries I can use to track new infrastructure as it spins up.
The sites were reusing the same favicons, and the domains followed a consistent registration format: a two- or three-letter prefix followed by "26fifashop.site.top". On the first day of the World Cup, 227 new domains matching that pattern had already been registered.
From there it’s straightforward. I took the generated queries into the Context Graph, confirmed the cluster, then dropped those same queries into XSOAR to run daily. Deduplicate the results, query Splunk, push to a watchlist or blocklist. Your tools stay current without someone manually hunting for new sites every morning.
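As an added illustration of the daily step above (this is not Silent Push's or XSOAR's code), the following Python script checks query results against the registration pattern described in this post, normalizes and deduplicates them, and returns only the domains not already on the watchlist. The sample results and watchlist are constructed, not real indicators from the report.

```python
import re
from typing import Iterable

# Registration pattern described in the post: a two- or three-letter prefix
# followed by "26fifashop.site.top". Anchors keep longer names that merely
# contain the string (e.g. "ab26fifashop.site.top.other.example") from matching.
GHOST_STADIUM_PATTERN = re.compile(r"^[a-z]{2,3}26fifashop\.site\.top$", re.IGNORECASE)


def normalize(domain: str) -> str:
    """Lowercase and drop surrounding whitespace and a trailing root dot."""
    return domain.strip().rstrip(".").lower()


def matches_pattern(domain: str) -> bool:
    """True if the domain follows the observed registration format."""
    return GHOST_STADIUM_PATTERN.match(normalize(domain)) is not None


def new_watchlist_entries(query_results: Iterable[str], watchlist: Iterable[str]) -> list[str]:
    """Return pattern-matching domains from today's results that are not yet on the watchlist.

    Results are normalized so that "AB26fifashop.site.top." and
    "ab26fifashop.site.top" count as one entry; order of first appearance is kept.
    """
    known = {normalize(d) for d in watchlist}
    seen: set[str] = set()
    fresh: list[str] = []
    for raw in query_results:
        domain = normalize(raw)
        if not matches_pattern(domain) or domain in known or domain in seen:
            continue
        seen.add(domain)
        fresh.append(domain)
    return fresh


# Constructed sample data (hypothetical values shaped like the described pattern)
SAMPLE_RESULTS = [
    "ab26fifashop.site.top",
    "AB26fifashop.site.top.",       # duplicate of the first, different case/trailing dot
    "xyz26fifashop.site.top",
    "fifa-tickets.example",         # does not follow the pattern
    "qq26fifashop.site.top",        # already on the watchlist
    "abcd26fifashop.site.top",      # four-letter prefix, outside the pattern
]
SAMPLE_WATCHLIST = ["qq26fifashop.site.top"]

if __name__ == "__main__":
    for entry in new_watchlist_entries(SAMPLE_RESULTS, SAMPLE_WATCHLIST):
        print(entry)
```

Only the returned entries need to be pushed to the watchlist or blocklist; the rest were either already known or outside the pattern.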

If you’re already running Claude or any agentic platform, connecting it to Silent Push via the MCP server means the pivot work, query generation, and reporting all happen in one flow. No context switching.
How the Silent Push MCP server works with threat investigations
The Silent Push MCP server connects Silent Push’s datasets directly to AI and agentic platforms like Claude. Instead of manually running pivots across DNS data, web content fingerprints, and domain registration patterns inside the platform, you describe what you’re investigating and the MCP server handles the data retrieval and correlation. It returns enriched results, identifies infrastructure patterns, and generates queries you can use to track new domains matching those patterns over time. Those queries run directly in Silent Push’s Context Graph or feed into your existing SOAR and SIEM workflows. The MCP server is available with the Silent Push Enterprise Edition.
What is Ghost Stadium?
Ghost Stadium is a Chinese-speaking cybercriminal operation that builds scalable fraud ecosystems around major events. The group spins up large volumes of lookalike sites designed to sell fake tickets and merchandise, using shared infrastructure patterns (favicons, domain naming conventions, hosting clusters) that make the sites faster to deploy at scale and, with the right tooling, faster to detect.
What is the Silent Push Context Graph?
The Context Graph is Silent Push’s infrastructure correlation engine. It aggregates DNS records, WHOIS data, host scans, SSL certificates, and web content fingerprints to map relationships between domains, IPs, and threat actor infrastructure. Analysts use it to pivot from a single seed domain to a full infrastructure cluster, identify reused assets like favicons or ASN patterns, and generate detection queries that track new infrastructure matching the same behavioral fingerprints.
Sign up for Community Edition to explore our datasets for free. To use the Silent Push MCP server, get in touch with our team.

