{
	"id": "134618c8-eed9-4133-84df-0f6a7f94b854",
	"created_at": "2026-04-06T00:08:21.590211Z",
	"updated_at": "2026-04-10T03:30:33.614118Z",
	"deleted_at": null,
	"sha1_hash": "707ca5c2a3d1e98ab70653b1975c3632dcff4bb8",
	"title": "GoldenCup: New Cyber Threat Targeting World Cup Fans",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62865,
	"plain_text": "GoldenCup: New Cyber Threat Targeting World Cup Fans\r\nArchived: 2026-04-05 13:29:56 UTC\r\nOfficials from the Israeli Defense Force recently uncovered an Android spyware campaign targeting Israeli soldiers and orchestrated by \"Hamas.\" The latest samples attributed to this campaign were discovered by security researchers from ClearSky.\r\nIn our research, we focus on the most recent sample, an application dubbed \"Golden Cup\", launched just before the start of World Cup 2018.\r\nDistribution / Infection\r\nWhen this campaign started at the beginning of 2018, the malware (\"GlanceLove\", \"WinkChat\") was distributed by the perpetrators mainly via fake Facebook profiles, attempting to lure IDF soldiers into socializing on a different platform (their malware). As this approach was not a great success, their latest attempt was to quickly create a World Cup app and this time distribute it to Israeli citizens, not just soldiers.\r\nThe official “Golden Cup” Facebook page. The short URL redirects to the application page on Google Play.\r\nWe assume it was rushed because, unlike GlanceLove, it lacked any real obfuscation. Even the C\u0026C server side was mostly exposed, with the file listing available for everyone to traverse. It contained approximately 8GB of stolen data.\r\nA recent whois of “goldncup.com”. The creation date is a week before the start of the tournament.\r\nHow it Works\r\nIn order to get into the Google Play Store, the malware uses a phased approach, which is quite a common practice for malware authors these days. The original app looks innocent, with most of its code aimed at implementing the real features that the app claims to provide. In addition, it collects identifiers and some data from the device.\r\nAfter getting a command from the C\u0026C, the app is able to download a malicious payload in the form of a .dex file that is dynamically loaded, adding the additional malicious capabilities.\r\nIn this way, the malware authors can submit their app and add the malicious capabilities only after their app is live on the Play Store.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans\r\nPage 1 of 5\r\nCommunication with the C\u0026C\r\nIn order to communicate with its C\u0026C, the app uses the MQTT (Message Queuing Telemetry Transport) protocol, which is transported over TCP port 1883.\r\nInitiating the MQTT client.\r\nThe app connects to the MQTT broker with a hardcoded username and password and a unique device identifier generated for each device.\r\nThe MQTT connection to the broker.\r\nThe MQTT communication is used primarily to update the device state and get commands from the C\u0026C. It uses different topics that include the unique device identifier, which side is sending the message, and whether it is an information message or a command.\r\nHTTP Communication\r\nIn addition to the MQTT communication, the app also uses plain-text HTTP communication in order to download the .dex file and upload collected data.\r\nAll of the files that are uploaded or downloaded are zip files encrypted with AES in ECB mode. The key for each file is generated randomly and stored in the encrypted file at a fixed offset.\r\nIn order to upload a file, the app uses basic REST communication with the server, checking whether the file already exists and uploading it if it does not.\r\nThe path that is used for the uploads is:\r\nhttp://\u003cdomain\u003e/apps/d/p/op.php\r\nThe communication looks like this:\r\nFirst Phase\r\nThe first phase of the app’s attack flow collects device information and a list of apps installed on the device. These are then uploaded to the C\u0026C HTTP server.\r\nThe collection of basic device information.\r\nIn addition, at this stage the app can process one of these commands:\r\n•    Collect device info\r\n•    Install app\r\n•    Is online?\r\n•    Change server domain\r\nOut of these, the most interesting command is the “install app” command, which downloads an encrypted zip file containing the second-phase dex file, unpacks it and loads it.\r\nSecond Phase\r\nThe second-phase dex file contains 3 main services:\r\n•    ConnManager - handles connections to the C\u0026C\r\n•    ReceiverManager - waits for incoming calls / app installations\r\n•    TaskManager - manages the data collection tasks\r\nThe C\u0026C server address is different from the one used by the first phase, so the app reconnects to the new server and starts the periodic data collector tasks.\r\nBy analyzing the TaskManager class we can see the new commands that are supported at this stage:\r\nAs can be seen in the code snippet above, quite a lot of data collection tasks are now available:\r\nCollect device info\r\nTrack location\r\nUpload contacts information\r\nUpload sent and received SMS messages\r\nUpload images\r\nUpload video files\r\nSend recursive dirlist of the external storage\r\nUpload specific files\r\nRecord audio using the microphone\r\nRecord calls\r\nUse the camera to capture bursts of snapshots\r\nThose tasks can run periodically, on an event (such as an incoming call) or when a command is received from the C\u0026C server.\r\nMitigations\r\nStay protected from mobile malware by taking these precautions:\r\nDo not download apps from unfamiliar sites\r\nOnly install apps from trusted sources\r\nPay close attention to the permissions requested by apps\r\nInstall a suitable mobile security app, such as SEP Mobile or Norton, to protect your device and data\r\nKeep your operating system up to date\r\nMake frequent backups of important data\r\nIndicators of Compromise (IoCs)\r\nPackage names:\r\nanew.football.cup.world.com.worldcup\r\ncom.coder.glancelove\r\ncom.winkchat\r\nAPK SHA2:\r\nLoaded DEX SHA2:\r\nafaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e\r\nDomain/IP:\r\nRoy Iarchy\r\nHead of Research, Modern OS Security\r\nEyal Rynkowski\r\nSymantec Security analyst, Modern OS Security\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"
	],
	"report_names": [
		"goldencup-new-cyber-threat-targeting-world-cup-fans"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434101,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/707ca5c2a3d1e98ab70653b1975c3632dcff4bb8.pdf",
		"text": "https://archive.orkl.eu/707ca5c2a3d1e98ab70653b1975c3632dcff4bb8.txt",
		"img": "https://archive.orkl.eu/707ca5c2a3d1e98ab70653b1975c3632dcff4bb8.jpg"
	}
}