A state-linked hacker group known as Ghostwriter has launched a wave of targeted phishing attacks aimed at Gmail users, disguising malicious emails as official security alerts from Google.
The campaign is designed to trick recipients into handing over their login credentials and two-factor authentication codes, effectively bypassing one of the most trusted layers of account security that people rely on today.
The group, also tracked as UNC1151, has a long history of targeting Polish citizens through their inboxes. For several years, their operations focused on users of Polish email services like Onet, Wirtualna Polska, and Interia.
Since March 2026, however, the group shifted its focus entirely to Gmail accounts, running campaigns with high intensity, primarily on weekdays, and new phishing domains have been appearing almost every single day.
Analysts at CERT Polska (CERT.PL), the national cybersecurity incident response team operating within the structures of Poland’s National Research Institute, identified and documented this campaign.
According to a report shared with Cyber Security News (CSN), CERT.PL noted that these attacks consistently target individuals in prominent positions, including politicians, researchers, journalists, public servants, and people connected to these groups through family or social ties.
The group’s reach is deliberately wide. Attackers do not always know the exact owner of the targeted inbox and sometimes attempt to guess a victim’s email address, which can result in phishing messages landing in unrelated inboxes with similar names.
CERT.PL also observed campaigns aimed at specific professions such as translators and court experts, suggesting a high degree of deliberate targeting behind each wave of attacks.
The Belarusian-linked threat group appears driven by intelligence gathering rather than financial gain.
.webp)
Once access to a target’s inbox is secured, attackers search for contact lists, sensitive documents, and linked social media accounts, which can then be taken over as well.
This pattern of follow-on exploitation makes every successful compromise far more damaging than a simple stolen password.
The UNC1151 group reaches potential victims through fraudulent emails designed to imitate official Gmail administrator communications.
These messages are usually sent from Gmail accounts created specifically for this purpose, though compromised accounts with modified display names are occasionally used as well.
The emails are written in Polish without obvious errors and typically warn of suspicious activity, unauthorized logins, or service term violations, pressuring recipients to act quickly under the threat of account suspension or permanent deletion.
Once a target clicks the link inside the email, they are taken to a fake website built to mirror the Gmail login panel exactly. This page captures the victim’s email address and password.
.webp)
A key development in this campaign, compared to earlier operations targeting Polish email providers, is the ability to also steal two-factor authentication codes.
If a second factor is required, the phishing page presents an additional prompt requesting that code, allowing attackers to intercept both SMS-based codes and those generated by apps like Google Authenticator.
Attackers often target the same accounts repeatedly and sometimes send multiple messages within two days to pile on pressure.
The group dynamically rotates the infrastructure it uses to host phishing pages. Operations have involved dedicated domains registered under TLDs such as .icu, .digital, and .top, as well as subdomains hosted on platforms like Netlify.
Domain names are carefully crafted to align with the message content and the sender address used for delivery.
Ghostwriter also places fake login panels on compromised websites belonging to Polish organizations, doing so without altering the main page to keep the intrusion hidden from both site owners and regular visitors.
CERT.PL strongly advises users to treat any email threatening account deletion or suspension as suspicious until verified. Users should never click links in such messages and should instead go directly to the service by typing its address into the browser.
The report also makes clear that a sender’s display name alone cannot be trusted, and that any email referencing account security issues deserves careful scrutiny before taking any action.
Indicators of Compromise (IoCs):-
The following domains and infrastructure were observed in active use during the Ghostwriter Gmail phishing campaign, as documented by CERT.PL.
| Type | Indicator | Description |
|---|---|---|
| Domain | mailverify.digital | Dedicated phishing domain |
| Domain | check-mail-verify.biz | Dedicated phishing domain |
| Domain | verify-check.digital | Dedicated phishing domain |
| Netlify Subdomain | monitoring-google-konta.netlify.app | Netlify-hosted phishing page |
| Netlify Subdomain | konta-weryfikacja.netlify.app | Netlify-hosted phishing page |
| Netlify Subdomain | service-auth.netlify.app | Netlify-hosted phishing page |
| Phishing Page Path | /landing-page / homepage | Credential harvesting landing page (phishing flow stage 1) |
| Phishing Page Path | Password harvesting page | Password capture stage in phishing flow |
| Phishing Page Path | 2FA harvesting page | Two-factor authentication code capture stage |
| Sender Address | mailsecurenotify@gmail.com | Example sender used in campaign (admin-themed) |
| Sender Address | mailersupport@gmail.com | Example sender used in campaign |
| Sender Address | monitoring.konta@gmail.com | Example sender used in campaign |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。
