Image: the CERT Polska team
Poland’s national cyber team has sounded the alarm. A fresh UNC1151 Gmail phishing campaign is hunting credentials from high-profile targets. According to CERT Polska, the group behind it, also known as Ghostwriter, “remains one of the most active APT groups” it tracks. Since March 2026, the actors have aimed squarely at Gmail users. Once inside, they loot contacts, documents, and linked accounts.
From Polish Inboxes to Gmail
For years, Ghostwriter chased accounts on Polish providers like Onet, WP, and Interia. Now the focus has shifted. The UNC1151 Gmail phishing operation runs with high intensity, mostly on weekdays. Moreover, CERT Polska reports “new domains serving phishing pages almost daily.”
The targeting is deliberate, not random. The group pursues politicians, journalists, researchers, and public officials. It also chases their families and close contacts. CERT Polska has even spotted waves aimed at specific professions, such as translators and court experts. Sometimes, however, attackers simply guess addresses, so messages reach unrelated people with similar names.
A Belarus-Linked Threat
Attribution points east. Researchers tie UNC1151, also tracked as Storm-0257, to Belarusian state intelligence. The group has stayed active against Polish targets since Russia’s invasion of Ukraine. Beyond stolen mailboxes, it runs influence and disinformation operations. So this UNC1151 Gmail phishing wave likely serves espionage, not profit.
Stealing the Second Factor
The emails pose as official Google security alerts. Written in fluent Polish, they warn of suspicious logins or looming account deletion. These messages generally avoid obvious language errors, which makes them convincing. Then they pressure the victim to “verify” through a linked page. Often, attackers hide recipients using the BCC field.
That link leads to a fake Gmail login panel. There, the page harvests the email address and password. Crucially, this campaign goes further than older ones: it also captures the second factor. Because the attackers use the stolen password immediately, they can prompt for and relay SMS codes and Google Authenticator codes while those codes are still valid, so a conventional one-time code does not stop the login.
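The mechanism behind the paragraph above, as an added example (this is not code from CERT Polska or the article): a one-time code is bound only to the clock, so a code typed into the fake panel and forwarded within seconds is accepted by the real service, while an origin-bound credential of the passkey kind is rejected because the browser, not the page, records which site it was used on. The TOTP secret, timestamps, device key, challenge and domain names are all constructed, and the HMAC stands in for the authenticator's real signature.

```python
"""Added example, not code from CERT Polska or the article: why a one-time
code typed into a phishing page still works for the attacker, and why an
origin-bound (passkey-style) credential does not. Secret, times, challenge and
domains are constructed."""
import base64
import hashlib
import hmac
import json
import struct

STEP = 30    # RFC 6238 time step used by Google Authenticator
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (the Google Authenticator default)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, skew_steps: int = 1) -> bool:
    """Typical server check: accept the current step and one step either side."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * STEP), code)
               for d in range(-skew_steps, skew_steps + 1))


def relayed_code_accepted(secret_b32: str, victim_time: int, relay_delay: int) -> bool:
    """The victim types the code into the fake panel at victim_time; the
    attacker forwards it to the real login relay_delay seconds later. The code
    is bound only to the clock, so a prompt relay is accepted."""
    code_seen_by_attacker = totp(secret_b32, victim_time)
    return verify_totp(secret_b32, code_seen_by_attacker, victim_time + relay_delay)


# --- origin-bound credential, WebAuthn-style (simplified) ---------------------
# The browser, not the page, writes the origin into clientDataJSON, and the
# authenticator signs over it. The HMAC below stands in for the authenticator's
# ECDSA signature over authenticatorData || SHA-256(clientDataJSON); the origin
# check the relying party performs is the same.

def authenticator_sign(device_key: bytes, client_data_json: bytes) -> bytes:
    return hmac.new(device_key, hashlib.sha256(client_data_json).digest(),
                    hashlib.sha256).digest()


def verify_assertion(device_key: bytes, expected_origin: str, expected_challenge: str,
                     client_data_json: bytes, signature: bytes) -> bool:
    """Relying-party side: the signature must verify AND the signed origin must
    be the site's own AND the challenge must be the one it issued."""
    if not hmac.compare_digest(authenticator_sign(device_key, client_data_json), signature):
        return False
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and data.get("origin") == expected_origin
            and data.get("challenge") == expected_challenge)


def assertion_from_page_accepted(device_key: bytes, page_origin: str) -> bool:
    """A relaying phishing page can forward the real site's challenge, but the
    browser still records the page's true origin, so the relying party rejects
    an assertion produced on a lookalike domain."""
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"   # constructed; really 16+ random bytes
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    signature = authenticator_sign(device_key, client_data)
    return verify_assertion(device_key, "https://accounts.google.com", challenge,
                            client_data, signature)


if __name__ == "__main__":
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test secret
    DEVICE_KEY = b"constructed-passkey-private-key"
    print("code relayed after 5 s accepted:   ", relayed_code_accepted(SECRET, 1_000_000_000, 5))
    print("code replayed after 120 s accepted:", relayed_code_accepted(SECRET, 1_000_000_000, 120))
    print("passkey on real origin accepted:   ", assertion_from_page_accepted(DEVICE_KEY, "https://accounts.google.com"))
    print("passkey on lookalike accepted:     ", assertion_from_page_accepted(DEVICE_KEY, "https://accounts-google.icu"))
```

The relay succeeds for the same reason the article describes: nothing in an SMS or authenticator code says where it was typed. The passkey-style check fails on the lookalike origin even though the signature itself is valid, which is what "phishing-resistant" means in practice.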
Persistent and Aggressive
The attackers rarely give up after one try. Instead, they send repeated messages, sometimes several within two days. Each follow-up shortens the supposed deadline to crank up pressure. If credentials fail, more phishing emails soon follow.
Rotating Infrastructure
Ghostwriter rotates its infrastructure constantly. It registers throwaway domains under TLDs like .icu, .digital, and .top. Additionally, it abuses hosting services, especially *.netlify.app subdomains. The group even plants fake panels on compromised Polish websites while leaving the site's main page untouched, so the owner may not notice.
How to Stay Safe
The defenses are straightforward. First, never enter credentials on a page reached through an email link. Instead, type the service address directly. CERT Polska notes that “a key warning sign is an incorrect domain visible in the address bar.” Enabling phishing-resistant authentication, such as passkeys or FIDO2 security keys, adds a far stronger layer than SMS codes: the credential is bound to the real site's origin, so a lookalike domain cannot obtain a valid sign-in even if the victim cooperates, whereas an SMS or authenticator code can simply be relayed. Above all, treat any account-deletion threat with suspicion.
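A small link-triage routine that puts the address-bar rule and the infrastructure indicators from the "Rotating Infrastructure" section into code, as an added example (not code from CERT Polska or the article). It checks that a link actually lands on Google's own sign-in host, and otherwise flags the throwaway TLDs and *.netlify.app hosts the article names, brand words in a non-Google host, and the `user@host` trick that makes a lookalike look like accounts.google.com. The sample email and every URL in it are constructed; `accounts.google.com` as the only trusted sign-in host is an assumption for the example.

```python
"""Added example, not code from CERT Polska or the article: triage links from a
suspected Google security alert using the indicators the article lists
(throwaway TLDs, *.netlify.app, lookalike hosts) and the rule that matters
most, namely that Google credentials belong only on Google's own sign-in host.
The sample email and every URL in it are constructed."""
import re
from urllib.parse import urlsplit

TRUSTED_SIGNIN_HOSTS = {"accounts.google.com"}      # assumption for the example
THROWAWAY_TLDS = {"icu", "digital", "top"}          # TLDs named in the article
ABUSED_HOSTING_SUFFIXES = (".netlify.app",)         # hosting named in the article
BRAND_WORDS = ("google", "gmail")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage_url(url: str):
    """Return (verdict, reason) where verdict is 'ok', 'block' or 'review'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")   # hostname ignores user:pass@
    if parts.scheme not in ("http", "https") or not host:
        return "block", "not a plain web URL"
    if host in TRUSTED_SIGNIN_HOSTS:
        if parts.scheme == "https":
            return "ok", "Google's own sign-in host"
        return "block", "Google sign-in host over plain http"
    reasons = []
    tld = host.rsplit(".", 1)[-1]
    if tld in THROWAWAY_TLDS:
        reasons.append(f"throwaway TLD .{tld}")
    if host.endswith(ABUSED_HOSTING_SUFFIXES):
        reasons.append("free hosting subdomain")
    if any(word in host for word in BRAND_WORDS):
        reasons.append("brand name in a non-Google host")
    if parts.username is not None:
        reasons.append("text before '@' used to fake the host")
    if reasons:
        return "block", "; ".join(reasons)
    # e.g. a login panel parked on a compromised but otherwise legitimate site
    return "review", "not a Google host; never enter Google credentials here"


def triage_email(body: str):
    """Find every link in an email body and triage it (trailing punctuation stripped)."""
    urls = (m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(body))
    return [(u, *triage_url(u)) for u in urls]


# Constructed sample in the style the article describes: a fake Google alert
# with a deadline, a lookalike link, a free-hosting link and a compromised site.
SAMPLE_EMAIL = """\
Google security alert: a suspicious sign-in was detected.
Verify your account within 24 hours at https://accounts.google.com@mail-verify.icu/login
or your account will be deleted. Help: https://google-security-check.netlify.app/
Support page: https://support.example.pl/wp-content/uploads/secure/gmail/index.php.
Real sign-in for comparison: https://accounts.google.com/signin.
"""

if __name__ == "__main__":
    for url, verdict, reason in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:6} {url}\n       {reason}")
```

The "review" verdict is deliberate: a panel hidden on a compromised Polish site carries none of the cheap indicators, so the only reliable rule is the one CERT Polska gives, which is that the host in the address bar is not Google's.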