Belarus-Linked Hacking Group Targets Polish Gmail Users

The Belarus-linked hacking group UNC1151, also known as Ghostwriter, has been conducting phishing attacks against Gmail users since March 2026. The large-scale phishing campaign was reported by Poland’s cyber incident response centre, CERT Polska.

According to experts, Ghostwriter remains one of the most active cyber espionage groups targeting Polish citizens. While previous campaigns primarily focused on users of Polish email services such as Onet, Wirtualna Polska and Interia, the attackers have now shifted their attention to Gmail accounts. New domains used in the attacks are being registered almost daily.

“The group targets people involved in political activity, socially active citizens, individuals holding prominent positions, academics, journalists, employees of government institutions and security services, as well as other people connected to them through family or personal relationships.

The attackers do not always know who owns the email account to which they send phishing messages. Sometimes they attempt to guess the email address of an intended target, resulting in malicious emails reaching unrelated individuals with matching names and surnames,” CERT Polska said.

The primary objective of the campaign is to gain full access to victims’ email accounts. To achieve this, attackers send messages disguised as official Gmail security notifications. The emails warn of suspicious activity, attempted logins or the possible suspension of an account.

Clicking on a link in the message leads users to a fake login page that imitates Gmail’s interface. After entering their username and password, victims are asked to provide a two-factor authentication code. This allows the attackers to capture not only login credentials but also the second-factor codes that protect the account, including SMS verification codes and one-time passwords generated by authentication applications.

According to Polish experts, once email accounts are compromised, the group searches them for contacts, documents and information about linked accounts that may be used in further cyber operations and intelligence-gathering activities.

CERT Polska said the current campaign demonstrates an expansion in Ghostwriter’s capabilities and operational scale. Users are advised to exercise particular caution with emails concerning account security issues and to avoid entering credentials on pages accessed through links contained in email messages.

The warning follows reports of a Ghostwriter cyber espionage campaign targeting Ukrainian government institutions. According to investigators, the attackers collect information about targeted systems, including usernames, computer names, operating system versions, device uptime and lists of running processes. After analysing the data, they may obtain remote control of the system and use it for espionage purposes.
