UNC1151/Ghostwriter phishing campaign targeting Gmail accounts
12 June 2026 | CERT Polska | #phishing, #threat, #unc1151

The UNC1151/Ghostwriter group remains one of the most active APT groups monitored by the CERT Polska team. For many years, it has consistently conducted phishing campaigns aimed at gaining access to the email accounts of Polish citizens. Once compromised, attackers search for valuable information on these accounts, such as contact lists (used to identify further targets), sensitive documents, or linked accounts (e.g., social media). These linked accounts can then be taken over.

In previous years, attackers primarily focused on users of Polish email providers such as Onet, Wirtualna Polska, and Interia. Since March 2026, however, the group has been running phishing campaigns targeting Gmail users. These campaigns are carried out with high intensity, mainly on weekdays. Notably, they enable the theft of two-factor authentication (2FA) credentials. In recent weeks, our team has observed the use of new domains serving phishing pages almost daily.

The group’s scope of interest is very broad. It targets individuals involved in political and public life, those in prominent positions, researchers, journalists, employees of public administration and law enforcement, and individuals connected to these groups through family or social relationships. Attackers do not always know the exact owner of the targeted mailbox. Sometimes they attempt to guess the victim’s address, resulting in phishing messages being delivered to unrelated individuals (due to similar names). We also observe campaigns targeting specific regions or professional groups (e.g., translators or court experts).

Example sender addresses and phishing email subjects:

Sender name | Email address | Subject | Translated subject
Mail Secure | [email protected] | Krytyczny alert | Critical alert
Mailer Notification | [email protected] | Wykryto próbę logowania z nowego urządzenia | New device login detected
Support Security | [email protected] | Alert bezpieczeństwa | Security alert
monitoring konta | [email protected] | Podejrzaną aktywność | Suspicious activity
Zespół Poczty | [email protected] | Możemy zablokować konto | Account may be blocked
Zespół Poczty | [email protected] | Możemy zablokować konto | Account may be blocked
Support Security | [email protected] | Ważna weryfikacja dostępu | Important access verification

Scam scheme

The UNC1151 group reaches potential victims through fraudulent emails designed to imitate official Gmail administrator communications. These messages are usually sent from Gmail accounts created specifically for this purpose, though occasionally compromised email accounts are used (with the sender’s display name modified).

The emails are written in Polish, generally without obvious language errors, and typically claim suspicious activity, unauthorized login attempts, or violations of service terms. They pressure the recipient to verify the issue under threat of account suspension or permanent deletion.

A link is included in the message, usually leading directly to a fake website imitating the Gmail login panel. Very often, instead of directly addressing the victim, attackers use the BCC (Blind Carbon Copy) mechanism - see example below.

The fake website is displayed in Polish and has undergone minor changes over time. By imitating the login process, it captures the victim’s email address and password. A key development compared to earlier campaigns targeting Polish providers is the ability to steal two-factor authentication (2FA) codes.

Once credentials are entered, attackers attempt to log into the victim’s account automatically. If a second factor is required, the phishing page displays an additional form requesting the code. This allows attackers to capture both SMS-based codes and those generated by applications such as Google Authenticator.

Attackers frequently target the same accounts repeatedly, regardless of whether the victim interacted with the phishing page. In some cases, multiple emails are sent in rapid succession (several within two days) to increase pressure and make the messages harder to ignore. Sometimes, the messages are nearly identical, differing only in the shortened response time before the supposed account block (as shown in the example below).

If attackers fail to access the account despite obtaining credentials, they often send subsequent phishing messages.

Based on our observations, phishing links used in Gmail-targeted campaigns are not unique per recipient. The messages typically do not contain tracking elements to confirm whether they were opened.

Examples of Phishing Messages

Below are sample phishing messages distributed as part of the campaign. The red ellipse highlights the link that redirects to a fake login panel.

Directly addressed message

Message sent using BCC mechanism

Message sent from a compromised account

Example follow-up messages sent to the same recipient

Phishing Flow

Below are the successive stages of credential harvesting after being redirected to the fake login panel. A key warning sign is an incorrect domain visible in the address bar.

Landing page

Password harvesting

Two-factor authentication harvesting

Infrastructure

UNC1151 dynamically changes the techniques used in its campaigns. Over the past three months, phishing operations have involved both domains registered specifically for phishing purposes (often under TLDs such as .icu, .digital, and .top) and subdomains created using platforms that allow users to host their own websites within a provider’s domain (most commonly *.netlify.app).

Attackers design domain names to align with phishing message content and the email addresses used to distribute those messages. The group also hosts fake login panels on compromised websites, typically belonging to Polish organizations (e.g., compromised through exploited vulnerabilities). As is typical in such incidents, attackers do not replace the main page of the compromised service. This allows the intrusion to remain unnoticed by regular users and site owners.

Example domains used in the campaign:

Type | Domain
Dedicated domain | mailverify.digital
Dedicated domain | check-mail-verify.biz
Dedicated domain | verify-check.digital
Netlify service abuse | monitoring-google-konta.netlify.app
Netlify service abuse | konta-24weryfikacja.netlify.app
Netlify service abuse | service-auth.netlify.app
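
The indicators described in the scam scheme and infrastructure sections (a support-style display name on an ordinary Gmail sender, delivery via BCC, an account-block subject, and login links on dedicated .icu/.digital/.top/.biz domains or *.netlify.app subdomains) can be combined into a simple mailbox triage check. The Python below is an added example for this article, not CERT Polska tooling; the keyword lists, the Google host allow-list and the sample message (with a placeholder sender address) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Heuristics derived from the campaign description; the lists below are assumptions.
SUPPORT_NAME_RE = re.compile(r"secur|support|mail|zesp|monitoring|notification", re.I)
URGENCY_RE = re.compile(r"zablok|alert|weryfikac|logowan|podejrzan", re.I)
SUSPECT_TLDS = {"icu", "digital", "top", "biz"}   # TLDs seen on dedicated phishing domains
GOOGLE_HOSTS = ("google.com", "gmail.com")         # assumed legitimate link destinations
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def link_verdict(url):
    """Classify one link destination; None means it stays within Google's domains."""
    host = (urlparse(url).hostname or "").lower()
    under = lambda s: host == s or host.endswith("." + s)   # exact host or true subdomain only
    if any(under(s) for s in GOOGLE_HOSTS):
        return None
    if under("netlify.app"):
        return f"login link on abused hosting subdomain: {host}"
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        return f"login link on dedicated lookalike domain: {host}"
    return f"login link outside Google: {host}"

def triage(raw_message, recipient):
    """Return the campaign indicators present in one raw single-part text message."""
    msg = message_from_string(raw_message)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    if sender.lower().endswith("@gmail.com") and SUPPORT_NAME_RE.search(display):
        findings.append("support-style display name on an ordinary gmail.com sender")
    visible = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if recipient.lower() not in visible:
        findings.append("recipient not in To/Cc (BCC delivery)")
    if URGENCY_RE.search(msg.get("Subject", "")):
        findings.append("account-block / verification urgency in subject")
    for url in URL_RE.findall(msg.get_payload()):
        if verdict := link_verdict(url):
            findings.append(verdict)
    return findings

# Constructed sample: placeholder sender, victim reached via BCC, link to a subdomain from the table.
SAMPLE = """\
From: Zespol Poczty <placeholder-sender@gmail.com>
To: placeholder-sender@gmail.com
Subject: Mozemy zablokowac konto

Wykryto podejrzana aktywnosc. Potwierdz dostep w ciagu 24 godzin: https://konta-24weryfikacja.netlify.app/login
"""
```

Running `triage(SAMPLE, "victim@example.com")` reports all four indicators; a genuine Google notification addressed directly to the recipient and linking under google.com produces none.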

Summary

Attacks targeting Gmail accounts at this scale by UNC1151 are a relatively new development; however, the core themes of the messages and their objectives remain unchanged. It is worth emphasizing that although the intensity of previously observed campaigns targeting users of Polish email services (WP, Onet, Interia) has recently decreased, this does not mean the group has completely abandoned such attacks. We encourage you to read our previously published article describing the evolution of UNC1151 techniques and methods across multiple campaigns. The article is available only in Polish, but modern translation tools provide good results.
