Gmail: Ghostwriter APT Uses Fake Gmail Login Panels to Steal Passwords and 2FA Codes

Ghostwriter (UNC1151) Escalates Phishing Attacks with Advanced Gmail Credential Harvesting

CERT Polska has documented a significant evolution in the phishing operations of the threat group Ghostwriter (UNC1151), which has shifted from targeting Polish email providers to high-volume Gmail credential harvesting campaigns that also capture two-factor authentication (2FA) codes. The attacks, active since March 2026, combine urgency lures, rapidly rotating hosting infrastructure and real-time relay of one-time codes to get past the account protections that simple password theft could not.

Attack Methodology

Ghostwriter’s campaigns begin with polished Polish-language phishing emails, often sent from newly created or compromised Gmail accounts with altered display names to appear legitimate. Messages falsely claim suspicious activity or imminent account suspension, pressuring recipients to act quickly. To evade detection, the group uses BCC distribution, sending identical emails to large batches of targets without revealing recipient lists.

Links in the emails direct victims to fake Gmail login panels hosted on rapidly rotating domains, including abused hosting services (e.g., *.netlify.app) and compromised legitimate websites, particularly those of small Polish organizations. Common top-level domains (TLDs) used include .icu, .digital, and .top; observed examples include mailverify.digital and monitoring-google-konta.netlify.app. These domains are frequently replaced, with new ones appearing almost daily during active phases.

2FA Bypass: A Critical Advancement

A key innovation in these attacks is the explicit harvesting of 2FA codes. After a victim enters their credentials, the fake login panel either attempts a real login with them in the background or immediately prompts for a one-time code (SMS or app-generated, such as from Google Authenticator). The attacker uses the code against the genuine Google login within its short validity window, so the victim's own second factor completes the attacker's session. This defeats SMS and app-based two-step verification, which previously stopped simple credential theft; an SMS or TOTP code is just a string the user can be talked into typing anywhere, whereas a hardware security key signs a challenge bound to the genuine site origin and cannot be relayed by a lookalike page.
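The following is an added example, not code from CERT Polska, gbhackers or Google, showing why an authenticator-app code offers no protection against a relaying panel. It implements RFC 6238 TOTP with the standard library and models the verifier's usual clock-skew tolerance; the demo secret, timestamps and the "phishing panel" capture are constructed for the illustration.

```python
# Added example (not code from CERT Polska, gbhackers or Google): why a code
# from an authenticator app is still phishable by a panel that relays it.
# TOTP (RFC 6238, HMAC-SHA1, 6 digits, 30 s steps) from the standard library.
# The secret, timestamps and "phishing panel" below are constructed.
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
SECRET_B32 = "JBSWY3DPEHPK3PXP"  # constructed demo secret, base32 as enrollment QR codes carry it


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing unix_time (HOTP over floor(t/step))."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verifier_accepts(secret_b32: str, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check. Real verifiers tolerate clock drift by also accepting the
    neighbouring steps (+/-1 here), so a code stays usable until the end of the next step."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def relay_attack(secret_b32: str, victim_time: int, relay_delay: int, skew_steps: int = 1) -> bool:
    """Victim types the current code into the fake panel at victim_time; the operator
    (or an automated backend) submits it to the real verifier relay_delay seconds later.
    Returns True if the real login would succeed with the harvested code."""
    harvested = totp(secret_b32, victim_time)      # the panel only sees what the user typed
    return verifier_accepts(secret_b32, harvested, victim_time + relay_delay, skew_steps)


if __name__ == "__main__":
    t = 1_700_000_000
    for delay in (5, 20, 60, 120):
        outcome = "succeeds" if relay_attack(SECRET_B32, t, delay) else "fails"
        print(f"relay after {delay:>3}s -> attacker login {outcome}")
```

The relay wins whenever the attacker submits within the verifier's window, which in practice is tens of seconds; the panel's "enter your code" prompt is designed so the user supplies it exactly when the attacker needs it. Nothing in the code ties it to the site the user is looking at, which is the property a hardware security key adds.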

Targeting Strategy

Ghostwriter’s campaigns are strategically broad yet precise, focusing on:

  • Political actors and public officials
  • Journalists and researchers
  • Law enforcement personnel
  • Professional and familial associates of high-value targets

In some cases, attackers guess email addresses based on common names, leading to collateral phishing attempts. Messages are often tailored by profession or region, with urgent language (e.g., "critical alert" or "imminent suspension") to provoke rapid responses. The group demonstrates persistence, sending multiple follow-ups to the same inboxes within days to increase interaction rates.

Infrastructure and Detection Challenges

UNC1151 operates with a flexible, high-churn infrastructure, leveraging:

  • Dedicated phishing domains (frequently under obscure TLDs)
  • Abused hosting platforms (e.g., Netlify, compromised websites)
  • Rapid domain rotation to evade takedowns

Detection relies largely on user vigilance: noticing a mismatched domain in the address bar, an unexpected 2FA prompt, or unsolicited urgency in a message. Organizations are advised to adopt phishing-resistant authentication (e.g., hardware security keys), monitor for credential stuffing and anomalous logins (e.g., sign-ins from new devices or locations shortly after a user visited a suspicious link), and implement domain monitoring to identify and neutralize lookalike domains.
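As an added example (not part of the CERT Polska report or the original article), the script below triages URLs from web-proxy or mail logs against the infrastructure pattern described above. The indicator lists are assumptions derived from the text (the .icu, .digital and .top TLDs, netlify.app subdomains, and Gmail/Polish-account vocabulary in hostnames), the score thresholds are arbitrary, and the log lines are constructed rather than real telemetry.

```python
# Added example (not from CERT Polska, gbhackers or Google): score URLs seen in
# proxy/mail logs for the fake-Gmail-panel pattern. Indicators, thresholds and
# the sample log are assumptions/constructed data for the illustration.
import re
from urllib.parse import urlsplit

# Google-operated domains that legitimately serve Gmail sign-in (assumption: extend to taste).
GOOGLE_DOMAINS = ("google.com", "gmail.com", "googleusercontent.com")
# Indicators drawn from the campaign description.
SUSPECT_TLDS = {"icu", "digital", "top"}
ABUSED_HOSTING = ("netlify.app",)
BRAND_KEYWORDS = ("google", "gmail", "mail", "verify", "konta", "konto", "monitoring")
BLOCK_AT = 3  # assumed threshold; tune against your own traffic


def is_google_owned(host: str) -> bool:
    """True only for exact or subdomain matches; 'google.com.evil.icu' does not qualify."""
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)


def triage(url: str):
    """Return (score, reasons) for one URL; higher means more likely a fake Gmail panel."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if not host:
        return 0, ["no host"]
    if is_google_owned(host):
        return 0, ["google-owned host"]
    score, reasons = 0, []
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPECT_TLDS:
        score += 2
        reasons.append(f"suspect tld .{tld}")
    if any(host.endswith("." + h) for h in ABUSED_HOSTING):
        score += 2
        reasons.append("abused static hosting")
    host_kw = [k for k in BRAND_KEYWORDS if k in host]
    if host_kw:                     # brand vocabulary on a non-Google host
        score += 2
        reasons.append("brand keyword in host: " + ",".join(host_kw))
    path_kw = [k for k in BRAND_KEYWORDS if k in path]
    if path_kw:                     # e.g. a panel dropped into a compromised site's upload dir
        score += 1
        reasons.append("brand keyword in path: " + ",".join(path_kw))
    return score, reasons


def verdict(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    return "review" if score > 0 else "allow"


LOG_RE = re.compile(r"user=(?P<user>\S+)\s+dst=(?P<url>\S+)")


def scan_log(lines):
    """One finding per parseable log line: user, url, score, verdict, reasons."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        score, reasons = triage(m["url"])
        findings.append({"user": m["user"], "url": m["url"], "score": score,
                         "verdict": verdict(score), "reasons": reasons})
    return findings


# Constructed sample proxy log, not real telemetry.
SAMPLE_LOG = [
    "2026-03-04T09:12:31Z user=j.kowalski dst=https://monitoring-google-konta.netlify.app/login",
    "2026-03-04T09:13:02Z user=j.kowalski dst=https://accounts.google.com/signin/v2",
    "2026-03-04T09:15:47Z user=a.nowak dst=https://mailverify.digital/auth",
    "2026-03-04T09:16:10Z user=a.nowak dst=https://example-sklep.pl/wp-content/uploads/gmail/index.php",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:6} score={f['score']} {f['user']:<12} {f['url']}  {'; '.join(f['reasons'])}")
```

The compromised-legitimate-site case deliberately lands in "review" rather than "block": a small Polish organisation's real domain carries none of the cheap-TLD or hosting indicators, so only the Gmail-themed path gives it away and an analyst should look before blocking. A user who hits a "block" URL and then, minutes later, shows a sign-in from an unfamiliar device is the anomalous-login correlation the text recommends.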

CERT Polska’s analysis underscores the group’s adaptability and persistence, highlighting that even users who ignore the first message face repeated attempts, increasing the risk of eventual compromise. The campaign is a stark reminder that SMS and app-based 2FA codes can be phished and relayed in real time, and that phishing-resistant factors such as hardware security keys are needed for high-value accounts.

Source: https://gbhackers.com/fake-gmail-login-panels/

Google cybersecurity rating report: https://www.rankiteo.com/company/google

{
  "id": "GOO1781613134",
  "linkid": "google",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "industry": "Government, Media, Law Enforcement, Research",
      "location": "Poland",
      "type": "Individuals"
    },
    {
      "industry": "Small Polish organizations (compromised websites)",
      "location": "Poland",
      "size": "Small",
      "type": "Organizations"
    }
  ],
  "attack_vector": "Email (phishing links)",
  "data_breach": {
    "personally_identifiable_information": "Yes (email addresses, names, 2FA codes)",
    "sensitivity_of_data": "High (email credentials, 2FA codes, potential sensitive communications)",
    "type_of_data_compromised": "Credentials, 2FA codes, personally identifiable information (PII)"
  },
  "date_detected": "2026-03-01",
  "description": "CERT Polska uncovered a significant evolution in the phishing operations of the threat group Ghostwriter (UNC1151), which has shifted from targeting Polish email providers to high-volume Gmail credential harvesting campaigns, including the theft of two-factor authentication (2FA) codes. The attacks employ sophisticated tactics to bypass security measures and compromise accounts.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage for targeted individuals and organizations",
    "data_compromised": "Gmail credentials, 2FA codes, personally identifiable information (PII)",
    "identity_theft_risk": "High",
    "operational_impact": "Potential unauthorized access to sensitive communications and data",
    "systems_affected": "Email accounts (Gmail), personal and organizational accounts"
  },
  "initial_access_broker": {
    "entry_point": "Phishing emails with malicious links",
    "high_value_targets": "Political actors, public officials, journalists, researchers, law enforcement personnel"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "SMS and app-based 2FA are vulnerable to phishing; stronger security controls (e.g., hardware security keys) are necessary. Threat actors demonstrate adaptability and persistence in targeting high-value individuals.",
  "motivation": "Credential theft, account compromise, potential espionage or financial gain",
  "post_incident_analysis": {
    "corrective_actions": "Domain takedowns, user education, adoption of phishing-resistant authentication, enhanced monitoring",
    "root_causes": "Sophisticated phishing tactics, 2FA bypass via credential harvesting, abused hosting services, and rapid domain rotation"
  },
  "recommendations": [
    "Adopt phishing-resistant authentication (e.g., hardware security keys)",
    "Monitor for credential stuffing and anomalous logins",
    "Implement domain monitoring to identify and neutralize lookalike domains",
    "Educate users on phishing awareness and recognizing urgent language in emails",
    "Use enhanced monitoring for high-value targets"
  ],
  "references": [
    { "source": "CERT Polska" }
  ],
  "response": {
    "containment_measures": "Domain monitoring, phishing-resistant authentication (e.g., hardware security keys), monitoring for credential stuffing and anomalous logins",
    "enhanced_monitoring": "Monitoring for anomalous logins and credential stuffing",
    "remediation_measures": "Neutralizing lookalike domains, user education on phishing awareness"
  },
  "threat_actor": "Ghostwriter (UNC1151)",
  "title": "Ghostwriter (UNC1151) Escalates Phishing Attacks with Advanced Gmail Credential Harvesting",
  "type": "Phishing",
  "vulnerability_exploited": "Social engineering, 2FA bypass via credential harvesting"
}