Ghostwriter Hackers Target Gmail Users in Sophisticated Phishing Campaign
A state-linked hacker group, Ghostwriter (UNC1151), has intensified its phishing attacks against Gmail users, masquerading as official Google security alerts to steal login credentials and two-factor authentication (2FA) codes. The campaign, active since March 2026, primarily targets Polish individuals in high-profile roles, including politicians, journalists, researchers, public servants, and their associates.
Previously focused on Polish email providers like Onet, Wirtualna Polska, and Interia, Ghostwriter has shifted exclusively to Gmail, deploying new phishing domains almost daily primarily on weekdays. The group’s tactics suggest intelligence-gathering motives, with successful breaches leading to further exploitation, such as hijacking linked social media accounts and exfiltrating sensitive documents.
How the Attack Works
The phishing emails, written in fluent Polish, impersonate Gmail administrator notices, warning of suspicious logins, policy violations, or imminent account suspension. Victims are directed to fake login pages that mimic Gmail’s interface, capturing passwords and critically 2FA codes via SMS or authenticator apps. Attackers often repeatedly target the same accounts, sending multiple messages within days to increase pressure.
Infrastructure & Tactics
Ghostwriter employs dynamically rotated domains (e.g., .icu, .digital, .top) and compromised Polish websites to host phishing pages, often without altering the main site to avoid detection. Some attacks use Netlify-hosted subdomains (e.g., monitoring-google-konta.netlify.app) or dedicated phishing domains (e.g., mailverify.digital). Sender addresses, such as mailsecurenotify@gmail.com, are crafted to appear legitimate.
Broader Impact
While the campaign initially targeted Polish users, Ghostwriter’s broad guessing of email addresses means unrelated inboxes may also receive phishing attempts. CERT Polska (CERT.PL), which documented the attacks, warns that sender display names and urgent security warnings should be treated with skepticism, recommending direct verification via official service URLs.
The group’s Belarusian links and focus on high-value targets underscore the campaign’s role in espionage rather than financial fraud, with each compromised account serving as a gateway for further infiltration.
Source: https://cybersecuritynews.com/ghostwriter-hackers-abuse-gmail-admin-themed-emails/
Grupa Wirtualna Polska cybersecurity rating report: https://www.rankiteo.com/company/wirtualna-polska
Google Polska cybersecurity rating report: https://www.rankiteo.com/company/google-polska
"id": "WIRGOO1781655885",
"linkid": "wirtualna-polska, google-polska",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Government, Media, Research, Public '
'Services',
'location': 'Poland',
'name': 'Polish individuals',
'type': 'Individuals'},
{'customers_affected': 'Gmail users (primarily Polish)',
'industry': 'Technology, Email Services',
'location': 'Global',
'name': 'Google (Gmail)',
'size': 'Large',
'type': 'Technology Company'}],
'attack_vector': 'Email',
'customer_advisories': 'Users are advised to verify security alerts directly '
'through official Google URLs and treat urgent emails '
'with skepticism.',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Login credentials, 2FA codes, '
'Sensitive documents, Social '
'media account access'},
'date_detected': '2026-03-01',
'description': 'A state-linked hacker group, Ghostwriter (UNC1151), has '
'intensified its phishing attacks against Gmail users, '
'masquerading as official Google security alerts to steal '
'login credentials and two-factor authentication (2FA) codes. '
'The campaign primarily targets Polish individuals in '
'high-profile roles, including politicians, journalists, '
'researchers, public servants, and their associates. The '
'group’s tactics suggest intelligence-gathering motives, with '
'successful breaches leading to further exploitation, such as '
'hijacking linked social media accounts and exfiltrating '
'sensitive documents.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'targeted individuals and organizations',
'data_compromised': 'Login credentials, Two-factor authentication '
'(2FA) codes, Sensitive documents, Social '
'media account access',
'identity_theft_risk': 'High',
'operational_impact': 'Account hijacking, Unauthorized access to '
'sensitive information',
'systems_affected': 'Gmail accounts, Linked social media accounts'},
'initial_access_broker': {'entry_point': 'Phishing emails',
'high_value_targets': 'Polish politicians, '
'journalists, researchers, '
'public servants'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Urgent security warnings and sender display names should '
'be treated with skepticism. Direct verification via '
'official service URLs is recommended.',
'motivation': 'Espionage, Intelligence Gathering',
'post_incident_analysis': {'corrective_actions': 'User education, Enhanced '
'monitoring for phishing '
'domains, Implementation of '
'stricter authentication '
'measures',
'root_causes': 'Social engineering, Lack of user '
'awareness, Use of dynamically '
'rotated phishing domains'},
'recommendations': 'Enhance user awareness training, implement multi-factor '
'authentication (MFA), monitor for phishing domains, and '
'verify security alerts through official channels.',
'references': [{'source': 'CERT Polska (CERT.PL)'}],
'response': {'communication_strategy': 'Public advisories from CERT Polska',
'remediation_measures': 'Direct verification via official '
'service URLs, User awareness training',
'third_party_assistance': 'CERT Polska (CERT.PL)'},
'stakeholder_advisories': 'CERT Polska has issued public warnings about the '
'phishing campaign.',
'threat_actor': 'Ghostwriter (UNC1151)',
'title': 'Ghostwriter Hackers Target Gmail Users in Sophisticated Phishing '
'Campaign',
'type': 'Phishing',
'vulnerability_exploited': 'Social Engineering, Lack of User Awareness'}