Ghostwriter Hackers Target Gmail Users in Sophisticated Phishing Campaign A state-linked hacker group, Ghostwriter (UNC1151), has intensified its phishing attacks against Gmail users, masquerading as official Google security alerts to steal login credentials and two-factor authentication (2FA) codes. The campaign, active since March 2026, primarily targets Polish individuals in high-profile roles, including politicians, journalists, researchers, public servants, and their associates. Previously focused on Polish email providers like Onet, Wirtualna Polska, and Interia, Ghostwriter has shifted exclusively to Gmail, deploying new phishing domains almost daily primarily on weekdays. The group’s tactics suggest intelligence-gathering motives, with successful breaches leading to further exploitation, such as hijacking linked social media accounts and exfiltrating sensitive documents. ### How the Attack Works The phishing emails, written in fluent Polish, impersonate Gmail administrator notices, warning of suspicious logins, policy violations, or imminent account suspension. Victims are directed to fake login pages that mimic Gmail’s interface, capturing passwords and critically 2FA codes via SMS or authenticator apps. Attackers often repeatedly target the same accounts, sending multiple messages within days to increase pressure. ### Infrastructure & Tactics Ghostwriter employs dynamically rotated domains (e.g., .icu, .digital, .top) and compromised Polish websites to host phishing pages, often without altering the main site to avoid detection. Some attacks use Netlify-hosted subdomains (e.g., monitoring-google-konta.netlify.app) or dedicated phishing domains (e.g., mailverify.digital). Sender addresses, such as [email protected], are crafted to appear legitimate. ### Broader Impact While the campaign initially targeted Polish users, Ghostwriter’s broad guessing of email addresses means unrelated inboxes may also receive phishing attempts. CERT Polska (CERT.PL), which documented the attacks, warns that sender display names and urgent security warnings should be treated with skepticism, recommending direct verification via official service URLs. The group’s Belarusian links and focus on high-value targets underscore the campaign’s role in espionage rather than financial fraud, with each compromised account serving as a gateway for further infiltration.