A state-linked hacker group known as Ghostwriter has launched a wave of targeted phishing attacks aimed at Gmail users, disguising malicious emails as official security alerts from Google.
The campaign is designed to trick recipients into handing over their login credentials and two-factor authentication codes, effectively bypassing one of the most trusted layers of account security that people rely on today.
The group, also tracked as UNC1151, has a long history of targeting Polish citizens through their inboxes. For several years, their operations focused on users of Polish email services like Onet, Wirtualna Polska, and Interia.
Since March 2026, however, the group has shifted its focus entirely to Gmail accounts, running high-intensity campaigns, primarily on weekdays, with new phishing domains appearing almost every day.
Analysts at CERT Polska (CERT.PL), the national cybersecurity incident response team operating within the structures of Poland’s National Research Institute, identified and documented this campaign.
According to a report shared with Cyber Security News (CSN), CERT.PL noted that these attacks consistently target individuals in prominent positions, including politicians, researchers, journalists, public servants, and people connected to these groups through family or social ties.
The group’s reach is deliberately wide. Attackers do not always know the exact owner of the targeted inbox and sometimes attempt to guess a victim’s email address, which can result in phishing messages landing in unrelated inboxes with similar names.
CERT.PL also observed campaigns aimed at specific professions such as translators and court experts, suggesting a high degree of deliberate targeting behind each wave of attacks.
The Belarusian-linked threat group appears driven by intelligence gathering rather than financial gain.
[Figure: Directly addressed message (Source – CERT.PL)]
Once access to a target’s inbox is secured, attackers search for contact lists, sensitive documents, and linked social media accounts, which can then be taken over as well.
This pattern of follow-on exploitation makes every successful compromise far more damaging than a simple stolen password.
Ghostwriter Hackers Abuse Gmail Admin-Themed Emails
The UNC1151 group reaches potential victims through fraudulent emails designed to imitate official Gmail administrator communications.
These messages are usually sent from Gmail accounts created specifically for this purpose, though compromised accounts with modified display names are occasionally used as well.
The emails are written in Polish without obvious errors and typically warn of suspicious activity, unauthorized logins, or service term violations, pressuring recipients to act quickly under the threat of account suspension or permanent deletion.
Once a target clicks the link inside the email, they are taken to a fake website built to mirror the Gmail login panel exactly. This page captures the victim’s email address and password.
[Figure: Message sent using BCC mechanism (Source – CERT.PL)]
A key development in this campaign, compared to earlier operations targeting Polish email providers, is the ability to also steal two-factor authentication codes.
If a second factor is required, the phishing page presents an additional prompt requesting that code, allowing attackers to intercept both SMS-based codes and those generated by apps like Google Authenticator.
Attackers often target the same accounts repeatedly and sometimes send multiple messages within two days to pile on pressure.
Infrastructure Behind the Campaign
The group dynamically rotates the infrastructure it uses to host phishing pages. Operations have involved dedicated domains registered under TLDs such as .icu, .digital, and .top, as well as subdomains hosted on platforms like Netlify.
Domain names are carefully crafted to align with the message content and the sender address used for delivery.
Ghostwriter also places fake login panels on compromised websites belonging to Polish organizations, doing so without altering the main page to keep the intrusion hidden from both site owners and regular visitors.
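As an added illustration of how a mail-filtering team might encode the traits described above (a Google-branded display name on a plain gmail.com sender, BCC delivery with no visible recipient, account-suspension urgency wording, and links into the reported infrastructure), here is a Python triage function. It is not CERT.PL's or CSN's code: the urgency keyword list and the sample message are constructed, and the IoC hosts are taken from the report's table and re-fanged only for string matching.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts from the report's IoC table (re-fanged here purely for string matching).
IOC_HOSTS = {
    "mailverify.digital", "check-mail-verify.biz", "verify-check.digital",
    "monitoring-google-konta.netlify.app", "konta-weryfikacja.netlify.app",
    "service-auth.netlify.app",
}
# TLDs the report names for the group's dedicated phishing domains.
SUSPECT_TLDS = (".icu", ".digital", ".top")
# Assumed Polish urgency stems: suspend / delete / unauthorized / suspicious.
URGENCY = ("zawiesz", "usun", "nieautoryzowan", "podejrzan")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def assess_message(raw: bytes) -> dict:
    """Score one raw RFC 5322 message; two or more matching traits mark it suspicious."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    reasons = []
    # Google-branded display name, but the mailbox is a consumer gmail.com account.
    if re.search(r"google|gmail", name, re.I) and addr.lower().endswith("@gmail.com"):
        reasons.append("Google-branded display name on a gmail.com sender")
    # No visible recipient, consistent with the BCC delivery CERT.PL observed.
    if not msg.get("To"):
        reasons.append("no To header (BCC delivery)")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    if any(stem in text for stem in URGENCY):
        reasons.append("account-suspension urgency wording")
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_HOSTS:
            reasons.append(f"link to reported IoC host {host}")
        elif host.endswith(SUSPECT_TLDS) or host.endswith(".netlify.app"):
            reasons.append(f"link to host matching campaign pattern {host}")
    return {"sender": addr, "reasons": reasons, "suspicious": len(reasons) >= 2}

# Constructed sample in the style of the reported lure; not a real captured message.
SAMPLE = b"""From: Gmail Administrator <mailsecurenotify@gmail.com>
Subject: Wykryto nieautoryzowane logowanie
Content-Type: text/plain; charset=utf-8

Twoje konto zostanie zawieszone. Potwierdz dane logowania:
https://monitoring-google-konta.netlify.app/landing-page
"""
if __name__ == "__main__":
    print(assess_message(SAMPLE))
```

Any single trait on its own is weak (plenty of legitimate mail arrives via BCC), which is why the verdict requires at least two of them to coincide.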
CERT.PL strongly advises users to treat any email threatening account deletion or suspension as suspicious until verified. Users should never click links in such messages and should instead go directly to the service by typing its address into the browser.
The report also makes clear that a sender’s display name alone cannot be trusted, and that any email referencing account security issues deserves careful scrutiny before taking any action.
Indicators of Compromise (IoCs)
The following domains and infrastructure were observed in active use during the Ghostwriter Gmail phishing campaign, as documented by CERT.PL.
| Type | Indicator | Description |
| --- | --- | --- |
| Domain | mailverify[.]digital | Dedicated phishing domain |
| Domain | check-mail-verify[.]biz | Dedicated phishing domain |
| Domain | verify-check[.]digital | Dedicated phishing domain |
| Netlify Subdomain | monitoring-google-konta[.]netlify[.]app | Netlify-hosted phishing page |
| Netlify Subdomain | konta-weryfikacja[.]netlify[.]app | Netlify-hosted phishing page |
| Netlify Subdomain | service-auth[.]netlify[.]app | Netlify-hosted phishing page |
| Phishing Page Path | /landing-page / homepage | Credential harvesting landing page (phishing flow stage 1) |
| Phishing Page Path | Password harvesting page | Password capture stage in phishing flow |
| Phishing Page Path | 2FA harvesting page | Two-factor authentication code capture stage |
| Sender Address | mailsecurenotify@gmail[.]com | Example sender used in campaign (admin-themed) |
| Sender Address | mailersupport@gmail[.]com | Example sender used in campaign |
| Sender Address | monitoring.konta@gmail[.]com | Example sender used in campaign |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Ghostwriter Hackers Abuse Gmail Admin-Themed Emails to Steal Credentials and 2FA Codes appeared first on Cyber Security News.