Belarus-Linked UNC1151 Expands Gmail Phishing Campaign, Targeting 2FA Credentials of Polish Users
CERT Polska has documented a UNC1151 phishing campaign aimed at Polish Gmail users. The operation marks a shift in the group's tactics: rather than the Polish webmail providers it targeted before, the attackers now spoof Gmail and serve phishing pages built to capture not only passwords but also two-factor authentication (2FA) codes. Researchers attribute the activity to the Ghostwriter-linked group, which has a long record of targeting email users in Poland.
Also known as Ghostwriter and Storm-0257, UNC1151 has been linked to Belarusian state intelligence services and has remained active against Polish targets since the onset of Russia’s full-scale invasion of Ukraine. This connection underscores the geopolitical implications of the campaign, as it aligns with broader state-sponsored cyber activities.
UNC1151 Gmail Phishing Campaign Expands Target Scope
Historically, UNC1151 primarily focused on users of popular Polish email providers such as Onet, Wirtualna Polska, and Interia. However, since March 2026, the group has shifted its focus to Gmail users, launching high-volume phishing operations that occur almost daily during weekdays. CERT Polska researchers have noted that the attackers target a diverse range of individuals, including politicians, public officials, researchers, journalists, law enforcement personnel, and government employees, as well as their professional, familial, or social connections.
The group has also tailored its campaigns to specific professional sectors and geographic regions. In some instances, phishing emails are sent to unintended recipients as attackers attempt to guess email addresses based on names and affiliations.
How the UNC1151 Gmail Phishing Campaign Works
The UNC1151 Gmail phishing campaign employs fraudulent emails that mimic official Gmail security notifications. These messages often alert recipients to suspicious account activity, unauthorized login attempts, or alleged violations of service policies. Victims are urged to act quickly to avoid account suspension or permanent deletion.
Typically, these emails are dispatched from Gmail accounts created specifically for phishing purposes, although attackers occasionally utilize compromised accounts to enhance credibility. Common subject lines include warnings about security alerts, suspicious activity, and account verification requirements.
Embedded links in these emails direct recipients to counterfeit Gmail login pages that closely resemble Google’s legitimate authentication portal. Once users input their credentials, attackers capture both usernames and passwords.
2FA Credential Theft Marks Key Evolution
The key evolution in this campaign is that the phishing pages harvest 2FA codes as well. Unlike the group's earlier campaigns against Polish email services, the pages now present an additional prompt after the username and password have been submitted: if the account has 2FA enabled, a form asking for the verification code is shown.
This allows the operators to capture both SMS codes and codes generated by apps such as Google Authenticator. Neither kind is tied to the site where it is entered, so a code typed into the fake form and relayed to the real login within its short validity window is accepted; only phishing-resistant methods such as FIDO2 security keys or passkeys, whose responses are bound to the genuine origin, defeat this kind of page. Researchers have observed that the operators keep pressing the same victims after a failed attempt, sending several phishing emails within a few days to raise pressure and improve the odds of capturing usable credentials.
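To make concrete why a code typed into a phishing page still works on the genuine site, the following is an added illustration in Python; it is not code from CERT Polska or from the campaign. It implements RFC 6238 TOTP with the standard library, models the operator relaying the captured code within the validity window, and then contrasts a simplified origin-bound credential in the style of FIDO2/WebAuthn, where the signed assertion covers the origin the browser is actually on. The keys, the origins and the HMAC stand-in for a device signature are this example's assumptions.

```python
"""Why an OTP typed into a phishing page still works on the genuine site.

Added illustration, not code from CERT Polska or the reported campaign.
The first half is RFC 6238 TOTP in the standard library plus a model of the
relay: the victim types the current code into the fake page, the operator
submits it to the real service a few seconds later. The second half is a
simplified origin-bound credential (the FIDO2/WebAuthn property that the
client signs the origin it is on). Keys, origins and the HMAC stand-in for
a device signature are this example's assumptions.
"""
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def service_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    """Genuine service: accept the current step and one step on either side,
    the usual allowance for clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP), code)
               for d in (-1, 0, 1))


def relay_totp(secret: bytes, victim_time: int, delay: int) -> bool:
    """Victim enters the code on the phishing page at victim_time; the
    operator replays it to the real service `delay` seconds later.
    True means the relayed code was accepted: nothing in the code says
    where it was typed."""
    captured = totp(secret, victim_time)          # what the fake 2FA form received
    return service_accepts_totp(secret, captured, victim_time + delay)


def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified authenticator: the signed data includes the origin the
    browser reports. (WebAuthn uses an asymmetric key and clientDataJSON;
    a symmetric HMAC is used here only to keep the example self-contained.)"""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


def service_accepts_assertion(device_key: bytes, challenge: bytes,
                              assertion: bytes, expected_origin: str) -> bool:
    """Genuine service verifies against its own origin, not the one in the request."""
    expected = sign_assertion(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


def relay_origin_bound(device_key: bytes, challenge: bytes,
                       page_origin: str, real_origin: str) -> bool:
    """Victim's browser is on page_origin (the phishing site) and signs that;
    the operator forwards the assertion to real_origin."""
    assertion = sign_assertion(device_key, challenge, page_origin)
    return service_accepts_assertion(device_key, challenge, assertion, real_origin)


if __name__ == "__main__":
    seed = b"12345678901234567890"       # RFC 6238 test-vector secret
    print("TOTP relayed 5 s later accepted:", relay_totp(seed, 59, 5))
    print("TOTP relayed 2 min later accepted:", relay_totp(seed, 59, 120))
    key, challenge = b"device-key-example", b"server-challenge"
    print("Origin-bound assertion relayed from lookalike accepted:",
          relay_origin_bound(key, challenge, "https://mailverify.digital",
                             "https://accounts.google.com"))
```

The first relay succeeds because the genuine service only checks that the code matches the current time step; the second fails only because the operator waited too long, which is why the campaign's pages ask for the code immediately after the password. The origin-bound relay fails regardless of timing, since the assertion was produced for the lookalike origin and the real service verifies it against its own.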
Ghostwriter Phishing Infrastructure Continues to Evolve
The infrastructure supporting this campaign is characterized by constant change. According to CERT Polska, operators utilize domains registered specifically for phishing activities, often leveraging top-level domains such as .icu, .digital, and .top. The group also exploits hosting platforms like Netlify to create deceptive subdomains that imitate account verification services.
Domains seen in this campaign include mailverify.digital, verify-check.digital, monitoring-google-konta.netlify.app, and service-auth.netlify.app. The operators also host fake login panels on compromised websites of legitimate organisations: rather than replacing the site, they hide the phishing page within its existing content, so the site keeps working normally and the panel can stay live for a long time before anyone notices.
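As an added example of how a defender might triage links in mail matching the lures and infrastructure described above (this is not code from CERT Polska, Google or the campaign), the Python below extracts links from a message and scores each against the four published domains, the named TLDs, the netlify.app hosting pattern, and Google branding or login wording appearing outside google.com, which also catches a panel planted on a compromised legitimate site. The word lists, the scoring thresholds and the sample message are this example's own constructions.

```python
"""Link triage against the indicators and patterns CERT Polska describes.

Added example, not code from CERT Polska, Google or the reported campaign.
The four domains come from the article; the scoring rules, word lists and
the sample message below are this example's own constructions.
"""
import re
from urllib.parse import urlparse

KNOWN_PHISHING_DOMAINS = {          # indicators quoted in the article
    "mailverify.digital",
    "verify-check.digital",
    "monitoring-google-konta.netlify.app",
    "service-auth.netlify.app",
}
RISKY_TLDS = {"icu", "digital", "top"}      # TLDs the article names
BRAND_WORDS = ("google", "gmail")
LOGIN_WORDS = ("signin", "login", "auth", "verify", "weryfikacja",
               "konto", "konta", "monitoring", "secure")   # assumption: typical lure wording

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text: str) -> list[str]:
    """Pull http(s) links out of a message body, trimming trailing punctuation."""
    return [u.rstrip(".,;:)]>") for u in URL_RE.findall(text)]


def classify_url(url: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one link.

    Verdicts: 'known_bad' (published indicator), 'google' (real Google host),
    'suspicious' (two or more heuristics fire), 'low' (one fires), 'clean'.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    path = parsed.path.lower()
    if any(host == d or host.endswith("." + d) for d in KNOWN_PHISHING_DOMAINS):
        return "known_bad", ["matches published indicator"]
    if host == "google.com" or host.endswith(".google.com"):
        return "google", ["genuine Google host"]
    reasons = []
    tld = host.rsplit(".", 1)[-1]
    if tld in RISKY_TLDS:
        reasons.append(f"TLD .{tld} used by the campaign")
    if host.endswith(".netlify.app"):
        reasons.append("free hosting subdomain (netlify.app)")
    if any(w in host or w in path for w in BRAND_WORDS):
        # also fires for a Gmail panel parked under a compromised legitimate site
        reasons.append("Google branding outside google.com")
    if any(w in host or w in path for w in LOGIN_WORDS):
        reasons.append("login/verification wording in host or path")
    if len(reasons) >= 2:
        return "suspicious", reasons
    return ("low" if reasons else "clean"), reasons


def triage_message(body: str) -> dict[str, str]:
    """Map every link in a message to its verdict."""
    return {u: classify_url(u)[0] for u in extract_urls(body)}


# Constructed sample lure in the style the article describes (not a real message)
SAMPLE_MAIL = """\
Subject: Security alert - unusual sign-in detected
Your account will be suspended unless you confirm your identity within 24 hours:
https://monitoring-google-konta.netlify.app/login
If you did not request this, review activity at https://konto-weryfikacja.top/google/auth.
Help: https://support.google.com/accounts
"""

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_MAIL).items():
        print(f"{verdict:10s} {url}")
```

The published domains are matched by suffix so that a subdomain of an indicator is still caught; everything else is heuristic and meant for ranking mail for review, not for automatic blocking. A real deployment would refresh the indicator set from the CERT Polska feed rather than hard-coding it.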
Gmail Phishing Attacks Signal Broader Threat
The rise in Gmail phishing attacks illustrates UNC1151’s continued ability to adapt its tactics while maintaining its long-standing objective of gaining access to email accounts. Once access is achieved, attackers search for sensitive documents, contact lists, and linked services, including social media accounts that can be further compromised. Stolen contacts may also be leveraged to identify additional targets for future phishing campaigns.
While the group’s recent focus has shifted toward Gmail, researchers caution that attacks against users of Polish email providers have not entirely ceased. The findings emphasize the growing sophistication of state-linked phishing operations and highlight the importance of scrutinizing login requests, verifying website domains, and employing strong authentication practices.
As the UNC1151 Gmail phishing campaign continues to evolve, cybersecurity experts anticipate further adaptations designed to bypass defenses and enhance the success rate of credential theft operations.
For more information on this evolving threat landscape, refer to the original reporting source: thecyberexpress.com.