Ghostwriter Hackers Steal Gmail Credentials & Abuse Admin-Themed
The state-linked hacking group Ghostwriter has launched targeted phishing attacks against Gmail users. These campaigns employ malicious emails disguised as official Google security alerts.
The campaign is designed to trick recipients into handing over their login credentials and two-factor authentication codes, effectively bypassing one of the most trusted layers of account security that people rely on today.
The group, also tracked as UNC1151, has a long history of targeting Polish citizens through their inboxes. For several years, their operations focused on users of Polish email services like Onet, Wirtualna Polska, and Interia.
Since March 2026, however, the group shifted its focus entirely to Gmail accounts, running campaigns with high intensity, primarily on weekdays, and new phishing domains have been appearing almost every single day.
Analysts at CERT Polska (CERT.PL), the national cybersecurity incident response team operating within the structures of Poland’s National Research Institute, identified and documented this campaign.
According to a report shared with Cyber Security News (CSN), CERT.PL noted that these attacks consistently target individuals in prominent positions, including politicians, researchers, journalists, public servants, and people connected to these groups through family or social ties.
The group’s reach is deliberately wide. Attackers do not always know the exact owner of the targeted inbox and sometimes attempt to guess a victim’s email address, which can result in phishing messages landing in unrelated inboxes with similar names.
CERT.PL also observed campaigns aimed at specific professions such as translators and court experts, suggesting a high degree of deliberate targeting behind each wave of attacks.
The Belarusian-linked threat group appears driven by intelligence gathering rather than financial gain.

Once access to a target’s inbox is secured, attackers search for contact lists, sensitive documents, and linked social media accounts, which can then be taken over as well.
This pattern of follow-on exploitation makes every successful compromise far more damaging than a simple stolen password.
Ghostwriter Hackers Abuse Gmail Admin-Themed Emails
The UNC1151 group reaches potential victims through fraudulent emails designed to imitate official Gmail administrator communications.
These messages are usually sent from Gmail accounts created specifically for this purpose, though compromised accounts with modified display names are occasionally used as well.
The emails are written in Polish without obvious errors and typically warn of suspicious activity, unauthorized logins, or service term violations, pressuring recipients to act quickly under the threat of account suspension or permanent deletion.
Once a target clicks the link inside the email, they are taken to a fake website built to mirror the Gmail login panel exactly. This page captures the victim’s email address and password.

A key development in this campaign, compared to earlier operations targeting Polish email providers, is the ability to also steal two-factor authentication codes.
If a second factor is required, the phishing page presents an additional prompt requesting that code, allowing attackers to intercept both SMS-based codes and those generated by apps like Google Authenticator.
Attackers often target the same accounts repeatedly and sometimes send multiple messages within two days to pile on pressure.
Infrastructure Behind the Campaign
The group dynamically rotates the infrastructure it uses to host phishing pages. Operations have involved dedicated domains registered under TLDs such as .icu, .digital, and .top, as well as subdomains hosted on platforms like Netlify.
Domain names are carefully crafted to align with the message content and the sender address used for delivery.
Ghostwriter also places fake login panels on compromised websites belonging to Polish organizations, doing so without altering the main page to keep the intrusion hidden from both site owners and regular visitors.
CERT.PL strongly advises users to treat any email threatening account deletion or suspension as suspicious until verified. Users should never click links in such messages and should instead go directly to the service by typing its address into the browser.
The report also makes clear that a sender’s display name alone cannot be trusted, and that any email referencing account security issues deserves careful scrutiny before taking any action.
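The display-name point above lends itself to a simple mail-gateway or mailbox-audit check: parse the From header, see whether the display name claims to be Google or a Gmail administrator, and compare that claim against the domain the message actually came from. The following Python is an added example written for this article, not code from CERT.PL or from the report. The sample headers are constructed (the addresses are placeholders, not observed senders), and the allow-list of Google notification domains is an assumption you should replace with your own verified list. It also generalizes slightly beyond the article by treating any "admin"-themed display name as a brand claim, since the campaign's messages imitate administrator communications.

```python
import email.utils
import re

# Constructed sample From headers for illustration; none are taken from the report.
SAMPLE_FROM_HEADERS = [
    'Gmail Administrator <gmail.admin.notice@gmail.com>',    # attacker-created consumer Gmail account
    'Zespół Google <no-reply@accounts.google.com>',          # genuine Google notification domain
    '"Google Security" <security-team@mailverify.digital>',  # hypothetical dedicated phishing domain
    'Jan Kowalski <jan.kowalski@example.org>',               # ordinary mail, no brand claim
]

# Display names that imitate Google or an administrator, as the campaign does.
BRAND_PATTERN = re.compile(r'\b(google|gmail|administrator|admin)\b', re.IGNORECASE)

# Assumption: domains Google itself sends account notices from. Note that gmail.com is
# deliberately absent: a consumer Gmail mailbox calling itself "Gmail Administrator"
# is exactly the pattern the report describes.
TRUSTED_SENDER_DOMAINS = {'google.com', 'accounts.google.com'}


def assess_from_header(header: str) -> dict:
    """Parse one From header and decide whether the display name's brand claim
    is backed by a trusted sending domain."""
    display_name, address = email.utils.parseaddr(header)
    domain = address.rsplit('@', 1)[-1].lower() if '@' in address else ''
    claims_brand = bool(BRAND_PATTERN.search(display_name))
    trusted_domain = domain in TRUSTED_SENDER_DOMAINS or domain.endswith('.google.com')
    return {
        'display_name': display_name,
        'address': address,
        'domain': domain,
        'claims_brand': claims_brand,
        'trusted_domain': trusted_domain,
        # Suspicious only when a brand/admin claim is made from an untrusted domain;
        # mail with no such claim is left to other controls.
        'suspicious': claims_brand and not trusted_domain,
    }


def flag_suspicious(headers) -> list:
    """Return the sender addresses whose display name claims Google/admin identity
    without coming from a trusted Google domain."""
    return [r['address'] for r in map(assess_from_header, headers) if r['suspicious']]


if __name__ == '__main__':
    for h in SAMPLE_FROM_HEADERS:
        r = assess_from_header(h)
        print(f"{'SUSPICIOUS' if r['suspicious'] else 'ok        '}  {h}")
```

The check is deliberately narrow: it only fires when a message both claims to be Google or an administrator and arrives from a domain that is not Google's own. A message with no brand claim in the display name is not cleared by this check; it simply falls through to whatever other filtering is in place.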
Indicators of Compromise (IoCs)
The following domains and infrastructure were observed in active use during the Ghostwriter Gmail phishing campaign, as documented by CERT.PL.
| Type | Indicator | Description |
|---|---|---|
| Domain | mailverify[.]digital | Dedicated phishing domain |
| Domain | check-mail-verify[.]biz | Dedicated phishing domain |
| Domain | verify-check[.]digital | Dedicated phishing domain |
| Netlify Subdomain | monitoring-google-konta[.]netlify[.]app | Netlify-hosted phishing page |
| Netlify Subdomain | konta-weryfikacja[.]netlify[.]app | Netlify-hosted phishing page |
| Netlify Subdomain | service-auth[.]netlify[.]app | Netlify-hosted phishing page |
| Phishing Page Path | /landing-page / homepage | Credential harvesting landing page (phishing flow stage 1) |
| Phishing Page Path | Password harvesting page | Password capture stage in phishing flow |
| Phishing Page Path | 2FA harvesting page | Two-factor authentication code capture stage |
| Sender Address | [email protected] | Example sender used in campaign (admin-themed) |
| Sender Address | [email protected] | Example sender used in campaign |
| Sender Address | [email protected] | Example sender used in campaign |
Note: the domains above are intentionally defanged ([.] in place of .) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
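To put the table to use without hand-editing the indicators, the following Python is an added example written for this article (not CERT.PL's or the site's tooling): it re-fangs the published domains in memory, then scans web-proxy log lines and reports which users reached any of them. The log lines are constructed, the log format (timestamp, user, method, URL, status) is an assumed one, and the `login.verify-check.digital` subdomain in the sample is hypothetical, included to show that the match is done on the hostname and also covers subdomains of a listed domain. Matching on the parsed hostname rather than on a substring is what keeps a URL that merely mentions a domain in its path (the `example.com` line) from being reported.

```python
import re
from urllib.parse import urlparse

# The domains from the IoC table, kept defanged exactly as published.
DEFANGED_IOCS = [
    'mailverify[.]digital',
    'check-mail-verify[.]biz',
    'verify-check[.]digital',
    'monitoring-google-konta[.]netlify[.]app',
    'konta-weryfikacja[.]netlify[.]app',
    'service-auth[.]netlify[.]app',
]

# Constructed proxy log lines (not real traffic). Format is an assumption:
# <timestamp> <user> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2026-04-07T09:14:02Z jkowalski GET https://mailverify.digital/landing-page 200
2026-04-07T09:14:05Z jkowalski POST https://mailverify.digital/ 302
2026-04-07T09:20:11Z anowak GET https://docs.google.com/document/d/example 200
2026-04-07T10:02:44Z mwisniewski GET https://konta-weryfikacja.netlify.app/ 200
2026-04-07T10:05:00Z anowak GET https://example.com/notes/mailverify.digital.pdf 200
2026-04-07T11:00:00Z pzielinski GET https://login.verify-check.digital/ 200
"""

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$'
)


def refang(indicator: str) -> str:
    """Turn the published '[.]' form back into a resolvable name (in memory only)."""
    return indicator.replace('[.]', '.')


def defang(indicator: str) -> str:
    """Inverse of refang, used when writing findings back out."""
    return indicator.replace('.', '[.]')


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the indicator itself or a subdomain of it."""
    return host == ioc_domain or host.endswith('.' + ioc_domain)


def scan_proxy_log(log_text: str, defanged_iocs) -> list:
    """Return one hit per log line whose URL hostname matches a listed domain."""
    iocs = [refang(i).lower() for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = (urlparse(m['url']).hostname or '').lower()
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append({
                    'timestamp': m['ts'],
                    'user': m['user'],
                    'host': host,
                    'indicator': defang(ioc),  # report it defanged, as published
                    'url': m['url'],
                })
                break
    return hits


def affected_users(hits) -> list:
    """Distinct users who reached campaign infrastructure, for follow-up."""
    return sorted({h['user'] for h in hits})


if __name__ == '__main__':
    found = scan_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS)
    for h in found:
        print(f"{h['timestamp']} {h['user']} -> {h['indicator']} ({h['url']})")
    print('users to follow up:', affected_users(found))
```

A hit only tells you that a user's browser reached the fake login panel, not whether credentials or a 2FA code were submitted; given how the report describes the flow, the safe assumption for any listed user is that both may have been captured, so password rotation and a review of active sessions and recovery settings is the follow-up, not just blocking the domain.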


