The UNC1151 phishing campaign, directed by the Ghostwriter threat actor, targets Belarusian politicians and Ukrainian web portals with spear-phishing. Fake Gmail alerts lead victims to a compromised Ukrainian site that hosts a clone of a Google login page. The cloned page captures user credentials in real time, bypassing multi-factor authentication.
Security researchers have traced the campaign's infrastructure back to legitimate content delivery networks, revealing a broad scale of operations affecting thousands of accounts. To protect against such threats, users are advised to verify email sources and check URLs before entering passwords, and organizations should implement hardware security keys.
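
The following added example (not from the original report) shows the origin and RP ID checks a login server performs on a security-key assertion, which is why a response produced on a cloned login page cannot be relayed the way a password or one-time code can. It assumes the keys are FIDO2/WebAuthn authenticators; the host names and sample assertions are constructed, and signature verification is left to a WebAuthn library.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://accounts.example.com"  # assumed relying-party origin
EXPECTED_RP_ID = "accounts.example.com"           # assumed relying-party ID


def b64url(data: bytes) -> str:
    """base64url without padding, as used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    issued_challenge: bytes) -> list:
    """Return the reasons to reject an assertion (empty list = checks pass).

    The signature over authenticatorData || SHA-256(clientDataJSON) must also
    be verified with the registered public key; that step is omitted here.
    """
    problems = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client_data.get("challenge") != b64url(issued_challenge):
        problems.append("challenge mismatch")
    # The browser, not the page, records the origin the user is actually on.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    # Bytes 0..31 of authenticatorData are SHA-256 of the RP ID the key signed for.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    # Byte 32 holds the flags; bit 0 is "user present".
    if len(authenticator_data) < 37 or not authenticator_data[32] & 0x01:
        problems.append("user presence flag not set")
    return problems


def build_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and key would produce on `origin`."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return cdj, auth_data


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    clone = "accounts.example.com.login-check.invalid"  # constructed look-alike host
    print(check_assertion(*build_sample(EXPECTED_ORIGIN, EXPECTED_RP_ID, challenge), challenge))
    print(check_assertion(*build_sample("https://" + clone, clone, challenge), challenge))
```

A password or one-time code typed into the clone is valid wherever it is replayed, whereas the assertion carries the look-alike origin and is rejected by the real server.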