
UNC1151 Ghostwriter phishing campaign targets Belarus, Ukraine and Polish elites

Incident | Open | Jun 19, 2026 — Jul 1, 2026

The Ghostwriter threat actor, tracked as UNC1151, has launched a spear‑phishing operation that impersonates Gmail security alerts to steal credentials from Belarusian politicians, Ukrainian web‑portal administrators and Polish senior officials. The campaign began in mid‑June 2026 and remained active through early July, using fraudulent emails that claim a sign‑in attempt was blocked and urging recipients to verify their accounts. By directing victims to a look‑alike Google login page hosted on a compromised Ukrainian domain, the attackers harvest usernames and passwords in real time, effectively sidestepping multi‑factor protection. Censys researchers first documented the activity.

The malicious messages contain a link that appears to lead to Google’s account‑recovery page but actually redirects to a server delivering a cloned login interface. This replica page captures the entered credentials and immediately forwards them to the attacker’s backend, allowing the session to be hijacked before a second‑factor code can be entered. Infrastructure analysis shows the fraudulent sites are hosted on legitimate content delivery networks, which helps the malicious traffic blend with normal web traffic and complicates detection. SecurityOnline detailed the technical flow.

Observers note that the actors frequently rotate the domains used for the phishing pages, often registering new subdomains under compromised Ukrainian sites or abusing trusted cloud services to avoid blocklists. Each wave of emails is sent in bursts, with slight variations in the subject line and sender address to evade signature‑based filters. The use of trusted CDN endpoints means that traditional URL‑reputation tools may initially rate the links as benign, giving the campaign a longer window of effectiveness. CERT Polska highlighted these tactics.

CERT Polska’s advisory, released in late June 2026, links the activity to the Belarus‑associated Ghostwriter group and warns that the operation has been underway since at least March of this year, focusing on high‑value targets such as government officials, journalists and civil‑society leaders. The agency reports that the attackers seek not only passwords but also address books, stored documents and any data synchronized with the compromised Gmail accounts. The persistent nature of the campaign suggests a strategic intelligence‑gathering motive rather than opportunistic crime. The full CERT Polska notice is available here.

Because the phishing pages mimic a trusted service and are served through reputable delivery networks, traditional email gateways and web proxies may fail to flag the malicious links, allowing thousands of attempts to reach user inboxes. Successful compromise of elite accounts could provide adversaries with direct access to diplomatic correspondence, policy drafts and personal communications, thereby supporting espionage or influence operations.

The campaign’s focus on NATO‑adjacent states underscores its alignment with broader geopolitical interests. No CVE identifiers are associated with this activity, as the abuse relies on social engineering rather than software vulnerabilities.

Defenders should advise users to never follow links in unsolicited security alerts and instead navigate to Gmail by typing the address manually or using a trusted bookmark. Enforcing phishing‑resistant multi‑factor authentication such as hardware security keys can prevent session hijacking even if credentials are stolen. Organizations should monitor DNS queries for requests to newly registered or atypical domains, block traffic to known malicious CDN paths and run regular awareness training that emphasizes checking the sender’s address and the exact URL before entering any password.
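One way to apply the "check the exact URL" advice to web-proxy logs, as an added example that is not code from Censys, CERT Polska or the original briefing: it flags URLs that carry Google sign-in branding but resolve to a host outside Google's own domains. The allowlist, brand tokens, log layout and sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: origins this organization accepts as genuine Google sign-in hosts.
GENUINE_SUFFIXES = ("google.com", "gmail.com")
# Assumption: brand strings a cloned Google login URL carries in host or path.
BRAND_TOKENS = ("google", "gmail", "servicelogin")

# Constructed proxy log lines (timestamp, user, URL); not data from the campaign.
SAMPLE_LOG = """\
2026-06-20T08:01:12Z alice https://accounts.google.com/signin/v2/identifier
2026-06-20T08:03:40Z bob https://accounts.google.com.portal.example/signin/v2/identifier
2026-06-20T08:05:02Z carol https://cdn.example.net/assets/gmail/ServiceLogin.html
2026-06-20T08:07:55Z dave https://news.example.org/politics/article-17
2026-06-20T08:09:31Z erin https://mail.google.com/mail/u/0/
"""

def is_genuine(host):
    """True only when host is an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GENUINE_SUFFIXES)

def lookalike_reasons(url):
    """Return the reasons a URL imitates Google sign-in from a foreign host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host or is_genuine(host):
        return []
    reasons = []
    if any(t in host for t in BRAND_TOKENS):
        reasons.append("brand string in hostname of non-Google domain")
    if any(t in parts.path.lower() for t in BRAND_TOKENS):
        reasons.append("brand string in path of non-Google domain")
    return reasons

def scan(log_text):
    """Return (user, url, reasons) for every log line that looks like a clone."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than guess at their layout
        _, user, url = fields
        reasons = lookalike_reasons(url)
        if reasons:
            hits.append((user, url, reasons))
    return hits

if __name__ == "__main__":
    for user, url, reasons in scan(SAMPLE_LOG):
        print(f"{user}: {url} -> {'; '.join(reasons)}")
```

The match is on the end of the hostname, so a genuine-looking prefix placed in front of another domain is still flagged, while a brand string served from a shared CDN host is caught through the path check.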

Intelligence briefing updated Jul 1, 2026

Root source: censys.com