CERT Polska: UNC1151/Ghostwriter shifts to Gmail with real-time 2FA-relay phishing against officials and public administration
CERT Polska (NASK) reports that UNC1151/Ghostwriter — the Belarus-linked cluster that for years phished Polish-provider webmail (Onet, WP, Interia) — has since March 2026 shifted at high, near-daily intensity to Gmail accounts, with new phishing domains appearing almost daily (CERT Polska, 2026-07-08). The lure imitates a Gmail security/administrator notice ("suspicious activity", "account may be blocked") written in error-free Polish and sent from purpose-created Gmail accounts or compromised mailboxes with a spoofed display name, frequently via BCC to obscure the target list. Targeting is broad — political and public-life figures, senior officials, researchers, journalists, public-administration and law-enforcement staff, and their family and social contacts — with some campaigns narrowed to specific professional groups such as translators and court experts.
The core technical escalation over prior campaigns is a real-time second-factor relay: after harvesting the password, the fake login panel displays a second form requesting the TOTP/SMS code, which the operators feed into an automated login against the real account, defeating both app-based (Google Authenticator) and SMS-based factors (CERT Polska, 2026-07-08). Infrastructure mixes dedicated phishing domains on .icu/.digital/.top TLDs with abuse of *.netlify.app subdomains, plus fake panels planted on compromised Polish websites whose main pages are left untouched to avoid tipping off the site owner. The initial lure maps to T1566.002 Phishing: Spearphishing Link; the live-relay capture is best described qualitatively (CERT Polska does not name specific AitM tooling).
Since March 2026, however, the group has been running phishing campaigns targeting Gmail users. These campaigns are carried out with high intensity, mainly on weekdays. Notably, they enable the theft of two-factor authentication (2FA) credentials.
If a second factor is required, the phishing page displays an additional form requesting the code. This allows attackers to capture both SMS-based codes and those generated by applications such as Google Authenticator.
Defender actions
- Enforce FIDO2/WebAuthn hardware-bound second factors for any staff whose Google/Gmail identity intersects public-administration, law-enforcement or watchlisted-profession status — real-time relay defeats TOTP and SMS OTP.
- Hunt mail-gateway logs for Gmail-lookalike sender display names on newly-registered .icu/.digital/.top domains and *.netlify.app subdomains; alert on a login to a user's account from an unfamiliar ASN occurring seconds after that user visits a flagged phishing URL.
Sources
Entities & scope
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.