In a recent development within the cybersecurity landscape, the hacking group known as Ghostwriter has intensified its focus on attacking Gmail users. This campaign involves sending deceptive emails that mimic official Google security alerts, aiming to harvest user credentials and bypass two-factor authentication (2FA).
Targeted Phishing Campaigns
The Ghostwriter group, also identified as UNC1151, has a history of targeting Polish email users and, since March 2026, has focused its attention on Gmail accounts. The attacks are sent mainly on weekdays, with new phishing domains appearing frequently. The operation concentrates on individuals in influential roles, such as politicians, researchers, and journalists.
Analysts from CERT Polska have documented these activities in detail. Their reports indicate that the group casts a wide net, often guessing email addresses to extend its reach, so phishing messages occasionally land in unrelated inboxes.
Phishing Tactics and Techniques
Ghostwriter’s emails are crafted to resemble authentic Gmail administrator communications, often sent from specially created or compromised accounts with convincing Polish-language content. The messages typically warn of suspicious account activity, urging recipients to respond promptly to avoid account suspension or deletion.
Once a recipient clicks the link in one of these emails, they are directed to a fraudulent website that imitates the Gmail login interface. The site captures the user’s login credentials and, where 2FA is enabled, prompts for the one-time code as well, so the attackers obtain the code from SMS or an authenticator app while it is still valid.
Infrastructure and Preventative Measures
The infrastructure supporting these phishing efforts includes domains registered under extensions such as .icu, .digital, and .top, alongside subdomains hosted on platforms such as Netlify. Ghostwriter also uses compromised Polish websites to host fake login panels, leaving the original site’s appearance intact so that the compromise goes unnoticed.
CERT.PL advises users to be wary of emails threatening account suspension or deletion. Such messages should be treated as suspicious, and users are encouraged to verify the communication by navigating to the service’s website directly in their browser rather than following the link in the email.
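The indicators described above (a Google-branded sender, links on .icu/.digital/.top domains or Netlify-hosted subdomains, and suspension/deletion urgency wording) can be turned into a simple mail-triage heuristic. The script below is an added example written for this article, not tooling from CERT Polska or the article’s author; the two sample messages and every domain name in them are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Indicators drawn from the article: TLDs seen in the campaign's phishing domains,
# the hosting platform named, and the urgency wording the lures rely on.
SUSPICIOUS_TLDS = {"icu", "digital", "top"}
FREE_HOSTING_SUFFIXES = ("netlify.app",)
URGENCY_TERMS = ("suspend", "delet", "zawiesz", "usuni")  # English and Polish word stems
LEGIT_GOOGLE_SUFFIXES = ("google.com", "gmail.com")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_google_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in LEGIT_GOOGLE_SUFFIXES)


def score_email(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for a single-part RFC 822 message (multipart is not handled here)."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    from_hdr = msg.get("From", "").lower()
    claims_google = "google" in from_hdr or "gmail" in from_hdr
    reasons = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        tld = host.rsplit(".", 1)[-1]
        if claims_google and not is_google_host(host):
            reasons.append(f"Google-branded sender links to non-Google host {host}")
        if tld in SUSPICIOUS_TLDS:
            reasons.append(f"link host uses TLD .{tld}")
        if host.endswith(FREE_HOSTING_SUFFIXES):
            reasons.append(f"link hosted on free platform {host}")
    if any(term in text for term in URGENCY_TERMS):
        reasons.append("account suspension/deletion urgency language")
    return len(reasons), reasons


# Constructed sample messages (hypothetical domains, not real campaign artifacts).
SAMPLE_PHISH = """From: Gmail Security <alerts@mail-google-secure.icu>
Subject: Ostrzezenie: Twoje konto zostanie zawieszone
Content-Type: text/plain

Wykryto podejrzana aktywnosc. Potwierdz tozsamosc w ciagu 24h:
https://accounts-google-verify.icu/login
"""
SAMPLE_LEGIT = """From: Colleague <anna@example.org>
Subject: Meeting notes
Content-Type: text/plain

Notes are here: https://docs.google.com/document/d/abc
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(score_email(sample))
```

A score of zero means none of the article’s indicators fired; any non-zero score lists which ones did, which is the information an analyst needs to decide whether to quarantine the message.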
In conclusion, the Ghostwriter campaign highlights the persistent threat posed by well-crafted phishing. Users are urged to stay vigilant and adopt robust security practices to safeguard their personal and professional data against these evolving threats.
