TheCyberExpress

UNC1151 Gmail Phishing Campaign Targets 2FA Credentials


The UNC1151 Gmail phishing campaign has emerged as a cyber threat targeting Polish internet users, with attackers now focusing on Gmail accounts and deploying phishing pages capable of stealing both passwords and two-factor authentication (2FA) credentials. According to researchers at CERT Polska, the campaign marks a notable evolution in the tactics of the Ghostwriter-linked threat group, which has spent years targeting email users across Poland.

Also tracked as Ghostwriter and Storm-0257, UNC1151 has been linked by cybersecurity researchers to Belarusian state intelligence services and has remained active against Polish targets since Russia’s full-scale invasion of Ukraine.

UNC1151 Gmail Phishing Campaign Expands Target Scope

For years, UNC1151 primarily targeted users of popular Polish email providers including Onet, Wirtualna Polska, and Interia. Since March 2026, however, the group has shifted its attention to Gmail users, launching high-volume phishing operations that run almost daily during weekdays.

CERT Polska researchers said the attackers target a wide range of individuals, including politicians, public officials, researchers, journalists, law enforcement personnel, government employees, and people connected to them through professional, family, or social relationships.

Image: UNC1151 Gmail Phishing Campaign (Image Source: CERT Polska)

The group also conducts campaigns against specific professional sectors and geographic regions. In some cases, phishing emails are sent to unintended recipients because attackers attempt to guess email addresses based on names and affiliations.

How the UNC1151 Gmail Phishing Campaign Works

The UNC1151 Gmail phishing campaign relies on fraudulent emails designed to resemble official Gmail security notifications. The messages often warn recipients about suspicious account activity, unauthorized login attempts, or alleged violations of service policies.


Victims are urged to act quickly to avoid account suspension or permanent deletion.

The emails are typically sent from Gmail accounts created specifically for phishing operations, although attackers occasionally use compromised accounts to increase credibility. Common subject lines include warnings about security alerts, suspicious activity, and account verification requirements.

Embedded links direct recipients to fake Gmail login pages that closely imitate Google’s legitimate authentication portal. Once users enter their credentials, attackers capture both usernames and passwords.

2FA Credential Theft Marks Key Evolution

One of the most concerning developments in the campaign is its ability to harvest two-factor authentication (2FA) credentials in addition to passwords.

Unlike earlier phishing campaigns targeting Polish email services, the latest operation includes additional prompts requesting verification codes after login credentials have been entered. If a victim’s account is protected by 2FA, the phishing page automatically displays a form requesting the authentication code.

This enables attackers to steal both SMS-based verification codes and codes generated through applications such as Google Authenticator.

Researchers noted that attackers frequently continue targeting the same victims even after unsuccessful login attempts. Multiple phishing emails may be delivered within days to increase pressure and improve the chances of credential theft.

Image: UNC1151 Gmail Phishing Campaign (Source: CERT Polska)

Ghostwriter Phishing Infrastructure Continues to Evolve

The campaign relies on a constantly changing phishing infrastructure.

According to CERT Polska, operators use domains registered specifically for phishing activities, often leveraging top-level domains such as .icu, .digital, and .top. The group also abuses hosting platforms such as Netlify by creating deceptive subdomains that imitate account verification services.

Examples of domains observed in the campaign include mailverify.digital, verify-check.digital, monitoring-google-konta.netlify.app, and service-auth.netlify.app.

In addition, attackers host fake login panels on compromised websites belonging to legitimate organizations. Rather than replacing the main website, the phishing content is hidden within the compromised infrastructure, allowing attacks to remain undetected for extended periods.
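As an added defensive example (not code from CERT Polska or from this article), the following Python triage helper scores links found in an email body against the infrastructure traits described above: the observed .icu/.digital/.top TLDs, the free-subdomain hosting pattern, and brand or verification words in the hostname or path, which also catches a panel hidden on a compromised legitimate site. The keyword lists, the allow-list and the sample email body are constructed assumptions, not part of the report.

```python
import re
from urllib.parse import urlparse
# Infrastructure traits named in the CERT Polska reporting on this campaign.
SUSPICIOUS_TLDS = {"icu", "digital", "top"}
ABUSED_HOSTING = ("netlify.app",)
# Words the lookalike hostnames imitate ("konta" is Polish for "account(s)"); assumed list.
LURE_WORDS = ("google", "gmail", "verify", "auth", "konta", "monitoring", "check", "service")
BRAND_WORDS = ("google", "gmail")
LOGIN_WORDS = ("login", "signin", "verify", "auth")
# Hosts allowed to show a Google sign-in prompt (assumption: a defender-maintained allow-list).
LEGIT_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def score_url(url):
    """Return (score, reasons) for one URL; a score of 2 or more is treated as a lookalike."""
    parts = urlparse(url)
    host, path = (parts.hostname or "").lower(), parts.path.lower()
    if not host or _under(host, LEGIT_SUFFIXES):
        return 0, []                                # real Google hosts are never flagged
    reasons = []
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append("tld:." + tld)
    if _under(host, ABUSED_HOSTING):
        reasons.append("hosting:free-subdomain")
    host_hits = [w for w in LURE_WORDS if w in host]
    if host_hits:
        reasons.append("host-words:" + ",".join(host_hits))
    if any(w in host for w in BRAND_WORDS):
        reasons.append("brand-in-host")             # google/gmail outside Google's own domains
    if any(w in path for w in BRAND_WORDS):
        reasons.append("brand-in-path")             # panel hidden on a compromised legitimate site
    if any(w in path for w in LOGIN_WORDS):
        reasons.append("login-in-path")
    return len(reasons), reasons

def flag_links(email_body):
    """Extract URLs from an email body and return the ones that score as lookalikes."""
    return [(u, s[1]) for u in URL_RE.findall(email_body) if (s := score_url(u))[0] >= 2]
# Constructed sample lure for a stand-alone run; the hostnames are the ones named in the report.
SAMPLE_EMAIL = """Security alert: unusual sign-in detected. Verify now: https://verify-check.digital/login
Or review your account here: https://monitoring-google-konta.netlify.app/verify
Manage your settings: https://accounts.google.com/security
Read our newsletter: https://my-blog.netlify.app/posts/2026"""

if __name__ == "__main__":
    for url, why in flag_links(SAMPLE_EMAIL):
        print(url, "->", ", ".join(why))
```

The threshold of two independent traits keeps an ordinary Netlify-hosted blog or a news article that merely mentions Gmail below the flag line; tune the word lists to the brands your organisation actually uses.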

Gmail Phishing Attacks Signal Broader Threat

Security researchers warn that the increase in Gmail phishing attacks demonstrates UNC1151’s continued ability to adapt its tactics while maintaining its long-standing objective of gaining access to email accounts.

Once access is obtained, attackers search for sensitive documents, contact lists, and linked services, including social media accounts that can be further compromised. Stolen contacts may also be used to identify additional targets for future phishing campaigns.

Although the group’s recent focus has shifted toward Gmail, researchers caution that attacks against users of Polish email providers have not disappeared entirely.

The findings highlight the growing sophistication of state-linked phishing operations and reinforce the importance of scrutinizing login requests, verifying website domains, and protecting accounts with strong authentication practices.

As the UNC1151 Gmail phishing campaign continues to evolve, cybersecurity experts expect further adaptations designed to bypass defenses and increase the success rate of credential theft operations.


