Full Report
Recently, we have been observing attacks by the UNC1151/Ghostwriter group targeting Gmail accounts. This group has been regularly attacking the mailboxes of Polish citizens for several years, although in the past these attacks focused on other email providers. The techniques used evolve over time, but the core theme of the messages and their objective remain unchanged.
Analysis Summary
# Threat Actor: UNC1151 / Ghostwriter
## Attribution & Identity
- **Name/Alias:** UNC1151, Ghostwriter.
- **Identification:** Identified as an Advanced Persistent Threat (APT) group.
- **Associations:** Historically associated with information operations and credential harvesting campaigns targeting Eastern Europe, specifically Poland.
## Activity Summary
UNC1151 has been consistently targeting Polish citizens for several years. While historically focused on local Polish email providers (Onet, WP, Interia), since **March 2026**, the group has shifted its focus heavily toward **Gmail accounts**. These campaigns are high-intensity, typically occurring on weekdays, and utilize fraudulent security alerts to steal credentials and bypass two-factor authentication (2FA).
## Tactics, Techniques & Procedures
- **Phishing (Spearphishing):** Sending fraudulent emails imitating Gmail administrator communications (e.g., "Critical alert," "New device login detected").
- **Social Engineering:** Using high-pressure tactics like threats of account suspension or permanent deletion to compel user action.
- **Credential Harvesting:** Specifically designed fake login panels to capture both passwords and **2FA tokens**.
- **BCC Distribution:** Use of the Blind Carbon Copy (BCC) mechanism to deliver phishing emails to multiple targets simultaneously while hiding other recipients.
- **Compromised Account Usage:** Utilizing previously compromised accounts with modified display names to send phishing lures, increasing legitimacy.
- **Infrastructure Diversification:** Using a mix of dedicated domains, subdomains on free hosting platforms, and compromised legitimate websites.
## Targeting
- **Sectors:** Political and public life, public administration, law enforcement, academia (researchers), media (journalists), and professional services (translators, court experts).
- **Geography:** Primarily Poland.
- **Victims:** High-profile individuals, their family members, and social associates. Occasionally, unrelated individuals are targeted due to name-guessing or similar email addresses.
## Tools & Infrastructure
- **Phishing Domains (Defanged):**
  - mailverify[.]digital
  - check-mail-verify[.]biz
  - verify-check[.]digital
- **Service Abuse (Defanged):**
  - monitoring-google-konta[.]netlify[.]app
  - konta-24weryfikacja[.]netlify[.]app
  - service-auth[.]netlify[.]app
- **Techniques:** Exploiting vulnerabilities in Polish websites to host phishing panels on them, leaving the main page content untouched so that the compromise is not noticed.
- **TLDs Used:** `.icu`, `.digital`, `.top`.
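The TTPs and infrastructure listed above (modified display names, BCC-only delivery, urgency lures, lookalike and netlify.app hosts) can be turned into simple mailbox triage heuristics. The following is an added example, not code from the report or from CERT Polska; the indicator hosts are the report's defanged domains re-fanged, the sample message and recipient address are constructed, and the eTLD+1 helper is a deliberately crude stand-in for a public-suffix library.

```python
"""Triage heuristics for UNC1151-style Gmail lures (added example; sample mail is constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_BAD_HOSTS = {  # indicators from the report's Tools & Infrastructure section, re-fanged
    "mailverify.digital", "check-mail-verify.biz", "verify-check.digital",
    "monitoring-google-konta.netlify.app", "konta-24weryfikacja.netlify.app",
    "service-auth.netlify.app",
}
URGENCY = re.compile(r"critical alert|suspend|delet|new device", re.I)  # "Sense of Urgency" lures
URL_RE = re.compile(r"https?://\S+")

def registrable(host):
    """Crude eTLD+1 (assumption: two labels); enough to separate google.com from *.netlify.app."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw, my_address):
    """Return the heuristics a raw single-part RFC 5322 message triggers, in a fixed order."""
    msg = message_from_string(raw)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    # Compromised account relabelled to look like Google (modified display name).
    if re.search(r"google|gmail", display, re.I) and registrable(addr.rsplit("@", 1)[-1]) != "google.com":
        hits.append("brand-in-display-name")
    # BCC distribution: the mailbox owner appears in neither To nor Cc.
    if my_address.lower() not in (msg.get("To", "") + "," + msg.get("Cc", "")).lower():
        hits.append("bcc-delivery")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        hits.append("urgency-lure")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host in KNOWN_BAD_HOSTS:
            hits.append("known-indicator:" + host)
        elif registrable(host) != "google.com" and re.search(r"google|gmail|konta|verif", host, re.I):
            hits.append("lookalike-host:" + host)  # brand words on a non-Google registrable domain
    return hits

SAMPLE = """\
From: "Gmail Security Team" <biuro@example-compromised.pl>
To: undisclosed-recipients:;
Subject: Critical alert: new device login detected

Your account will be permanently deleted unless you confirm here:
https://monitoring-google-konta.netlify.app/login
"""
```

`triage(SAMPLE, "victim@example.com")` flags all four heuristics for the constructed lure, while a genuine notice sent to the owner from an `accounts.google.com` address linking to `myaccount.google.com` produces no hits.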
## Implications
The shift toward Gmail suggests the actor is following targets who have migrated away from local providers to global platforms. The primary objective is **intelligence collection**: searching compromised mailboxes for contact lists to identify further targets, sensitive documents, and access to linked social media accounts for potential follow-on information operations.
## Mitigations
- **Domain Verification:** Carefully inspect the URL in the address bar; UNC1151 depends on users not noticing the incorrect domain (e.g., netlify.app instead of google.com).
- **Hardware Security Keys:** Use physical security keys (U2F/FIDO2), which are more resilient against the real-time 2FA interception techniques used by this group.
- **Security Awareness:** Training for high-risk individuals regarding the "Sense of Urgency" tactic used in phishing lures.
- **Incident Reporting:** Reporting suspicious messages to national CSIRTs (e.g., CERT Polska).