PROBABLYPWNED
Threat Intelligence · June 17, 2026 · 3 min read

Belarus-Linked Ghostwriter Targets Polish Officials via Gmail

UNC1151 phishing campaign steals 2FA codes using fake Google security alerts. CERT Polska reports new domains appearing daily as attackers target government officials and their families.

Alex Kowalski

Poland's national CERT issued a warning about an intensifying phishing campaign by Ghostwriter, a threat actor linked to Belarus, that has shifted focus to personal Gmail accounts of senior government officials and their families. The operation marks a tactical pivot from targeting institutional email to personal accounts that often lack enterprise security controls.

New phishing domains have been appearing almost daily since March, according to CERT Polska.

Campaign Targets and Tactics

The operation—tracked as UNC1151 by Mandiant—has historically focused on compromising work accounts hosted by Polish email providers. Since March 2026 the group has shifted entirely to Gmail accounts, running high-intensity campaigns primarily on weekdays.

Targets include individuals in political and public life: government officials, researchers, journalists, public administration employees, and law enforcement personnel. The attackers also pursue family members and social contacts of primary targets, likely seeking secondary access paths or leverage for social engineering.

The phishing messages impersonate official Gmail administrator communications, claiming suspicious activity, unauthorized login attempts, or service term violations. The language creates urgency, with some campaigns sending multiple rapid-succession emails to the same target with decreasing response deadlines.

2FA Credential Theft

What distinguishes this campaign is its ability to capture two-factor authentication codes. The fake login pages harvest not just passwords but also SMS verification codes and authenticator app outputs in real time, relaying them to the genuine login flow so the attacker can complete the sign-in before the code expires.

This technique—sometimes called real-time phishing or adversary-in-the-middle phishing—has become standard among sophisticated threat actors. We've seen similar approaches in other nation-state campaigns targeting high-value accounts.

Infrastructure and IOCs

Ghostwriter's phishing infrastructure relies on a mix of dedicated malicious domains and abused legitimate services. CERT Polska's advisory identified common patterns:

Domain TLDs frequently used:

  • .icu
  • .digital
  • .biz
  • .top

Legitimate service abuse:

  • Netlify subdomains (*.netlify.app)
  • Compromised Polish organization websites hosting fake login panels

Example malicious domains:

  • mailverify[.]digital
  • check-mail-verify[.]biz
  • verify-check[.]digital
  • monitoring-google-konta[.]netlify.app
  • konta-24weryfikacja[.]netlify.app

The attackers distribute phishing messages using both newly created accounts and compromised email accounts as senders, making source-based filtering difficult.
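As an added example (not code from CERT Polska, Google or this article), the following Python triage check applies the patterns above to the links in a message body: it flags known example domains, lure wording on the TLDs the advisory calls out, and lure wording in Netlify subdomains. The sample message, the lure-word list and the reason labels are constructed assumptions for illustration.

```python
import re

# Patterns summarised from the CERT Polska advisory (constructed triage logic, not a CERT tool).
SUSPICIOUS_TLDS = {"icu", "digital", "biz", "top"}
KNOWN_BAD_DOMAINS = {
    "mailverify.digital", "check-mail-verify.biz", "verify-check.digital",
    "monitoring-google-konta.netlify.app", "konta-24weryfikacja.netlify.app",
}
# Lure vocabulary seen in the example domains (English and Polish); an assumed list.
LURE_WORDS = ("verify", "weryfikacja", "konta", "google", "mail", "check")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOST_RE = re.compile(r"^https?://([^/?#:]+)")

def refang(text):
    """Undo the [.] / hxxp defanging used in advisories so hosts parse normally."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def classify_domain(domain):
    """Return the reasons (possibly none) a host resembles Ghostwriter infrastructure."""
    host = refang(domain).lower().rstrip(".")
    labels = host.split(".")
    reasons = []
    if host in KNOWN_BAD_DOMAINS:
        reasons.append("known-ioc")
    # Lure wording on one of the TLDs the advisory calls out.
    if labels[-1] in SUSPICIOUS_TLDS and any(w in host for w in LURE_WORDS):
        reasons.append("lure-word-on-suspicious-tld")
    # Lure wording in a free Netlify subdomain, the abused legitimate service.
    if host.endswith(".netlify.app") and any(w in labels[0] for w in LURE_WORDS):
        reasons.append("lure-word-on-netlify-subdomain")
    return reasons

def scan_message(body):
    """Map each flagged URL in an email body to its list of reasons."""
    hits = {}
    for url in URL_RE.findall(refang(body)):
        url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        match = HOST_RE.match(url)
        reasons = classify_domain(match.group(1)) if match else []
        if reasons:
            hits[url] = reasons
    return hits

# Constructed sample lure, modelled on the urgency wording described in the article.
SAMPLE_BODY = """Google Account Team: unusual sign-in detected on your account.
Confirm your identity within 24 hours: https://verify-check[.]digital/login
Review the activity: https://monitoring-google-konta.netlify.app/alert.
Manage settings: https://myaccount.google.com/security
"""
```

Running `scan_message(SAMPLE_BODY)` returns the two lure links with their reasons and leaves the genuine Google link unflagged; the heuristics are for triage, not a verdict, and the lure-word match should be reviewed by an analyst.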

Attribution and Context

UNC1151/Ghostwriter has been linked to Belarusian intelligence services. The group gained prominence during the 2020 Belarusian protests and has since maintained focus on Polish targets, likely reflecting geopolitical tensions between the two countries.

The shift to personal Gmail accounts may indicate that enterprise security improvements have made institutional targets harder to compromise. Personal accounts typically lack advanced threat protection, security key requirements, and monitoring that would trigger alerts on suspicious logins.

Defensive Recommendations

For potential targets:

  1. Enable hardware security keys as your second factor—they resist real-time phishing attacks that SMS and authenticator apps cannot
  2. Verify sender domains carefully before clicking any links, especially those claiming account issues
  3. Access Gmail directly by typing the URL rather than following email links
  4. Report suspicious messages to incydent.cert.pl and Google's abuse reporting

Organizations with personnel in targeted categories should consider enrolling high-risk users in Google's Advanced Protection Program, which requires hardware keys and applies additional verification to sensitive actions.

The persistence of Ghostwriter's operations—running for months with daily domain registration—suggests well-resourced infrastructure and ongoing operational commitment. Polish officials and those connected to them should assume they remain active targets.
