UNC1151/Ghostwriter phishing campaign targeting Gmail accounts
The UNC1151/Ghostwriter group has been conducting targeted phishing campaigns against the Gmail accounts of Polish citizens since March 2026. The campaigns focus on individuals in political, public, research, journalistic, administrative, and law enforcement roles. Attackers send fraudulent emails impersonating Gmail administrators, claiming suspicious activity or policy violations to coerce victims into "verifying" their accounts. The phishing infrastructure captures both login credentials and two-factor authentication codes via fake login panels hosted on dedicated domains, Netlify subdomains, and compromised websites. The campaigns operate mainly on weekdays, with new phishing domains appearing almost daily, showing persistent targeting of Polish users.
AI Analysis
Technical Summary
Since March 2026, the UNC1151/Ghostwriter threat actor has been running high-intensity phishing campaigns targeting Gmail accounts of Polish citizens, especially those in sensitive or prominent roles. The attackers impersonate Gmail administrators in emails to pressure victims into account verification, capturing credentials and 2FA codes through fake login pages hosted on various domains and compromised sites. The campaign demonstrates a sustained operational tempo with frequent domain changes and weekday activity. This phishing effort aims to bypass two-factor authentication and steal credentials, leveraging social engineering and infrastructure diversity to evade detection.
Potential Impact
The campaign enables credential theft including two-factor authentication codes, potentially allowing attackers to gain unauthorized access to targeted Gmail accounts. This compromises the confidentiality and integrity of email communications for high-profile Polish individuals in political, public, research, journalistic, administrative, and law enforcement sectors. The persistent and targeted nature of the campaign increases the risk of successful account compromise and subsequent misuse of sensitive information.
Mitigation Recommendations
No official patch or fix applies, as this is a phishing campaign. Defenders should educate targeted users about phishing tactics, especially emails impersonating Gmail administrators that request account verification. Users should verify URLs before entering credentials and, where possible, use additional security measures such as hardware security keys, which, unlike one-time codes, cannot be relayed through a fake login page. Monitoring and blocking the identified phishing domains (mailverify.digital, check-mail-verify.biz, verify-check.digital) and related infrastructure can help reduce exposure. Since this is a social engineering attack, user awareness and cautious handling of suspicious emails are critical.
Affected Countries
Poland
Indicators of Compromise
- domain: mailverify.digital
- domain: check-mail-verify.biz
- domain: verify-check.digital
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cert.pl/en/posts/2026/06/UNC1151-gmail-campaign/
- Adversary: Ghostwriter
- Pulse Id: 6a2c3a96a7d09d029d6f4a35
- Threat Score: null
Threat ID: 6a3048390b89be68887502eb
Added to database: 6/15/2026, 6:45:13 PM
Last enriched: 6/15/2026, 7:00:14 PM
Last updated: 6/16/2026, 6:30:18 AM