UNC1151/Ghostwriter phishing campaign targeting Gmail accounts
ID: 39660f9d-bf2f-58c3-8be3-86983544373a
STIX ID: report--39660f9d-bf2f-58c3-8be3-86983544373a
Feed Name: CERT Polska
UNC1151 (Ghostwriter) has been running high-volume, Polish-language phishing campaigns since March 2026 targeting Gmail users to harvest email credentials and two-factor authentication codes; attackers use convincing administrative lures, dynamic dedicated domains (.digital, .biz, .icu, .top), abused Netlify subdomains, and compromised Polish sites. Targets include political and public figures, journalists, researchers, and public administration contacts, with repeated follow-up messages and non-unique phishing links used to pressure victims; the report provides example sender addresses, sample phishing domains, and a stepwise credential/2FA capture flow.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
