logo

Belarus-Linked UNC1151 Launches Gmail Phishing Campaign to Steal 2FA Codes

ID: 3ace23dc-f270-51d2-aaff-764146596481

STIX ID: report--3ace23dc-f270-51d2-aaff-764146596481

Feed Name: The Cyber Express

Threat Score
85/100

Date Published: 2026-06-16

Date Updated: 2026-06-16

Author: Samiksha Jain

...
...

CERT Polska reports that UNC1151 (Ghostwriter), a Belarus-linked APT, has shifted from targeting Polish webmail providers to a high-volume Gmail phishing campaign that actively harvests passwords and two-factor authentication codes via convincing fake Gmail login pages, deceptive domains (e.g., .digital, .icu, Netlify subdomains) and compromised sites, targeting politicians, officials, journalists, researchers and their contacts.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.