UNC1151 Ghostwriter Hackers Target Belarusian Politician in Gmail Phishing Campaign
UNC1151, the hacking group widely associated with the Ghostwriter influence campaign, has been linked to a targeted Gmail phishing attempt against Belarusian opposition politician Yuras Hubarevich. The attack used a fake Google security warning to push him toward a credential-harvesting page.
The campaign shows how state-aligned threat actors continue to use simple phishing lures against political figures, civil society targets and regional webmail users. Researchers said the attack was not isolated, but part of a wider phishing infrastructure aimed at users in Belarus and Ukraine.
Hubarevich is a Belarusian opposition politician and leader of the For Freedom movement. The Associated Press reported that Belarusian election officials rejected his attempt to register an initiative group for the 2025 presidential election, which he described as proof that no real opponent of Alexander Lukashenko would be allowed to run.
Why UNC1151 Remains a Political Cyber Threat
UNC1151 has a long history of credential theft and influence operations across Eastern Europe. Mandiant assessed in 2021 that UNC1151 was linked to the Belarusian government and that Ghostwriter operations aligned with Belarusian government interests.
The same report said the group had targeted Ukraine, Lithuania, Latvia, Poland and Germany, along with Belarusian dissidents, media organizations and journalists. That pattern helps explain why a Belarusian pro-democracy politician would fit the group’s long-running target profile.
The European Union also condemned Ghostwriter activity in 2021. In an official Council of the EU declaration, member states said Ghostwriter-linked activity had targeted parliamentarians, officials, politicians, journalists and civil society figures by stealing data from accounts and systems.
| Campaign element | Reported detail | Why it matters |
|---|---|---|
| Target | Belarusian opposition politician Yuras Hubarevich | Matches UNC1151’s history of targeting Belarusian opposition and regional political figures |
| Lure | Fake Google account security warning in Russian | Uses urgency and account-access fear to push the victim into action |
| Redirect | Compromised Ukrainian site leading to a fake Google login page | Helps hide attacker infrastructure behind legitimate-looking web traffic |
| Collection method | Real-time credential capture through a live connection | Can threaten users who rely on SMS or one-time passwords |
How the Gmail Phishing Attempt Worked
The phishing email was written in Russian and warned Hubarevich about suspicious Google account activity. The message urged him to verify his account, a common tactic that pushes victims to act before checking the sender or URL.
When clicked, the link first led to a compromised Ukrainian website. It then redirected the target to a fake Google login page that copied the look and feel of a real account verification flow.
Google’s own account recovery guidance says users should review recent security events and devices directly from their Google Account when they suspect unfamiliar activity. That step avoids trusting links in unexpected warning emails.
Real-Time Phishing Can Defeat Weak MFA
The reported phishing page used a background connection to send anything typed into the fake login form back to the operators in real time. That kind of setup can let attackers capture passwords and one-time codes quickly enough to try account access before the code expires.
This is why SMS codes and app-generated one-time codes offer less protection against real-time phishing than phishing-resistant authenticators such as FIDO2 security keys and passkeys. A one-time code is a short secret that a user can be tricked into typing into a fake page, and the attacker only has to replay it within its validity window. A FIDO credential is bound to the domain that registered it, and the browser, not the user, supplies the page origin during sign-in, so a look-alike domain cannot obtain a response the real service will accept.
Google recommends security keys as a stronger form of two-step verification. Its security key guidance explains that users can sign in with a physical key, a phone’s built-in security key, or a passkey depending on their setup.
- Do not click login links in unexpected account-warning emails.
- Open Google Account security settings manually from the browser.
- Use passkeys or hardware security keys for high-risk accounts.
- Review recovery email, recovery phone and recent security events.
- Report suspicious political or media-targeting emails to security teams.
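To make concrete why the real-time relay described above beats one-time codes but not origin-bound credentials, here is an added example (editor's code, not from the original report, the researchers, or Google): a Python simulation of both exchanges. It assumes a hypothetical phishing origin accounts-verify.example, implements the RFC 6238 TOTP algorithm for the one-time code, and models the FIDO2/WebAuthn assertion with an HMAC stand-in for the real public-key signature; the credential scoping and browser origin rule are the ones WebAuthn specifies.

```python
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://accounts.google.com"      # legitimate sign-in origin
PHISH_ORIGIN = "https://accounts-verify.example"  # hypothetical phishing origin (assumption)

def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0]

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter with RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpServer:
    """Password + TOTP login; the server cannot tell where the code was typed."""
    def __init__(self, password, secret):
        self.password, self.secret = password, secret

    def login(self, password, code, now):
        return password == self.password and hmac.compare_digest(code, totp(self.secret, now))

def relay_phish_totp(server, password, secret, now, delay):
    """Victim types password + current code into the fake page; the page's background
    connection forwards them and the operator replays them `delay` seconds later."""
    return server.login(password, totp(secret, now), now + delay)

class Authenticator:
    """Security-key/passkey stand-in: credentials are scoped to an RP ID and the
    signature covers rpIdHash plus the hash of clientDataJSON, whose origin field the
    browser (not the user) fills in. HMAC with a per-credential key stands in for the
    real asymmetric signature (simplifying assumption for the demo)."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        self.creds[rp_id] = hashlib.sha256(b"demo-cred:" + rp_id.encode()).digest()

    def sign(self, rp_id, origin, challenge):
        key = self.creds.get(rp_id)
        if key is None:
            return None  # no credential scoped to this RP ID
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x00"  # rpIdHash|flags|counter
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return client_data, auth_data, sig

def browser_get_assertion(auth, page_origin, rp_id, challenge):
    """Browser rule: a page may only use credentials whose RP ID is its own domain or a parent."""
    host = host_of(page_origin)
    if host != rp_id and not host.endswith("." + rp_id):
        return None  # cross-origin request refused by the browser
    return auth.sign(rp_id, page_origin, challenge)

class FidoServer:
    """Relying party: checks challenge, origin, rpIdHash and signature."""
    def __init__(self, auth):
        self.rp_id = host_of(REAL_ORIGIN)
        self.key = auth.creds[self.rp_id]        # registered credential (public-key stand-in)
        self.challenge = "demo-challenge-fixed"  # real servers issue fresh random challenges

    def login(self, assertion):
        if assertion is None:
            return False
        client_data, auth_data, sig = assertion
        cd = json.loads(client_data)
        expected = hmac.new(self.key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return (cd.get("type") == "webauthn.get" and cd.get("challenge") == self.challenge
                and cd.get("origin") == REAL_ORIGIN
                and auth_data[:32] == hashlib.sha256(self.rp_id.encode()).digest()
                and hmac.compare_digest(sig, expected))

def relay_phish_fido(server, auth, page_origin, rp_id):
    """Victim touches the key on the page they are on; the page relays the result verbatim."""
    return server.login(browser_get_assertion(auth, page_origin, rp_id, server.challenge))

def demo():
    now, secret, password = 1_700_000_000, b"12345678901234567890", "hunter2"  # constructed
    otp_server, auth = OtpServer(password, secret), Authenticator()
    auth.register(host_of(REAL_ORIGIN))
    fido_server = FidoServer(auth)
    return {
        "totp_relay_within_window": relay_phish_totp(otp_server, password, secret, now, 5),
        "totp_relay_after_window": relay_phish_totp(otp_server, password, secret, now, 90),
        "fido_legit_login": relay_phish_fido(fido_server, auth, REAL_ORIGIN, host_of(REAL_ORIGIN)),
        "fido_phish_own_rpid": relay_phish_fido(fido_server, auth, PHISH_ORIGIN, host_of(PHISH_ORIGIN)),
        "fido_phish_spoofed_rpid": relay_phish_fido(fido_server, auth, PHISH_ORIGIN, host_of(REAL_ORIGIN)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The TOTP relay succeeds whenever the operator replays within the 30-second step, which is exactly the window the background connection buys. The FIDO relay fails twice over: a page at the phishing origin has no credential for its own RP ID, and if it asks for the real RP ID instead, the browser refuses the request before the key is ever touched. Even a forged clientDataJSON would not help, because the signature covers its hash and the server checks the origin field.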
Infrastructure Pivots Exposed a Wider Operation
Researchers said the attackers used Bunny CDN to hide the real server addresses behind their phishing pages. A certificate for one phishing hostname was reportedly also observed directly on the IP address 45.194.44.44, hosted in Poland, exposing a server that the CDN front was meant to conceal.

That mistake helped investigators pivot to related domains, including names built around terms such as mail, account, security and verification. These naming patterns make fake portals look routine to users who already expect account-warning emails from major providers.
Internet exposure tools such as Censys Search can help researchers map certificates, hosts and shared infrastructure. In this case, certificate and server-fingerprint pivots reportedly led from one phishing page to a broader credential-theft network.
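As an added illustration of the certificate and hosting pivot described above (editor's example, not the researchers' tooling or a Censys query), the following Python script walks a constructed, Censys-like inventory of TLS services. Every IP, hostname, hosting label and fingerprint in it is made up; the point is the pivot logic: follow shared certificate fingerprints from a seed hostname to the IPs serving them, expand only through non-CDN origin IPs, and rank the resulting domains by how much login-support vocabulary they carry.

```python
import re
from collections import defaultdict, deque

# Constructed, Censys-like inventory of observed TLS services (all values made up).
# Fields: (ip, hosting_org, cert_fingerprint, SAN names on that certificate)
INVENTORY = [
    ("198.51.100.10", "ExampleCDN edge", "fp-aaaa", ["account-security-check.example", "mail-verify-login.example"]),
    ("203.0.113.44",  "PL hosting",      "fp-aaaa", ["account-security-check.example", "mail-verify-login.example"]),
    ("203.0.113.44",  "PL hosting",      "fp-bbbb", ["i-ua-webmail-login.example", "meta-ua-account.example"]),
    ("203.0.113.45",  "PL hosting",      "fp-cccc", ["bigmir-verification.example"]),
    ("198.51.100.20", "ExampleCDN edge", "fp-dddd", ["news.example", "recipes.example"]),
    ("192.0.2.7",     "Other hosting",   "fp-cccc", ["bigmir-verification.example"]),
]

LURE_WORDS = re.compile(r"mail|account|security|verif|login|auth", re.I)

def is_cdn(org):
    """Treat CDN edges as shared infrastructure: never pivot *through* them."""
    return "cdn" in org.lower()

def build_graph(inventory):
    """Links host<->cert and cert->ip; ip->cert only for non-CDN IPs, because a CDN
    edge serves the certificates of thousands of unrelated tenants."""
    graph = defaultdict(set)
    for ip, org, fp, sans in inventory:
        for name in sans:
            graph[("host", name)].add(("cert", fp))
            graph[("cert", fp)].add(("host", name))
        graph[("cert", fp)].add(("ip", ip))
        if not is_cdn(org):
            graph[("ip", ip)].add(("cert", fp))
    return graph

def pivot(inventory, seed_host):
    """Breadth-first pivot from one phishing hostname across shared certificates and
    origin IPs. Returns related hosts, certs, origin IPs and the CDN edges touched."""
    graph = build_graph(inventory)
    start = ("host", seed_host)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    cdn_ips = {ip for ip, org, _, _ in inventory if is_cdn(org)}
    result = {"hosts": set(), "certs": set(), "origin_ips": set(), "cdn_ips": set()}
    for kind, value in seen:
        if kind == "host":
            result["hosts"].add(value)
        elif kind == "cert":
            result["certs"].add(value)
        elif value in cdn_ips:
            result["cdn_ips"].add(value)
        else:
            result["origin_ips"].add(value)
    return result

def lure_keywords(hostname):
    """Account/mail/verification vocabulary that makes a fake portal look routine."""
    return [m.lower() for m in LURE_WORDS.findall(hostname)]

def triage(inventory, seed_host):
    """Pivot, then rank related hosts by how much login-support vocabulary they carry."""
    related = pivot(inventory, seed_host)
    ranked = sorted(related["hosts"], key=lambda h: (-len(lure_keywords(h)), h))
    return related, [(h, lure_keywords(h)) for h in ranked]

if __name__ == "__main__":
    related, ranked = triage(INVENTORY, "account-security-check.example")
    print("origin IPs (certificate seen outside the CDN):", sorted(related["origin_ips"]))
    print("CDN edges reached but not expanded:", sorted(related["cdn_ips"]))
    for host, words in ranked:
        print(f"  {host}: {words}")
```

The CDN edge is reached but not expanded, which keeps the unrelated tenant news.example out of the result; the same certificate seen directly on a non-CDN IP exposes the origin, and the second certificate on that origin leads to the webmail look-alikes. Against real Censys data the inventory would come from a certificate or host search, but the pivot rules are the same.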
| Observed pattern | Defender takeaway |
|---|---|
| Domains using account, mail and verification language | Block or investigate suspicious domains that imitate login-support workflows |
| Compromised websites used as redirects | Do not treat a known local website as safe if it redirects to a login page |
| CDN-backed phishing pages | Look beyond CDN edges and inspect certificate, hostname and page behavior |
| Real-time credential transmission | Prioritize phishing-resistant MFA for political, media and civil society users |
Ukrainian Webmail Users Were Also Targeted
The wider infrastructure reportedly included phishing pages that impersonated Ukrainian online portals such as I.UA, bigmir.net and META.UA. This fits UNC1151’s earlier focus on regional webmail and government-adjacent targets.
Mandiant previously said UNC1151 had registered credential-theft domains spoofing legitimate websites since at least 2016, including regional webmail providers and organizations in Ukraine, Lithuania, Latvia, Poland and Germany. The new campaign appears to follow that same playbook.
MITRE ATT&CK tracks phishing under T1566, describing it as a technique where attackers send messages to trick users into opening malicious links or attachments. A credential-harvesting link like the Hubarevich lure falls under the Spearphishing Link sub-technique, T1566.002.
Why Opposition Figures Face Higher Risk
Political figures, journalists and civil society workers face a different threat model from ordinary users. Attackers may not need money from the account. They may want private messages, contacts, unpublished documents or material for later leak-and-amplify operations.
The Associated Press noted that Belarusian authorities have continued a harsh crackdown on opposition since the 2020 election protests. That background makes account security especially important for people linked to opposition movements, independent media or exile organizations.

The Council of the EU said Ghostwriter activity sought to undermine democratic institutions and processes through account compromise, data theft and information manipulation. That combination of phishing and influence operations remains the main risk for high-profile political targets.
What High-Risk Gmail Users Should Do Now
High-risk users should assume that convincing security-warning emails may be hostile, especially if they arrive in Russian, Belarusian, Ukrainian or Polish and ask for urgent login verification. The safest response is to close the email and navigate to the account provider directly.
Google’s hacked-account guidance recommends checking recent security events, reviewing signed-in devices, removing unfamiliar access and enabling two-step verification. These checks help users detect whether a phishing attempt has already led to unauthorized access.
For stronger protection, users should adopt phishing-resistant authentication. Google’s security key guidance offers a practical route for journalists, politicians and activists who face repeated account-takeover attempts.
Security teams can also use Censys Search and similar tools to track shared certificates, repeated page fingerprints and reused phishing infrastructure. Those pivots can turn one suspicious domain into a broader blocklist and investigation lead.
Attribution still requires caution, but the targeting, phishing style and regional focus closely match the historical UNC1151 pattern described by Mandiant and other public sources. The latest campaign shows that Ghostwriter-style credential theft remains a direct threat to Belarusian opposition voices and Ukrainian online services.
FAQ
What is UNC1151?
UNC1151 is a threat group linked by Mandiant to the Belarusian government. It is widely associated with the Ghostwriter campaign, which has used credential theft and information operations against targets in Eastern Europe.
Who was targeted in this campaign?
The campaign targeted Yuras Hubarevich, a Belarusian opposition politician and leader of the For Freedom movement. Researchers also found related infrastructure aimed at users in Belarus and Ukraine.
How did the phishing attempt work?
The attackers sent a fake Google security warning in Russian and pushed the target toward a fake login page. The page collected entered credentials in real time, which can put users at risk even if they rely on SMS or one-time codes.
Why do security keys and passkeys resist this kind of attack?
Hardware security keys and passkeys are more resistant to real-time phishing than SMS codes because they are designed to work only with the legitimate website or service, not a fake login page.
What should a user do after receiving such an email?
Users should not click the email link. They should open their Google Account directly from the browser, review recent security events, check signed-in devices, remove unfamiliar access and report the message to their security team or email provider.