UNC1151 Ghostwriter Hackers Target Belarusian Politician in Gmail Phishing Campaign

What happened

The UNC1151 threat group, also known as Ghostwriter, was observed running a targeted phishing campaign against Belarusian pro-democracy politician Yury Hubarevich.

The phishing email was written in Russian and warned Hubarevich about suspicious activity on his Google account. The message urged him to verify his login details immediately, using urgency and fear of account loss to push the target toward a fake login flow.

The link in the email sent the target to a compromised Ukrainian website, which then redirected to a fake Google login page designed to look legitimate.

The phishing page opened a background WebSocket connection and streamed everything typed into the form to the attackers as it was entered, rather than waiting for the victim to press submit. Because the operators receive the password and any SMS or one-time code while that code is still valid, this setup could let them complete a login to the real account immediately, defeating SMS-based and one-time password multi-factor authentication.

After submission, the page displayed a Russian-language message telling the victim that account verification had been initiated successfully and that further information would arrive within 24 hours.

Researchers at Censys said the attempted attack against Hubarevich was part of a broader credential-theft operation targeting users in Belarus and Ukraine. By pivoting through certificates and infrastructure, they traced the campaign to a larger network of phishing domains collecting login details across multiple countries.

The attackers used Bunny CDN to hide the real IP addresses behind their phishing pages. However, investigators found that one certificate tied to a phishing hostname had been publicly visible on an IP address hosted in Poland under Datagear.

That infrastructure clue led researchers to additional phishing domains using account security, mail login, and verification-themed names. Several more IP addresses with the same web server fingerprint were also identified, each hosting certificates for fake login pages.

The broader campaign also targeted users of Ukrainian online portals, including I.UA, bigmir)net, and META.UA. Phishing pages impersonating these platforms were active and ready to collect credentials during the investigation.

Who is affected

Yury Hubarevich was directly targeted by the Gmail phishing campaign.

The broader operation affects politically sensitive individuals and organizations in Belarus and Ukraine, especially opposition figures, journalists, activists, government-adjacent personnel, and users of regional email or online portal services.

Users who rely on SMS-based or one-time password MFA are also exposed: because the phishing infrastructure relayed entered data in real time, attackers could capture both the credentials and the MFA code during the login and use them before the code expired.

Why CISOs should care

This campaign shows how state-aligned phishing operations continue to rely on simple but effective account takeover tactics. The attack did not need malware or a technical exploit. It used a convincing account-security lure, a compromised redirect site, and a realistic fake login page.

For CISOs, the real-time credential capture is the most important lesson. SMS codes and one-time passwords can be intercepted and relayed if users enter them into attacker-controlled pages. That makes phishing-resistant MFA, such as FIDO2/WebAuthn hardware security keys or passkeys, especially important for high-risk users: the authenticator signs over the origin the browser is actually on, so an assertion collected on a fake login page is not valid at the genuine provider.
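The following is an added illustration of the mechanism described above (the real-time relay of a password and a one-time code, and why an origin-bound authenticator does not relay the same way); it is not code from Censys, from the campaign, or from Google. The identity provider, authenticator, origins, secrets and the "signature" (an HMAC standing in for a public-key signature) are all constructed for the demo; only the TOTP routine follows a real standard (RFC 6238).

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30  # seconds per code, RFC 6238 default
REAL_ORIGIN = "https://accounts.example.test"          # constructed stand-in for the genuine login origin
PHISH_ORIGIN = "https://login-verify.example.invalid"  # constructed stand-in for the phishing page


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the code changes every TOTP_STEP seconds."""
    counter = struct.pack(">Q", int(now // TOTP_STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def client_data(origin: str, challenge: bytes) -> bytes:
    """Reduced model of WebAuthn clientDataJSON: the browser records the origin it is on."""
    return origin.encode() + b"|" + challenge


def sign_assertion(cred_key: bytes, origin: str, challenge: bytes) -> bytes:
    """Stand-in for the authenticator's signature over the client data (HMAC for the demo)."""
    return hmac.new(cred_key, client_data(origin, challenge), hashlib.sha256).digest()


class Authenticator:
    """Constructed model of a security key: it signs whatever origin the browser reports."""

    def __init__(self, cred_key: bytes):
        self._cred_key = cred_key

    def assert_(self, browser_origin: str, challenge: bytes) -> dict:
        return {"origin": browser_origin, "challenge": challenge,
                "sig": sign_assertion(self._cred_key, browser_origin, challenge)}


class FakeIdP:
    """Constructed identity provider accepting password+TOTP or a WebAuthn-style assertion."""

    def __init__(self, password: str, totp_secret: bytes, cred_key: bytes):
        self._password = password
        self._totp_secret = totp_secret
        self._cred_key = cred_key  # stands in for the registered public key
        self.last_challenge = b"constructed-challenge"  # fixed here; real IdPs use fresh random bytes

    def login_otp(self, password: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(password, self._password):
            return False
        # Accept the current step and one step either side, as many IdPs do.
        return any(hmac.compare_digest(code, totp(self._totp_secret, now + d * TOTP_STEP))
                   for d in (-1, 0, 1))

    def login_webauthn(self, assertion: dict) -> bool:
        # Origin must be the IdP's own, and the signature must cover exactly that client data.
        if assertion["origin"] != REAL_ORIGIN or assertion["challenge"] != self.last_challenge:
            return False
        expected = sign_assertion(self._cred_key, assertion["origin"], assertion["challenge"])
        return hmac.compare_digest(assertion["sig"], expected)


def run_scenarios(now: float = 1_700_000_000.0) -> dict:
    """Plays the relay against both MFA types and returns which logins succeed."""
    secret, cred_key = b"constructed-totp-seed", b"constructed-credential-key"
    idp = FakeIdP("hunter2", secret, cred_key)  # constructed victim credentials
    key = Authenticator(cred_key)
    results = {}

    # 1. The victim types password and current code into the fake page; the WebSocket
    #    hands them to the attacker within seconds, while the code is still valid.
    typed = {"password": "hunter2", "otp": totp(secret, now)}
    results["otp_relayed_live"] = idp.login_otp(typed["password"], typed["otp"], now + 5)

    # 2. The same capture used two minutes later: this is why the relay must be live.
    results["otp_replayed_late"] = idp.login_otp(typed["password"], typed["otp"], now + 120)

    # 3. WebAuthn on the phishing page: the browser reports PHISH_ORIGIN, the key signs it,
    #    and the relayed assertion is rejected by the real IdP.
    phished = key.assert_(PHISH_ORIGIN, idp.last_challenge)
    results["webauthn_relayed"] = idp.login_webauthn(phished)

    # 4. Attacker rewrites the origin to the real one: the signature no longer matches.
    forged = dict(phished, origin=REAL_ORIGIN)
    results["webauthn_origin_rewritten"] = idp.login_webauthn(forged)

    # 5. Legitimate login from the genuine origin still works.
    results["webauthn_legit"] = idp.login_webauthn(key.assert_(REAL_ORIGIN, idp.last_challenge))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'LOGIN OK' if ok else 'rejected'}")
```

The first two scenarios are the page's point in miniature: a logged password and code are worthless after the TOTP window, so the attacker needs the live channel the article describes. The WebAuthn scenarios show what "phishing-resistant" means concretely: the relay cannot present an assertion for the genuine origin without the victim's key signing for that origin, which the browser will not ask it to do from a look-alike domain.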

The infrastructure discovery also matters. The attackers used CDN services and compromised sites to obscure activity, but certificate and hosting artifacts still exposed a broader phishing network. Security teams can use certificate monitoring, domain pattern analysis, and infrastructure pivoting to uncover related phishing assets.

The targeting of a pro-democracy politician also reinforces that identity security is a geopolitical risk. Organizations working with journalists, civil society, public policy, elections, government, or regional advocacy should treat personal email accounts and public-facing identities as part of the threat model.

3 practical actions

  1. Move high-risk users to phishing-resistant MFA: The campaign could bypass SMS-based and one-time password MFA by capturing codes in real time. CISOs should prioritize hardware security keys or passkeys for executives, political staff, journalists, activists, and employees handling sensitive work.
  2. Train users to verify account warnings through official channels: The lure warned of suspicious Google account activity and urged immediate verification. Security teams should teach users to avoid clicking links in urgent account-security emails and instead navigate directly to the provider’s official website.
  3. Monitor phishing infrastructure patterns, not just individual domains: Researchers traced the campaign through certificates, IP addresses, and domain naming patterns. Defenders should look for mail, account, security, and verification-themed domains, suspicious certificate reuse, and redirects through compromised regional websites.
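As an added example of the pivoting pattern described above (certificate on a hostname, to the IP that exposed it, to the server fingerprint, to other IPs with the same fingerprint, to the hostnames they serve), here is a small Python routine run over constructed scan records. It is not Censys code and not their data: the hostnames, IPs (RFC 5737 documentation ranges), fingerprints and the theme keyword list are all assumptions for the demo.

```python
import re
from collections import defaultdict

# Naming themes the report associates with the campaign's lure domains. The exact
# keyword list here is an assumption; extend it with the portals your users rely on.
LURE_THEME = re.compile(r"(account|mail|login|secur|verif|auth|passw|signin)", re.IGNORECASE)

# Constructed scan records: one row per (ip, hostname-on-certificate). "fp" stands for a
# web server fingerprint (banner plus default-page hash); "cdn" marks CDN-fronted hosts.
RECORDS = [
    {"ip": "203.0.113.10", "host": "account-verify.example.invalid", "fp": "nginx-18-title-a1", "cdn": False},
    {"ip": "203.0.113.10", "host": "mail-secure-login.example.invalid", "fp": "nginx-18-title-a1", "cdn": False},
    {"ip": "203.0.113.22", "host": "verification-center.example.invalid", "fp": "nginx-18-title-a1", "cdn": False},
    {"ip": "203.0.113.22", "host": "webmail-signin.example.invalid", "fp": "nginx-18-title-a1", "cdn": False},
    {"ip": "198.51.100.7", "host": "shop.example.invalid", "fp": "nginx-18-title-a1", "cdn": False},
    {"ip": "198.51.100.5", "host": "blog.example.invalid", "fp": "apache-24-title-b7", "cdn": False},
    {"ip": "192.0.2.40", "host": "account-verify.example.invalid", "fp": "cdn-edge", "cdn": True},
]


def looks_like_lure(host: str) -> bool:
    """True when the hostname uses account/mail/security/verification-style wording."""
    return LURE_THEME.search(host) is not None


def pivot(records: list, seed_host: str) -> dict:
    """Expand one known phishing hostname into related infrastructure.

    Steps mirror the report: find origin IPs (skipping CDN edges, which hide the
    real host), take their server fingerprint, collect every other IP sharing it,
    then list the hostnames on those IPs and flag the lure-themed ones.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    seed_ips = {r["ip"] for r in records if r["host"] == seed_host and not r["cdn"]}
    fingerprints = {r["fp"] for ip in seed_ips for r in by_ip[ip]}
    related_ips = {r["ip"] for r in records if r["fp"] in fingerprints and not r["cdn"]}

    candidates, seen = [], set()
    for ip in sorted(related_ips):
        for r in by_ip[ip]:
            if (ip, r["host"]) in seen:
                continue
            seen.add((ip, r["host"]))
            candidates.append({"ip": ip, "host": r["host"], "themed": looks_like_lure(r["host"])})

    return {
        "seed_ips": sorted(seed_ips),
        "fingerprints": sorted(fingerprints),
        "related_ips": sorted(related_ips),
        "themed_hosts": sorted(c["host"] for c in candidates if c["themed"]),
        "needs_review": sorted(c["host"] for c in candidates if not c["themed"]),
    }


if __name__ == "__main__":
    result = pivot(RECORDS, "account-verify.example.invalid")
    for k, v in result.items():
        print(f"{k}: {v}")
```

The split between `themed_hosts` and `needs_review` is deliberate: a shared server fingerprint is a weak signal on its own (commodity images produce many identical banners), so hosts that match the fingerprint but not the naming pattern are surfaced for a human rather than blocked automatically. Running the same pivot against certificate transparency logs and your passive DNS on a schedule turns the report's one-off investigation into continuous monitoring.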

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.