A well-known hacker group called UNC1151, also widely known as Ghostwriter, has been caught running a targeted phishing campaign against a prominent Belarusian pro-democracy politician.
The group, which has long been tied to the interests of the Belarusian government and, by extension, Russia, sent a carefully crafted fake email to Yury Hubarevich designed to steal his Gmail credentials.
This latest attack is a sharp reminder of how state-aligned threat actors continue to use simple but effective tricks to silence political opposition voices.
UNC1151 first came into the spotlight in 2020 when it broke into legitimate news and media websites to plant fake stories, earning it the widely used name Ghostwriter.
Since then, the group has stayed very active, running spear-phishing campaigns across Eastern Europe with a particular focus on individuals in Poland and Ukraine.
The attack on Hubarevich fits that familiar pattern, though the scale of what researchers uncovered behind it tells a far bigger story.
Researchers at Censys, a leading internet intelligence platform, said in a report shared with Cyber Security News (CSN) that the phishing attempt against Hubarevich was not a standalone hit but part of a wider credential-theft operation targeting both Belarus and Ukraine.
Using certificate and infrastructure pivot techniques, the team traced the attack back to a broader network of phishing domains actively collecting login details from victims across multiple countries.
The attack began with a phishing email written in Russian, warning Hubarevich of suspicious activity on his Google account and urging him to verify his login details immediately.
This is a classic social engineering trick that relies on urgency and the real fear of losing account access.
The link inside the email directed him to a compromised Ukrainian website, which then forwarded him to a fake Google login page built to look completely real and trustworthy.
What made this attack especially dangerous was a background websocket connection that transmitted anything typed on the fake login page directly to the attackers in real time.
This setup allowed them to bypass SMS-based and one-time password multi-factor authentication, meaning even users with two-step verification enabled were still at risk.
The final screen shown to the victim read, in Russian, “Account verification has been initiated successfully. You’ll receive further information within 24 hours.”
UNC1151 Ghostwriter Hackers Target Belarusian Politician
The attackers used a content delivery network called Bunny CDN to hide the real IP addresses behind their phishing pages, making the infrastructure much harder to trace.
However, investigators found that a certificate tied to one of the phishing hostnames had been publicly visible on the IP address 45.194.44.44, hosted in Poland under Datagear.
That one small operational mistake cracked open the door to a far larger infrastructure discovery.
By following that certificate, researchers mapped out several more phishing domains linked to the same IP address, including mail-secure-login.digital and check-account.digital.
These domain names follow a deliberate pattern, using words like “mail,” “account,” “security,” and “verification” to appear legitimate to an unsuspecting user.
Three additional IP addresses running the same web server fingerprint were also identified, each hosting certificates for more fake login pages.
Multinational Credential Theft Operation Exposed
The broader picture that emerged showed the group actively targeting users of at least three popular Ukrainian online portals, including I.UA, bigmir)net, and META.UA.
Phishing pages mimicking each of these platforms were found active and ready to harvest credentials at the time of the investigation.
CERT Polska and ESET, who track this group under the name FrostyNeighbor, have separately documented very similar campaign patterns in recent months.
For individuals in politically sensitive roles, the best defense starts with strong account hygiene and healthy skepticism toward urgent login requests.
Using hardware security keys instead of SMS-based two-factor authentication is far more resistant to real-time phishing interception of this kind.
Any email arriving in regional languages with an account warning should always be verified through official channels before clicking any link inside it.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| IP Address | 45.197.133[.]104 | UNC1151 phishing infrastructure, Datagear/Poland |
| IP Address | 45.194.44[.]44 | UNC1151 phishing infrastructure, Datagear/Poland |
| IP Address | 45.194.44[.]46 | UNC1151 phishing infrastructure, Datagear/Poland |
| IP Address | 111.88.74[.]246 | UNC1151 phishing infrastructure |
| Domain | mail[.]service-support[.]digital | Phishing domain hosted on 45.197.133[.]104 |
| Domain | accounts-verification[.]cc[.]cd | Phishing domain hosted on 45.197.133[.]104 |
| Domain | mail[.]account-check[.]digital | Phishing domain hosted on 45.197.133[.]104 |
| Domain | verification-service[.]cc[.]cd | Phishing domain hosted on 45.197.133[.]104 |
| Domain | verification-credentials[.]cc[.]cd | Phishing domain hosted on 45.197.133[.]104 |
| Domain | account-email-verification[.]cc[.]cd | Phishing domain hosted on 45.194.44[.]44 |
| Domain | mail-security-login[.]digital | Phishing domain hosted on 45.194.44[.]44 |
| Domain | mail-secure-login[.]digital | Phishing domain hosted on 45.194.44[.]44 |
| Domain | check-account[.]digital | Phishing domain hosted on 45.194.44[.]44 |
| Domain | account-emails-verification[.]cc[.]cd | Phishing domain hosted on 45.194.44[.]44 |
| Domain | account[.]check-profile[.]digital | Phishing domain hosted on 45.194.44[.]44 |
| Domain | mail[.]account-security[.]digital | Phishing domain hosted on 45.194.44[.]46 |
| Domain | mail-alerts[.]cc[.]cd | Phishing domain hosted on 45.194.44[.]46 |
| Domain | mail-verification[.]cc[.]cd | Phishing domain hosted on 45.194.44[.]46 |
| Domain | i-ua[.]cc[.]cd | Impersonation of Ukrainian portal I.UA |
| Domain | bigmir-net[.]cc[.]cd | Impersonation of Ukrainian portal bigmir)net |
| Domain | account-protection-team[.]icu | Phishing domain hosted on 111.88.74[.]246 |
| Domain | support-accounts-checker[.]cc[.]cd | Phishing domain hosted on 111.88.74[.]246 |
| Domain | account-protection-support[.]icu | Phishing domain hosted on 111.88.74[.]246 |
| SHA256 | 2434e1a88cf2effa13fc4eb335560e3cf49790ddd4bd0df7e100de9867a19748 | Certificate hash for mail[.]service-support[.]digital |
| SHA256 | 6542f8fa3e1f00a3c0e9994c34d8b49d2c3d2684cf73c23a0b1030daaaaa4786 | Certificate hash for accounts-verification[.]cc[.]cd |
| SHA256 | cb5230b57589132f63441244183f24ce727d1a2f5454d7636a3548207a5859cc | Certificate hash for mail[.]account-check[.]digital |
| SHA256 | 700ddccaa2aa1c4871f23cc59ba6aefdd7b11f4136f578fd3f40c8d2c762b37c | Certificate hash for verification-service[.]cc[.]cd |
| SHA256 | 84e7c3cfba6b368f75d4124bcf750dce96e71448924aa6b110c08d0d24da6885 | Certificate hash for verification-credentials[.]cc[.]cd |
| SHA256 | c30ccd8d66ea757121c036e76408e8ee9fe122bf4d048e2744abf56ecdd8e019 | Certificate hash for account-email-verification[.]cc[.]cd |
| SHA256 | e86d364d794c7a42d122fdedbddb60b14c815a5708b5b3f4a622d1f66fb3dbba | Certificate hash for mail-security-login[.]digital |
| SHA256 | 3ea96a0086f0540bcd84820a8f65ee6c6df41979497e4291ba8ac59601535d91 | Certificate hash for mail-secure-login[.]digital |
| SHA256 | 3a2cd6a8e2c76c91aa04260df46a95df0e9799100d23cd32fdee9415bf1b3971 | Certificate hash for check-account[.]digital |
| SHA256 | 7a1a3a5f31df23053bfd5a03a63f19dd28561a9e41122d26a5413f46e9160664 | Certificate hash for account-emails-verification[.]cc[.]cd |
| SHA256 | 4b80681cd444cf9679d7e4d715489f6ddbe4580a9d110bd1952e54e8193afefd | Certificate hash for account[.]check-profile[.]digital |
| SHA256 | 0cb6bf1fd758f78f7e78baf4df85b5dbd236232011ed4eed685df852ab70a19a | Certificate hash for mail[.]account-security[.]digital |
| SHA256 | b2fd49c1a72db79ca3be5a6370a353ea6105697b20017606572697c98c3b9629 | Certificate hash for mail-alerts[.]cc[.]cd / i-ua[.]cc[.]cd |
| SHA256 | 9280780cde1623fcb712b3d0f34cacedb77973dc8cac7f01c5338fe6fd22ad5c | Certificate hash for mail-verification[.]cc[.]cd |
| SHA256 | eefc039a84cb1276a8b76e09150d188de3aa262e7c7149e8a3cd1b07eb868460 | Certificate hash for bigmir-net[.]cc[.]cd |
| SHA256 | 5778fb76f3e1024cf3b6b8b298c4ac3607c869d5516ba7f8b274e9709fbfd0a5 | Certificate hash for account-protection-team[.]icu |
| SHA256 | a29de1229b408e47af2a926bce7db5c6bc5d9208f1fc10226748dd65071e064e | Certificate hash for support-accounts-checker[.]cc[.]cd |
| SHA256 | bd90a95c7b698c7680c3c64eb578cdda686dd33029e60ca74b8a67502bab72e9 | Certificate hash for account-protection-support[.]icu |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
