The UNC1151/Ghostwriter group is conducting high-intensity phishing campaigns targeting Gmail accounts of Polish citizens since March 2026. The campaigns primarily target individuals in political and public life, prominent positions, researchers, journalists, public administration and law enforcement employees, and their associates. Attackers use fraudulent emails impersonating Gmail administrators, claiming suspicious activity or policy violations to pressure victims into verifying their accounts. The phishing infrastructure captures login credentials and two-factor authentication codes through fake login panels. The group utilizes dedicated domains, Netlify subdomains, and compromised websites to host phishing pages. Campaigns run primarily on weekdays with new domains appearing almost daily, demonstrating persistent operational tempo against Polish targets.