Prepared by: RESIDENT.NGO ThreatLab
Incident Date: May 29, 2026
Publication Date: June 4, 2026
Verdict: Adversary-in-the-Middle (AiTM) phishing that steals Google usernames, passwords, and one-time 2FA codes in real time. Google Threat Intelligence matched the infrastructure to UNC1151, a Belarus-linked espionage cluster associated with Ghostwriter activity.
Target: Yury Hubarevich — Coordinator of the Personnel Reserve initiative, Chairman of the Movement “For Freedom”, and member of the Coordination Council of Belarus. (Published with his permission; his email address is redacted.)
What happened
On 29 May 2026, an individual involved in the Belarusian democratic movement received an email in Russian pretending to be from Google. It claimed the account showed “suspicious activity” and would be deleted within 24 hours unless it was “verified.” The target recognized the message as suspicious and shared a sample with RESIDENT.NGO ThreatLab. We confirmed it was a phishing attempt and performed further investigation and attribution.

Why this attack is dangerous
The email link first sends the victim through a compromised third-party website and then to a fake Google sign-in page that closely copies the real one. Whatever the victim types is relayed to the attacker in real time, including the one-time 2FA code. The attacker can immediately use those details to sign in to the real account. Because the code is relayed live, SMS codes and authenticator-app codes do not stop this kind of attack. Phishing-resistant sign-in methods such as passkeys or FIDO2 security keys do.
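Why a relayed one-time code works for the attacker but a relayed FIDO2 assertion does not, as an added stdlib-only simulation that is not code from the report or the kit: the origins below are the ones named in this report, while the HMAC key stands in for an authenticator's asymmetric private key and the relying-party checks are a simplified model of WebAuthn verification (assumptions, not Google's implementation).

```python
import base64
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://accounts.google.com"             # where the victim's credential lives
PHISH_ORIGIN = "https://account.check-profile.digital"   # the AiTM clone described in the report
RP_ID = "accounts.google.com"
# Stand-in for the authenticator's private key (a real authenticator signs with an
# asymmetric key; HMAC is used here only so the simulation needs no third-party library).
AUTH_KEY = b"simulated-authenticator-key"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def otp_login(expected_code, submitted_code):
    """An OTP is a bare string: the server cannot tell on which page it was typed."""
    return hmac.compare_digest(expected_code, submitted_code)

def browser_assert(origin, challenge):
    """Simulates navigator.credentials.get(): the browser, not the user, writes the
    page origin into clientDataJSON and the authenticator signs over it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}, separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(origin.split("//", 1)[1].encode()).digest()
    to_sign = rp_id_hash + hashlib.sha256(client_data).digest()
    return client_data, rp_id_hash, hmac.new(AUTH_KEY, to_sign, hashlib.sha256).digest()

def rp_verify(client_data, rp_id_hash, signature, challenge):
    """The real relying party's checks; returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, "origin mismatch: " + cd.get("origin", "")
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(AUTH_KEY, rp_id_hash + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"

def aitm_relay(victim_origin):
    """The AiTM backend fetches a fresh challenge from the real site and forwards it
    to whatever page the victim is actually on; the challenge itself is relayed intact."""
    challenge = os.urandom(32)
    return rp_verify(*browser_assert(victim_origin, challenge), challenge)

if __name__ == "__main__":
    print("OTP relayed through phishing page:", otp_login("482913", "482913"))
    print("FIDO2 from the real site:", aitm_relay(REAL_ORIGIN))
    print("FIDO2 relayed through phishing page:", aitm_relay(PHISH_ORIGIN))
```

In a real browser the failure comes even earlier: a credential scoped to `accounts.google.com` is never offered on `check-profile.digital`, so no assertion is produced at all.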
Who was targeted, and by whom
The real recipient was hidden in Bcc, so the total recipient count is unknown. The actual target is a senior Belarusian political figure. Google Threat Intelligence matched the phishing domain to UNC1151 with high confidence. Mandiant describes UNC1151 as a Belarus-linked espionage cluster associated with Ghostwriter activity and known for credential-theft campaigns against Ukraine, the Baltics, Poland, Germany, and Belarusian opposition and civil society (Google/Mandiant attribution; Google TAG / Mandiant on Ghostwriter). The target profile is therefore consistent with the actor’s known targets.

Figure 6: Google Threat Intelligence attribution linking the phishing domain check-profile[.]digital to UNC1151
How to recognize an attack like this:
- Do not trust the sender’s display name. Here it read “Account Support”, but the real address was a throwaway Gmail, not a Google domain. (The name was even built from Cyrillic look-alike letters that are hard to distinguish visually — which is the point: a display name can say anything, so check the actual address.)
- It manufactures fear and urgency — a countdown (“24 hours, no recovery”) designed to make you act before you think.
- It is impersonal — no name, no genuine account details.
How to protect yourself:
- Treat any “your account will be deleted” email as a scam until proven otherwise. Never click the link — instead, go to the service directly by typing its address yourself.
- Move high-risk accounts to a passkey or hardware security key (FIDO2) as the only method of 2FA. This is the most effective defense against this class of credential-relay attack.
- If you suspect you entered credentials, from a different trusted device change your password, sign out of all sessions, and review devices, forwarding rules, filters, and app passwords. Immediately notify your colleagues and people who help you with cybersecurity.
- High-risk users should enroll in Google’s Advanced Protection Program, which requires a passkey or security key and is designed for users facing targeted phishing.
Bottom line. There was no attachment or malware payload here. The attack was the link itself. The goal was account takeover, not device infection. Refusing to follow the link breaks the attack.
Why this matters for the sector
This was not a crude scam. The email was sent through a real Gmail account and passed standard authentication checks, the fake page closely copied Google’s sign-in flow, and the kit bypassed code-based 2FA methods by relaying the code live. The practical takeaway is simple: SMS codes and authenticator-app codes are not enough for high-risk users. Move leadership and at-risk staff to passkeys or hardware security keys.
Please send similar suspicious emails or other suspected phishing attempts to RESIDENT.NGO at [email protected] ideally as screenshots and .eml files. If you clicked links in a similar email, contact your cybersecurity team as soon as possible.
Technical brief (for analysts and technical readers)
In one paragraph: the email link points at a compromised Ukrainian e-shop (`elki-lux.com.ua`, an OpenCart store with a PHP redirector dropped in its admin path) that issues an automatic HTTP 302 to a close clone of the Google sign-in page served from behind BunnyCDN. The clone streams every field the victim types over a WebSocket (`wss://account-emails-verification.cc.cd/ws`) to an AiTM backend that uses them to log in to the real account in real time. The CDN was meant to hide the backend, but we pivoted on the TLS certificate names in Censys.io and pulled the true origin out: `45.194.44.44` (Datagear LLP, AS200758, Warsaw/PL), confirmed by a direct TLS handshake returning `CN=account.check-profile.digital` and exposing the WS backend ports (3001/3002). The kit showed no CAPTCHA and made no attempt to cloak, fingerprint, or hide from analysis — it served its payload to us as readily as to a victim.
Attack type: AiTM real-time credential + OTP relay leading to Google account takeover.
Targeting: real recipient hidden in Bcc (`To: undisclosed-recipients`), so recipient count is unknown; the actual target is a senior Belarusian opposition figure, consistent with UNC1151 victimology. The template contains Polish-locale leftovers (`lang=pl`, `loc=PL&hl=pl`, `"Wypróbuj inny sposób"`).
Attribution
Google Threat Intelligence matched `check-profile[.]digital` to UNC1151. That association appeared in GTI on 2026-05-19, 10 days before this analysis. The domain was registered on 2026-05-18, 11 days before the email observed here on 2026-05-29. *(Attribution rests on the Google Threat Intelligence domain match; the technical evidence is consistent with UNC1151 but does not independently prove the actor.)*
Sender (passed authentication legitimately): sent from a real Gmail account, so SPF/DKIM/DMARC all pass — no domain spoofing. Display name `Асcount Supрort` uses Cyrillic homoglyphs. Recipient was in Bcc (redacted).
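The sender-side red flags above (mixed-script display name, genuine freemail sender, urgency text, link into a third-party site) expressed as a triage check over an `.eml`, as an added example that is not code from the report: the sample message is constructed to mirror the shape of the observed email and is not the original `.eml`, and the brand and freemail domain lists are assumptions.

```python
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample shaped like the reported email (not the actual .eml): homoglyph
# display name, genuine gmail.com sender, urgency text, link into a third-party site.
SAMPLE_EML = (
    'From: "\u0410\u0441count Sup\u0440ort" <email.profile.team@gmail.com>\n'
    "To: undisclosed-recipients:;\n"
    "Subject: Verify your account\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    "<html><body><p>Your account will be deleted within 24 hours.</p>"
    '<a href="https://elki-lux.com.ua/admin/model/localisation/general-header.php">'
    "Verify</a></body></html>\n"
)

BRAND_DOMAINS = ("google.com",)   # assumption: where genuine Google links should point
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # assumption: consumer mailboxes

def scripts_in(text):
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "?").split(" ")[0] for c in text if c.isalpha()}

def in_brand(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def assess(raw_eml):
    """Return the list of red flags this message raises (empty list = none found)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    html = msg.get_body(preferencelist=("html",)).get_content()
    findings = []
    if len(scripts_in(name)) > 1:                      # Latin + Cyrillic = homoglyph name
        findings.append("display name mixes scripts (homoglyphs): " + repr(name))
    if sender_domain in FREEMAIL_DOMAINS:              # the address, not the name, is the truth
        findings.append("sender is a consumer freemail address, not a brand domain: " + addr)
    if re.search(r"24 hours|deleted|suspicious activity", html, re.I):
        findings.append("urgency/threat language in body")
    hosts = (urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', html))
    offsite = [h for h in hosts if h and not in_brand(h)]
    if offsite:
        findings.append("links leave the brand's domains: " + ", ".join(offsite))
    return findings

if __name__ == "__main__":
    for flag in assess(SAMPLE_EML):
        print("FLAG:", flag)
```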
Kill chain (server-side 302 → clone → WebSocket exfil):

Redirector: legitimate Ukrainian e-shop “ЯЛИНКИ-ЛЮКС” on OpenCart, compromised; PHP redirector dropped in the admin path. The shop owner is also a victim. `nginx/1.12.2`, `PHP/5.6.32`, FreeHost.UA (`185[.]13[.]5[.]49`, AS42331).
Landing: pixel-perfect Google verification clone, Russian render locale, original `jsaction` attributes copied. Fronted by BunnyCDN (pull-zone `5900791`), origin hidden.
Kit: inline JS class `SimpleGoogleLogin`, `const VPS_WS_URL = "wss://account-emails-verification[.]cc[.]cd/ws"`. Captured fields: `email, password, captchaKey, verificationCode (2FA), userId, operationId, proxy`. The `proxy` field suggests the backend can log in from the victim’s geography. Flow: email → password → 2FA code.
Live WS capture (read-only, client_info only): server replied `{"type":"status","userId":"8b879574464b4844","status":"waiting"}`.
Origin deanonymization (Censys.io pivot on `host.services.cert.names`):
BunnyCDN-hidden origin found at `45[.]194[.]44[.]44` — Datagear LLP, AS200758, Warsaw/PL, Ubuntu 22.04 (OpenSSH 8.9p1) + Nginx 1.18.0. Confirmed by direct TLS handshake: cert `CN=account[.]check-profile[.]digital`.
Ports: `22` (SSH), `443` (landing origin), `3001` (`426 Upgrade Required` — likely WS backend), `3002` (body `"VPS2 endpoint only for WebSocket"`).
Hosting & design: the origin IP block (DATAGEAR LLP, `45.194.44.0/24`) is registered to a UK LLP.
Indicators of Compromise
| Type | Indicator |
|---|---|
| Sender | email[.]profile[.]team@gmail[.]com · display «Асcount Supрort» (homoglyphs) · decoy leftover ramotowski09@gmail[.]com (kit template artifact) |
| Domain | check-profile[.]digital · account[.]check-profile[.]digital (landing) |
| Domain (C2) | account-emails-verification[.]cc[.]cd |
| Domain | elki-lux[.]com[.]ua (hacked redirector) |
| URL | hxxps://elki-lux[.]com[.]ua/admin/model/localisation/general-header.php |
| URL | hxxps://account[.]check-profile[.]digital/Verify |
| WS C2 | wss://account-emails-verification[.]cc[.]cd/ws |
| IP (origin) | 45[.]194[.]44[.]44 — Datagear LLP, AS200758, Warsaw/PL |
| IP (redirector) | 185[.]13[.]5[.]49 — FreeHost.UA, AS42331, UA |
| IP (CDN edge) | 169[.]150[.]202[.]210 (landing) · 185[.]111[.]111[.]155/156/157 (WS C2) — BunnyCDN, shared, not unique IOCs |
| TLS | wildcard *[.]check-profile[.]digital, issued 2026-05-18 (registration day) |
| Origin cert FP | 4b80681cd444cf9679d7e4d715489f6ddbe4580a9d110bd1952e54e8193afefd (45[.]194[.]44[.]44:443) |
| SSH host key | 62f47fd11a946c02658e8ba0874b35d8b2f233c89c952020ccce2431084958f0 |
| Kit marker | JS class SimpleGoogleLogin · const VPS_WS_URL · operator body “VPS2 endpoint only for WebSocket” |
| Kit locale | lang=pl, loc=PL&hl=pl, “Wypróbuj inny sposób” |
| BunnyCDN | pull-zones 5900791 (landing), 5876983 (WS C2) |
| Attachments | none (link-only attack) |