Belarusian Hackers Target Yury Hubarevich with Sophisticated Phishing Attack

Severity: High (Score: 77.0)

Sources: resident.ngo, Reform.News

Published: 2026-06-05 · Updated: 2026-06-05

Keywords: phishing, account, belarus, target, google, yury, hubarevich

Summary

On May 29, 2026, Yury Hubarevich, a prominent Belarusian politician, was targeted in a phishing attack linked to the Belarusian espionage group UNC1151. The attack involved an email disguised as a Google notification, claiming suspicious activity on his account and threatening deletion unless verified. Hubarevich recognized the phishing attempt and reported it to cybersecurity experts at RESIDENT.NGO. The phishing method utilized a compromised third-party website that redirected victims to a fake Google login page, capturing usernames, passwords, and real-time 2FA codes. Google Threat Intelligence confirmed the phishing domain's association with UNC1151, known for targeting opposition figures in Belarus and surrounding regions. The email passed standard authentication checks, making it a sophisticated attack. Hubarevich's account was not compromised due to his awareness of the threat. Experts recommend using FIDO2 security keys or passkeys to mitigate such phishing risks.

Key Points:

  • Yury Hubarevich was targeted in a sophisticated phishing attack linked to UNC1151.
  • The phishing email claimed account deletion unless verification was completed, exploiting urgency.
  • Real-time interception of 2FA codes makes traditional SMS and authenticator methods insufficient.

Detailed Analysis

**Impact** The targeted individual was Yury Hubarevich, a senior Belarusian political figure involved in opposition activities. The attack aimed to compromise his Google account, potentially exposing sensitive communications and access to digital resources linked to Belarusian democratic movements. No account compromise was confirmed, and the attack did not involve malware or broader infection. The incident reflects ongoing espionage efforts against Belarusian opposition and civil society actors.

**Technical Details** The attack used an adversary-in-the-middle (AiTM) phishing technique involving a phishing email sent from a legitimate Gmail account with a spoofed sender name using Cyrillic characters. The email contained a link redirecting through a compromised Ukrainian e-commerce site (`elki-lux.com.ua`) to a fake Google sign-in page hosted behind BunnyCDN, which streamed entered credentials and one-time 2FA codes in real time to the attacker’s backend infrastructure at IP `45.194.44.44` (Datagear LLP, Warsaw). The phishing domain `check-profile.digital` was attributed to UNC1151, a Belarus-linked espionage cluster associated with Ghostwriter activity. The attack bypassed SMS and authenticator-app 2FA but not FIDO2 or passkey-based methods.

**Recommended Response** At-risk users should transition from SMS and authenticator-app 2FA to phishing-resistant methods such as FIDO2 hardware security keys or passkeys. Security teams should block and monitor the identified infrastructure, including the domain `check-profile.digital`, IP `45.194.44.44`, and the compromised redirect site `elki-lux.com.ua`. Users must be trained to recognize phishing emails, especially those with suspicious sender names using homoglyphs. Suspicious emails should be reported to RESIDENT.NGO for further analysis.
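The sender-name check recommended above, as an added example that is not code from RESIDENT.NGO or the source reports: since the email came from a genuine Gmail account and passed standard authentication checks, the display name is the field left to inspect. The brand list, lookalike map, finding strings and sample headers are constructed assumptions.

```python
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption for this example: brands to protect and the domains they mail from.
BRAND_DOMAINS = {"google": ("google.com",)}

# Constructed, non-exhaustive map of Cyrillic letters that render like Latin ones.
LOOKALIKES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0455\u0458\u043a\u043c\u0442\u0432\u043d",
    "aeopcyxisjkmtbh")

def scripts_in(word):
    """Scripts (first word of the Unicode name, e.g. LATIN) of the letters in word."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in word if ch.isalpha()}

def skeleton(text):
    """Fold case and map Cyrillic lookalikes to Latin so spoofed spellings compare equal."""
    return unicodedata.normalize("NFKC", text).casefold().translate(LOOKALIKES)

def check_from_header(raw_from):
    """Return findings for one From: header value (RFC 2047 encoded or raw UTF-8)."""
    decoded = str(make_header(decode_header(raw_from)))
    display, addr = parseaddr(decoded)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for word in display.split():
        if {"LATIN", "CYRILLIC"} <= scripts_in(word):
            findings.append("mixed-script word " + ascii(word))
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in skeleton(display):
            continue
        if brand not in display.casefold():
            findings.append("homoglyph spelling of " + brand)
        if not any(domain == d or domain.endswith("." + d) for d in domains):
            findings.append(brand + " display name on " + domain)
    return findings

# Constructed samples; \u043e is CYRILLIC SMALL LETTER O.
SAMPLES = [
    "G\u043e\u043egle <sender@gmail.com>",          # spoofed name, raw UTF-8
    "=?UTF-8?B?R9C+0L5nbGU=?= <sender@gmail.com>",  # same name, RFC 2047 encoded
    "Google <no-reply@accounts.google.com>",        # legitimate pattern
    "\u042e\u0440\u0438\u0439 <user@example.org>",  # all-Cyrillic name, not a spoof
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ascii(s), "->", check_from_header(s))
```

A name written entirely in Cyrillic is not flagged; only Latin and Cyrillic letters mixed inside one word, or a protected brand spelled with lookalikes or sent from an unrelated domain, produce findings.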

Source articles (2)

  • Hackers Linked to Belarus Target Google Account of Yury Hubarevich — Reform.News · 2026-06-05
    Belarusian politician Yury Hubarevich, coordinator of the Personnel Reserve initiative, head of the For Freedom movement and a member of the Coordination Council of Belarus, became the target of a ph…
  • Targeted Gmail Phishing Suspicious Account Activity From Unc1151 Ghostwriter May 2026 — resident.ngo · 2026-06-05
    Prepared by: RESIDENT.NGO ThreatLab Incident Date: May 29, 2026 Publication Date: June 4, 2026 Verdict: Adversary-in-the-Middle (AiTM) phishing that steals Google usernames, passwords, and one-time 2F…

Timeline

  • 2026-05-29 — Yury Hubarevich targeted in phishing attack: Hubarevich received a phishing email disguised as a Google notification about suspicious account activity.
  • 2026-05-29 — Phishing email reported to cybersecurity experts: Hubarevich forwarded the suspicious email to RESIDENT.NGO, prompting an investigation.
  • 2026-06-04 — Incident analysis published by RESIDENT.NGO: The analysis confirmed the phishing method and linked the attack to UNC1151, detailing the real-time interception technique.

Related entities

  • Ghostwriter (Campaign)
  • Ghostwriter Operations (Campaign)
  • UNC1151 (APT Group)
  • Phishing (Attack Type)
  • Belarus (Country)
  • Germany (Country)
  • Poland (Country)
  • Ukraine (Country)
  • account-emails-verification.cc.cd (Domain)
  • censys.io (Domain)
  • elki-lux.com.ua (Domain)
  • freehost.ua (Domain)
  • 45.194.44.0 (IPv4)
  • 45.194.44.44 (IPv4)
  • T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
  • T1056 - Input Capture (MITRE ATT&CK)
  • T1071 - Application Layer Protocol (MITRE ATT&CK)
  • T1566.002 - Spearphishing Link (MITRE ATT&CK)
  • Gmail (Tool)
  • Nginx (Tool)
  • BunnyCDN (Tool)
  • Google (Company)
  • OpenCart (Platform)
  • PHP (Platform)