---
title: "Augusta City’s Cyberattack: BlackByte’s Claim, Portuguese Banks’ Cyberattack, RomCom Malware Spreads – Cybersecurity News | Phish Protection"
description: "Augusta City’s Cyberattack: BlackByte’s Claim, Portuguese Banks’ Cyberattack, RomCom Malware Spreads – Cybersecurity News: Here is."
image: "https://phishprotection.com/og/blog/cybersecurity-updates-for-the-week-23-of-2023.png"
canonical: "https://phishprotection.com/blog/cybersecurity-updates-for-the-week-23-of-2023/"
---


Here is the weekly [cybersecurity](/content/cybersecurity-in-a-nutshell) bulletin highlighting the **latest developments** in [phishing protection](/).

### The City of Augusta Cyberattack Claimed by BlackByte Ransomware Gang

Augusta, Georgia, has fallen victim to a cyberattack that resulted in the city’s **IT system outage**. 

The unauthorized access to Augusta’s **governance network** caused disruptions and technical difficulties starting on May 21. While city officials did not disclose the exact nature of the attack, the BlackByte ransomware gang [claimed responsibility](https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-claims-city-of-augusta-cyberattack/) and identified Augusta as one of its targets.

As Georgia’s second-largest city with a population exceeding [611,000](https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-claims-city-of-augusta-cyberattack/), Augusta is now [working](https://www.augustaga.gov/CivicAlerts.aspx?AID=3122) to investigate the incident’s full impact and **restore the affected systems** promptly.

Augusta’s Information Technology Department is **diligently examining** the incident to assess the extent of the systems’ damage and restore full functionality.


### Cyberattack on 30 Portuguese Banks’ Credentials Linked to ‘Operation Magalenha’

> “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle

A group of [threat actors](/phishing-awareness/threat-actors-using-malicious-onenote-attachments-to-spread-malware-via-phishing-emails) from Brazil has been attacking thirty Portuguese government and private **financial organizations** since 2021.

The malicious campaign, known as ‘Operation Magalenha,’ was exposed by a [report](https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/) from Sentinel Labs. The malicious actors initiated the attack by sending **phishing emails** pretending to be from Portuguese organizations like EDP (Energias de Portugal) and the AT (Tax and Customs Authority). They also created **fake websites** to trick victims.

Once a victim’s system is infected, the threat actors gain control over it using [malware](/content/protection-against-malware/types-of-malware) called ‘PeepingTitle,’ which allows them to **monitor** the victim’s activities, steal credentials, and collect sensitive information.

Malicious actors have shown adaptability by switching tactics and using different [cloud service providers](https://www.securitymagazine.com/articles/99452-57-of-financial-organizations-use-multiple-cloud-service-providers) to **avoid detection**. This new campaign is no exception.

### Malicious RomCom Malware Spreads via Google Ads and Trojanized ChatGPT, GIMP, and More

A new campaign involving the RomCom malware has been discovered wherein the attackers use **fictitious websites** to deceive users into downloading and launching malicious installers.

Trend Micro has been monitoring RomCom since the summer of 2022 and declared that the threat actors behind the malware have increased their [evasion techniques](https://www.libraesva.com/what-is-an-evasion-technique/) by **encrypting** and obfuscating payloads.

With new and powerful commands to expand the malware’s capabilities, the adversaries use malicious websites in the campaign to **imitate** popular software applications such as GIMP, [ChatGPT](/phishing-awareness/the-power-of-chatgpt-how-chatgpt-is-changing-the-phishing-game), WinDirStat, and more.

These fake websites are promoted through **Google advertisements** and targeted phishing emails and come with a malware payload, which can execute various commands. _It enables the attackers to drop files, **exfiltrate data**, set up proxies, and install additional malware._

Trend Micro has [shared](https://www.trendmicro.com/en%5Fus/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html) the **severity** of the novel threat and provided IoCs (Indicators of Compromise) you can use to defend against RomCom attacks.

### Spyware Apps on Google Play Installed Over 421 Million Times 

A recently discovered Android malware, known as ‘**SpinOk**,’ has been found in multiple apps, some of which were previously available on Google Play and had a combined total of over 421 million downloads.

The spyware module, [identified](https://news.drweb.com/show/?i=14705&lng=en) by security researchers at Dr. Web, is designed to engage users with **mini-games** **and rewards** while secretly stealing and transmitting their private data to a remote server. To evade detection, the malware checks for **sandboxed environments** commonly used by researchers.

Once installed, it downloads **a list of URLs** for displaying the expected mini-games. The capabilities of this malware include listing and accessing files, uploading files from the device, and modifying the clipboard to **steal sensitive information** like passwords, credit card data, and cryptocurrency payments. 

Google removed most of these [malicious apps](https://thehackernews.com/2023/05/google-blocks-143-million-malicious.html) from the Play Store. Still, users are advised to **update or uninstall** any potentially compromised applications and scan their devices with mobile antivirus tools.

### New Hacking Forum Leaks Data of 478,000 RaidForums Members

The **online database** of the notorious malicious forum RaidForums has been leaked, providing insights into its users. 

_[RaidForums](https://www.bleepingcomputer.com/news/security/dutch-police-mails-raidforums-members-to-warn-theyre-being-watched/) was a **malicious portal** popular among malicious actors for hosting, selling, and leaking data stolen from breached organizations._ Threat actors who frequented the forum obtained customer data through website hacking or accessing exposed database servers, which they sold or spread for reputation-building.

After law enforcement [seized](https://www.bleepingcomputer.com/news/security/raidforums-hacking-forum-seized-by-police-owner-arrested/) RaidForums, users migrated to [Breached](https://www.bleepingcomputer.com/news/security/new-hacking-forum-leaks-data-of-478-000-raidforums-members/), but it was shut down following the **arrest of its founder**. A new forum called Exposed emerged as a replacement. Recently, an admin nicknamed ‘Impotent’ leaked the RaidForums member database, containing **registration details** of [478,870](https://www.bleepingcomputer.com/news/security/new-hacking-forum-leaks-data-of-478-000-raidforums-members/) users, including usernames, email addresses, hashed passwords, and registration dates.

Law enforcement likely already has the data, but the leak could be **valuable** for security researchers to profile malicious actors.


### Lazarus Threat Actors Target Windows IIS Web Servers for Initial Access

The Lazarus Group, a well-known **North Korean** state-backed [hacking group](https://www.bankinfosecurity.com/hacking-group-seen-mixing-cybercrime-cyberespionage-a-22257), has shifted its focus to target vulnerable Windows IIS (Internet Information Services) **web servers** to gain initial access to corporate networks. 

The Lazarus Group is primarily motivated by **financial gain**, with some experts believing that their activities help fund North Korea’s weapons development programs. The new tactic was [discovered](https://asec.ahnlab.com/en/53132/) by South Korean researchers at ASEC (AhnLab Security Emergency response Center).

Lazarus employs various techniques, including **exploiting vulnerabilities** and misconfigurations to create files on servers. They use legitimate files, such as ‘Wordconv.exe,’ to place [malicious codes](https://www.cbc.ca/news/canada/toronto/malicious-code-lcbo-1.6711953) like ‘msvcr100.dll’, evading antivirus detection. 

ASEC recommends monitoring for **abnormal process execution** to detect and prevent Lazarus Group activities.
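One way to turn that recommendation into a check, as an added example that is not from ASEC or this bulletin: it flags the ‘Wordconv.exe’ / ‘msvcr100.dll’ pairing named above when the host binary runs outside its install directory, is started by the IIS worker process, or loads the DLL from outside the system directories. The event field names, the trusted directories, and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumptions for this example: where these files are expected on the fleet.
TRUSTED_EXE_DIRS = {r"c:\program files\microsoft office\root\office16"}
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Host binary -> DLL it resolves by name (the pair named in the article).
WATCHED = {"wordconv.exe": "msvcr100.dll"}
WEB_WORKERS = {"w3wp.exe"}  # IIS worker process


def _dir(path):
    return ntpath.dirname(path).lower()


def _name(path):
    return ntpath.basename(path).lower()


def assess(event):
    """Return the list of findings for one process or image-load event."""
    findings = []
    host = _name(event["image"])
    if host not in WATCHED:
        return findings
    if event["type"] == "process_create":
        # A legitimate binary copied elsewhere is a common side-loading setup.
        if _dir(event["image"]) not in TRUSTED_EXE_DIRS:
            findings.append("host-binary-outside-install-dir")
        # Assumption: a web server worker has no reason to start this binary.
        if _name(event.get("parent", "")) in WEB_WORKERS:
            findings.append("spawned-by-web-worker")
    elif event["type"] == "image_load":
        dll = event["loaded"]
        if _name(dll) == WATCHED[host] and _dir(dll) not in TRUSTED_DLL_DIRS:
            findings.append("dll-loaded-from-untrusted-dir")
    return findings


def scan(events):
    """Flatten findings into (image path, finding) pairs for triage."""
    return [(e["image"], f) for e in events for f in assess(e)]


# Constructed sample events (not real telemetry).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe"
STAGED = r"C:\Users\Public\staging\Wordconv.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": OFFICE,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process_create", "image": STAGED,
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "image_load", "image": STAGED,
     "loaded": r"C:\Users\Public\staging\msvcr100.dll"},
    {"type": "image_load", "image": OFFICE,
     "loaded": r"C:\Windows\System32\msvcr100.dll"},
]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{finding}: {image}")
```

The events are shaped so they can be filled from process-creation and image-load telemetry such as Sysmon event IDs 1 and 7; the trusted directory sets need to match the actual Office and runtime install paths in the environment.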


[ Brad Slavin ](/authors/brad-slavin/) 

