Cetus Protocol Breach, DragonForce Supply Attack, MATLAB Ransomware Disruption – Cybersecurity News [May 26, 2025]
We’re back with the week’s cybersecurity round-up of a mix of high-stakes breaches, targeted malware campaigns, and growing concerns around supply chain vulnerabilities. Each of these incidents highlights different tactics attackers are using to exploit trust, access, and visibility. Read on for all the details.
$223 Million Stolen in Cetus Protocol Crypto Breach
Hackers have stolen $223 million from Cetus Protocol, a decentralized exchange running on the Sui and Aptos blockchains.
In response, the team has offered a whitehat deal, promising no legal action if the stolen funds are returned, and is also offering a $5 million bounty for information leading to the attacker’s arrest. The breach prompted Cetus Protocol to temporarily pause its smart contract functionality for the investigation. The team later confirmed the incident and reported that $162 million of the stolen funds were successfully frozen. Cetus Protocol uses a Concentrated Liquidity Market Maker model, allowing users to optimize trades within set price ranges.
Apparently, the attacker exploited a vulnerability in a software package, but no technical specifics were shared. The team did patch the issue and notified other developers to prevent further damage. They’ve also identified the hacker’s Ethereum wallet and are coordinating with law enforcement and third parties to track the stolen assets.
Cetus continues working to recover the remaining funds and urges anyone with relevant information to come forward. They advise users to stay cautious and watch for updates as investigations continue.
DragonForce Ransomware Exploits SimpleHelp in MSP Supply Chain Attack
The DragonForce ransomware group recently compromised a Managed Service Provider (MSP) by exploiting its use of the SimpleHelp remote management platform.
The threat actors were able to breach customer systems, extract data, and deploy ransomware. Researchers at Sophos analyzed the breach and reported that the threat actors took advantage of unpatched vulnerabilities in SimpleHelp. After gaining access to the MSP's environment, they collected device names, user details, configuration settings, and network data from customer systems. The next phase of the attack included data exfiltration attempts and ransomware deployment across those customer systems. Sophos' endpoint protection stopped the operation on one network; several other organizations, however, experienced data theft and encryption as part of a double-extortion strategy. The indicators of compromise (IOCs) in Sophos' report can help other security teams identify similar activity.
Organizations using remote monitoring and management (RMM) tools should apply security patches without delay. Closely monitoring system behavior will also go a long way.
MATLAB Developer Confirms Ransomware Behind Recent Service Disruption
This week, MathWorks confirmed that a ransomware attack is the cause of the ongoing service outage affecting several of its online platforms.
The organization is known for its MATLAB and Simulink products used by millions worldwide. They disclosed the attack on the official status page, sharing that federal law enforcement has been notified, and the breach has disrupted key services such as the cloud center, file exchange, license center, and MathWorks store.
Although some services have since been restored—including multi-factor authentication and Single Sign-On (SSO)—people are still facing issues. These include problems creating new accounts and login failures for those who haven’t signed in since 2024. The organization hasn’t released details about the ransomware group responsible or whether any data was compromised. Plus, no threat actor has claimed responsibility so far, raising questions about a possible ransom payment or ongoing negotiations.
It’s best to monitor the official status page and ensure account security with updated credentials.
Adidas Alerts Users to Data Breach via Customer Service Vendor Hack
Adidas also confirmed a data breach linked to one of its customer service providers, stating that an unauthorized party accessed consumer data.
Adidas stressed that the breach did not involve any financial or password-related information, but the attackers did gain access to limited customer details, such as contact information, through the third-party provider. Once it became aware of the incident, the company began an internal investigation and brought in cybersecurity experts. Adidas also informed relevant authorities and began notifying individuals whose data may have been exposed.
The scope of the breach, such as how many people were affected or whether Adidas’s own systems were compromised, is not clear as Adidas has yet to disclose the service provider involved.
At present, Adidas is continuing its investigation and advising impacted customers individually. Users are encouraged to stay alert for suspicious messages or activities and to contact Adidas support if they have concerns.
Malicious Zenmap and WinMTR Clones Target IT Teams with Bumblebee Malware
A new malware campaign involving the Bumblebee loader is targeting IT professionals by posing as trusted network tools. The attackers have expanded their strategy beyond RVTools and are now using lookalike websites for other widely used utilities, such as Zenmap and WinMTR, to spread malware.
The malicious campaign leverages SEO poisoning to rank fake domains—zenmap[.]pro and winmtr[.]org—high on Google and Bing search results. These websites mimic legitimate tools used by IT staff to manage or diagnose network issues, many of which require admin access, making them high-value targets. When users land on zenmap[.]pro via search results, they’re shown a cloned version of the official Nmap site, prompting downloads like ‘zenmap-7.97.msi’ and ‘WinMTR.msi’.
These installers contain the actual tools but are bundled with a malicious DLL that drops the Bumblebee loader. Once installed, it can deploy further malware, such as info-stealers or ransomware. Additional fake installers have been linked to software like Hanwha’s WisenetViewer and Milestone XProtect, served through milestonesys[.]org, another spoofed domain. The legitimate RVTools sites remain offline after facing DDoS attacks.
Users are urged to download software only from verified sources and confirm file hashes before installation. This helps avoid falling victim to tampered installers designed to bypass antivirus detection.
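The hash check recommended above, as an added example that is not code from the article or from any of the vendors it names. It streams a downloaded installer through SHA-256 and compares the result against the digest the vendor publishes on its official download page (a constructed value here; the sample "installer" is written to a temporary directory so the script runs offline). A tampered copy, such as one with a bundled DLL appended, fails the check even when the installer still contains the real tool:

```python
"""Verify a downloaded installer against a vendor-published SHA-256 before installing it.

Added example, not code from the original article or from any vendor named in it.
Assumption: the vendor publishes a SHA-256 hex digest on its official site; the
sample file and its digest below are constructed so the script runs offline.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so large MSI installers never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path: str, published_hex: str) -> bool:
    """Return True only when the file's SHA-256 equals the published digest.

    Whitespace and letter case in a copied hash are normalised first; an input that
    is not a 64-character hex string is rejected rather than silently failing the
    comparison. hmac.compare_digest keeps the comparison constant-time.
    """
    expected = published_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published hash is not a 64-character SHA-256 hex digest")
    return hmac.compare_digest(sha256_of_file(path), expected)


# Constructed stand-in for an installer: the bytes b"hello" and their SHA-256.
SAMPLE_CONTENT = b"hello"
SAMPLE_PUBLISHED_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def demo() -> dict:
    """Write the constructed sample to a temp dir and check a genuine and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "tool-setup.msi")
        with open(good, "wb") as f:
            f.write(SAMPLE_CONTENT)
        tampered = os.path.join(tmp, "tool-setup-tampered.msi")
        with open(tampered, "wb") as f:
            # One extra byte stands in for a bundled payload added to an otherwise real installer.
            f.write(SAMPLE_CONTENT + b"\x00")
        return {
            "good_matches": verify_installer(good, SAMPLE_PUBLISHED_SHA256),
            "good_matches_uppercase": verify_installer(good, SAMPLE_PUBLISHED_SHA256.upper()),
            "tampered_matches": verify_installer(tampered, SAMPLE_PUBLISHED_SHA256),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On Windows the same comparison can be done without a script using the built-in `Get-FileHash` cmdlet; whichever tool is used, the published digest must come from the vendor's own site rather than from the page that served the download, since a cloned site can publish a matching hash for its own tampered file.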