Matrix Push C2: New Subscription Service Fuels Fileless Browser Push Notification Phishing
A new scheme for distributing malicious links through browser push notifications is rapidly gaining traction and drawing the attention of security specialists. It is built upon the Matrix Push C2 platform, designed to covertly control compromised browsers and deliver phishing messages without requiring the installation of malicious files.
According to researchers at BlackFog, the method hinges on persuading the victim to grant notification permissions to a spoofed website. To achieve this, attackers employ deceptive prompts embedded in infected or compromised sites. Once permission is granted, the adversaries begin sending web-push messages crafted to resemble legitimate system alerts or native browser warnings.
The attackers style these notifications to appear familiar, using the logos and visual language of well-known services. The messages typically include buttons such as “Verify” or “Update,” which redirect the user to fraudulent pages.
The defining feature of this operation is that the entire attack unfolds inside the browser: no executable is downloaded, so there is nothing on disk for file-based scanning to catch, and the technique works the same on any operating system whose browser supports web push. The notification permission is granted per site and persists until the user or an administrator revokes it, so every browser that has accepted the prompt remains a reachable client the operators can message at will. That standing channel is what gives the attackers persistence and a foothold from which to escalate the intrusion.
Matrix Push C2 is marketed as a service and sold through criminal channels, including Telegram. Offered on a subscription basis, it provides a web dashboard that enables the distribution of notifications, tracks victim interactions, generates shortened links, and logs installed extensions — including cryptocurrency wallets.
Brenda Robb of BlackFog notes that the platform includes prebuilt templates designed to mimic the interfaces of prominent services. Examples include variants styled after MetaMask, Netflix, Cloudflare, PayPal, and TikTok. A dedicated dashboard section allows attackers to measure the effectiveness of their campaigns and refine them.
Dr. Darren Williams of BlackFog reports that the service emerged only in early October, with no traces of earlier versions — a sign of its recent introduction. The report warns that once attackers gain control over a browser, they can escalate their efforts, ranging from credential theft to coercing the user into installing persistent malware. The ultimate goal is typically access to data or financial gain, such as draining cryptocurrency wallets or stealing sensitive personal information.
Matrix Push C2 illustrates a shift in initial-compromise tactics: social engineering now takes precedence, and the browser has become a universal conduit for intrusion and expanded control.