“New Matrix Push C2 Phishing Framework Uses Browser Notifications”

A new command-and-control (C2) platform called Matrix Push C2 is being used by bad actors to distribute malicious links through browser notifications. This fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems.

To spread the attacks, attackers trick users into allowing browser notifications on malicious or legitimate-but-compromised websites through social engineering tactics. Once a user agrees, attackers send alerts that look like they come from the operating system or browser itself, using trusted branding and language to maintain credibility.

This technique is clever because it bypasses traditional security controls: the victim, by granting the notification permission, compromises their own system. The entire process takes place in the browser, making it a cross-platform threat that can affect any browser on any platform that is subscribed to the malicious notifications.
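A defender-side check for the precondition described above, as an added example that is not from the original article: it lists the origins a Chromium-based browser profile has allowed to send notifications and flags any that are not on an allowlist. The Preferences JSON layout used here is an assumption about Chromium's internal on-disk format (it can change between versions), and the allowlist and sample origins are constructed.

```python
import json

ALLOW, BLOCK = 1, 2  # Chromium content-setting values: 1 = allow, 2 = block

# Hypothetical allowlist: origins the organisation expects to send notifications.
EXPECTED_ORIGINS = {"https://mail.example.com:443"}

# Constructed sample of the relevant part of a profile's Preferences file.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://mail.example.com:443,*": {"last_modified": "0", "setting": 1},
  "https://free-video-player.example:443,*": {"last_modified": "0", "setting": 1},
  "https://news.example.org:443,*": {"last_modified": "0", "setting": 2}
}}}}}
""")


def notification_grants(prefs: dict) -> dict:
    """Return {origin: setting} for every per-site notification decision."""
    node = prefs
    for key in ("profile", "content_settings", "exceptions", "notifications"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    grants = {}
    for pattern, entry in node.items():
        # Keys look like "https://site:443,*" (primary pattern, secondary pattern).
        origin = pattern.split(",", 1)[0]
        grants[origin] = entry.get("setting") if isinstance(entry, dict) else None
    return grants


def unexpected_allows(prefs: dict, expected=frozenset(EXPECTED_ORIGINS)) -> list:
    """Origins allowed to push notifications that are not on the allowlist."""
    return sorted(origin for origin, setting in notification_grants(prefs).items()
                  if setting == ALLOW and origin not in expected)


def audit_file(path: str) -> list:
    """Run the same check against a Preferences file copied from an endpoint."""
    with open(path, encoding="utf-8") as fh:
        return unexpected_allows(json.load(fh))


if __name__ == "__main__":
    for origin in unexpected_allows(SAMPLE_PREFS):
        print("review notification grant:", origin)
```

Each flagged origin is a subscription that can deliver alerts to that browser until the permission is revoked in site settings or overridden by enterprise policy.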

Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit, with prices starting at $150 for one month and up to $1,500 for a year. The tool allows users to send notifications, track victims in real-time, create shortened links, and record installed browser extensions.

The core of the attack relies on social engineering and configurable templates that maximize the credibility of fake messages. Attackers can theme their phishing notifications and landing pages to impersonate well-known companies and services.

This new threat highlights a shift in how attackers gain initial access and exploit users. Once a user’s endpoint is compromised, attackers can escalate the attack by delivering additional phishing messages or leveraging browser exploits for deeper control. The end goal often involves stealing data or monetizing access, such as draining cryptocurrency wallets or exfiltrating personal information.

Meanwhile, Huntress has observed a significant uptick in attacks using the legitimate Velociraptor digital forensics and incident response tool over the past three months. Threat actors deployed Velociraptor after exploiting a flaw in Windows Server Update Services (CVE-2025-59287).

Source: https://thehackernews.com/2025/11/matrix-push-c2-uses-browser.html