A newly discovered command-and-control (C2) platform, Matrix Push C2, is being leveraged by malicious actors to carry out phishing attacks using browser notifications. This technique tricks targets into allowing browser notifications via social engineering on compromised or malicious websites. Once permission is granted, the attackers use the web push mechanism to send alerts that mimic those from the operating system or the browser itself, using familiar logos and convincing language to maintain credibility. These alerts typically warn of things like suspicious logins or required browser updates, presenting a button that redirects the victim to a bogus site when clicked. This approach is highly effective because the entire attack chain unfolds within the browser, bypassing the need for initial system infection and thereby circumventing many traditional security controls.
What makes this method particularly powerful is its cross-platform nature, functioning on any system with a browser application that has subscribed to the malicious notifications. This establishes a persistent communication channel for adversaries. Furthermore, Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit, available to other threat actors through crimeware channels like Telegram and cybercrime forums. It is sold via a tiered subscription model, with costs ranging from approximately $150 for one month up to $1,500 for a full year, with payments accepted in cryptocurrency. First observed at the beginning of October, the platform shows no evidence of older infrastructure, suggesting it is a newly launched, dedicated kit.
The tool provides users with a web-based dashboard for orchestrating attacks, enabling them to send notifications, monitor victims in real-time, track notification interactions, and even record installed browser extensions, including cryptocurrency wallets. The core of the platform relies heavily on social engineering, offering configurable templates to maximize the believability of its fake messages. Attackers can easily customize their phishing notifications and landing pages to impersonate well-known companies and services. Supported notification templates include those for brands like MetaMask, Netflix, Cloudflare, PayPal, and TikTok, enhancing the credibility of the ruse.
The developers of Matrix Push C2 note that it represents a shift in how attackers gain initial access to systems. Once a user’s device is compromised in this way, the attacker can gradually escalate the attack. This may involve delivering additional phishing messages to steal credentials, manipulating the user into installing more persistent malware, or exploiting browser vulnerabilities to gain deeper system control. The ultimate goal is often data theft and monetization, such as draining cryptocurrency wallets or exfiltrating personal information. This development coincides with reports of a significant increase in attacks weaponizing the legitimate digital forensics and incident response (DFIR) tool, Velociraptor.
In a related incident on November 12, 2025, a cybersecurity vendor observed threat actors deploying Velociraptor after exploiting a flaw in Windows Server Update Services (CVE-2025-59287). The attackers subsequently launched discovery queries to conduct reconnaissance and gather details about users and system configurations, though the attack was contained before further progression. This discovery underscores that threat actors are not only developing custom C2 frameworks but are also increasingly co-opting readily available, dual-use offensive cybersecurity and incident response tools for their malicious campaigns. Experts predict that Velociraptor is unlikely to be the last such open-source tool to be weaponized in this manner.
Reference:
