Dangerous actors are leveraging browser notifications as a vector for phishing assaults to distribute malicious hyperlinks by the use of a brand new command-and-control (C2) platform known as Matrix Push C2.
“This browser-native, fileless framework leverages push notifications, pretend alerts, and hyperlink redirects to focus on victims throughout working programs,” Blackfog researcher Brenda Robb stated in a Thursday report.
In these assaults, potential targets are tricked into permitting browser notifications by social engineering on malicious or legitimate-but-compromised web sites.
As soon as a consumer agrees to obtain notifications from the positioning, the attackers reap the benefits of the internet push notification mechanism constructed into the online browser to ship alerts that seem like they’ve been despatched by the working system or the browser itself, leveraging trusted branding, acquainted logos, and convincing language to keep up the ruse.
These embody alerts about, say, suspicious logins or browser updates, together with a useful “Confirm” or “Replace” button that, when clicked, takes the sufferer to a bogus website.
What makes this a intelligent method is that all the course of takes place by the browser with out the necessity for first infecting the sufferer’s system by another means. In a method, the assault is like ClickFix in that customers are lured into following sure directions to compromise their very own programs, thereby successfully bypassing conventional safety controls.
That is not all. For the reason that assault performs out by way of the online browser, it is also a cross-platform menace. This successfully turns any browser utility on any platform that subscribes to the malicious notifications to be enlisted to the pool of shoppers, giving adversaries a persistent communication channel.
Matrix Push C2 is obtainable as a malware-as-a-service (MaaS) equipment to different menace actors. It is offered straight by crimeware channels, usually by way of Telegram and cybercrime boards, below a tiered subscription mannequin: about $150 for one month, $405 for 3 months, $765 for six months, and $1,500 for a full yr.
“Funds are accepted in cryptocurrency, and consumers talk straight with the operator for entry,” Dr. Darren Williams, founder and CEO of BlackFog, informed The Hacker Information. “Matrix Push was first noticed in the beginning of October and has been energetic since then. There isn’t any proof of older variations, earlier branding, or long-standing infrastructure. Every little thing signifies this can be a newly launched equipment.”
The device is accessible as a web-based dashboard, permitting customers to ship notifications, observe every sufferer in real-time, decide which notifications the victims interacted with, create shortened hyperlinks utilizing a built-in URL shortening service, and even report put in browser extensions, together with cryptocurrency wallets.
“The core of the assault is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximise the credibility of its pretend messages,” Robb defined. “Attackers can simply theme their phishing notifications and touchdown pages to impersonate well-known firms and companies.”
A number of the supported notification verification templates are related to well-known manufacturers like MetaMask, Netflix, Cloudflare, PayPal, and TikTok. The platform additionally consists of an “Analytics & Reviews” part that permits its prospects to measure the effectiveness of their campaigns and refine them as required.
“Matrix Push C2 exhibits us a shift in how attackers acquire preliminary entry and try to use customers,” BlackFog stated. “As soon as a consumer’s endpoint (laptop or cellular machine) is below this sort of affect, the attacker can regularly escalate the assault.”
“They may ship extra phishing messages to steal credentials, trick the consumer into putting in a extra persistent malware, and even leverage browser exploits to get deeper management of the system. Finally, the top objective is usually to steal knowledge or monetize the entry, for instance, by draining cryptocurrency wallets or exfiltrating private data.”
Assaults Misusing Velociraptor on the Rise
The event comes as Huntress stated it noticed a “important uptick” in assaults weaponizing the respectable Velociraptor digital forensics and incident response (DFIR) device over the previous three months.
On November 12, 2025, the cybersecurity vendor stated menace actors deployed Velociraptor after acquiring preliminary entry by exploitation of a flaw in Home windows Server Replace Companies (CVE-2025-59287, CVSS rating: 9.8), which was patched by Microsoft late final month.
Subsequently, the attackers are stated to have launched discovery queries with the objective of conducting reconnaissance and gathering particulars about customers, operating companies, and configurations. The assault was contained earlier than it might progress additional, Huntress added.
The invention exhibits that menace actors will not be simply utilizing customized C2 frameworks, however are additionally using available offensive cybersecurity and incident response instruments to their benefit.
“We have seen menace actors use respectable instruments lengthy sufficient to know that Velociraptor will not be the primary dual-use, open-source device that can pop up in assaults – nor will it’s the final,” Huntress researchers stated.
