Cybercriminals are using a new command-and-control (C2) platform dubbed ‘Matrix Push C2’ to deliver malware and phishing attacks through everyday web browser features, according to a report from cybersecurity firm BlackFog.
The platform abuses legitimate browser push notification technology, normally used for website updates or alerts, to communicate directly with victims’ devices. Attackers first trick users into enabling notifications on malicious or compromised websites. Once the user approves the prompt, the browser effectively opens a persistent communication channel to the attacker, regardless of operating system.
Threat actors then send fake system alerts and error messages crafted to mimic trusted software or OS-level prompts. When victims click on the notifications, they are redirected to attacker-controlled pages hosting phishing schemes or malware downloads.
BlackFog describes the scheme as a fileless attack, since it operates through the browser’s own notification system rather than relying on an initial malware payload. Criminals control the campaign through a web-based dashboard that displays infected clients in real time, scans for cryptocurrency wallets, and provides analytics to track the success of each lure.
Matrix Push C2 also includes social engineering templates and short-link generation tools designed to make malicious notifications appear legitimate and evade security filters.
To mitigate the risk, organizations are advised to deploy anti–data exfiltration (ADX) solutions focused on monitoring and blocking suspicious outbound traffic.
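Because the channel described above exists only for sites where a user has approved notifications, defenders can also audit which origins hold that permission. The following is an added example, not taken from the report: it assumes the Chromium profile `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, where `setting` 1 means allow), and the sample data and the approved-domain list are constructed.

```python
import json
from urllib.parse import urlsplit

ALLOW = 1  # Chromium content-setting value for "allow" (2 is "block")

# Constructed sample of the relevant slice of a Chromium "Preferences" file.
SAMPLE_PREFERENCES = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.example.com:443,*": {"last_modified": "13370000000000000", "setting": 1},
        "https://free-video-player.example:443,*": {"last_modified": "13375000000000000", "setting": 1},
        "https://ads.example.net:443,*": {"last_modified": "13360000000000000", "setting": 2},
    }}}}})


def granted_notification_hosts(preferences_text):
    """Return the sorted hosts that are allowed to send push notifications."""
    node = json.loads(preferences_text)
    for key in ("profile", "content_settings", "exceptions", "notifications"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    hosts = set()
    for pattern, entry in (node.items() if isinstance(node, dict) else ()):
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue  # blocked or malformed entries grant nothing
        primary = pattern.split(",", 1)[0]  # key is "<origin>,<embedder pattern>"
        host = urlsplit(primary).hostname
        hosts.add((host or primary).lower())  # keep the raw pattern if unparsable
    return sorted(hosts)


def unapproved_hosts(hosts, approved_domains):
    """Return hosts that are neither an approved domain nor a subdomain of one."""
    def approved(host):
        return any(host == d or host.endswith("." + d) for d in approved_domains)
    return [h for h in hosts if not approved(h)]


if __name__ == "__main__":
    # Hypothetical allowlist; replace with the organization's own domains.
    for host in unapproved_hosts(granted_notification_hosts(SAMPLE_PREFERENCES),
                                 ["example.com"]):
        print("review notification grant:", host)
```

To run it against a real profile, pass the contents of that profile's `Preferences` file to `granted_notification_hosts` in place of the sample.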