Cyber Web Spider Blog – News

Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks

Posted on November 22, 2025 By CWS

Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links via a new command-and-control (C2) platform called Matrix Push C2.
“This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems,” Blackfog researcher Brenda Robb said in a Thursday report.
In these attacks, prospective targets are tricked into allowing browser notifications through social engineering on malicious or legitimate-but-compromised websites.
Once a user agrees to receive notifications from the site, the attackers use the web push notification mechanism built into the web browser to send alerts that look like they have been sent by the operating system or the browser itself, leveraging trusted branding, familiar logos, and convincing language to maintain the ruse.
These include alerts about, say, suspicious logins or browser updates, along with a handy “Verify” or “Update” button that, when clicked, takes the victim to a bogus site.
What makes this a clever technique is that the entire process takes place through the browser without the need for first infecting the victim’s system through some other means. In a way, the attack is like ClickFix in that users are lured into following certain instructions to compromise their own systems, thereby effectively bypassing traditional security controls.

That’s not all. Since the attack plays out via the web browser, it’s also a cross-platform threat. This effectively turns any browser application on any platform that subscribes to the malicious notifications into a client enlisted in the pool, giving adversaries a persistent communication channel.
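For defenders, the persistent channel described above exists in the browser profile as a per-site notification grant. The following is an added example (not from the article or BlackFog's report) that lists those grants from a Chromium `Preferences` file. The key path, the `setting` values and the 1601-based `last_modified` timestamp are assumptions about Chromium's on-disk layout, and the sample origins are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a Chromium profile "Preferences" file, trimmed to the
# relevant subtree. Origins and timestamps are made up for illustration.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {"last_modified": "13380000000000000", "setting": 1},
        "https://updates.example.net:443,*": {"last_modified": "13406000000000000", "setting": 1},
        "https://ads.example.org:443,*": {"last_modified": "13405000000000000", "setting": 2},
    }}}}
})

ALLOW = 1  # assumed Chromium content-setting value for "allow"; 2 is "block"
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    """Convert a microseconds-since-1601 timestamp (as stored by Chromium) to UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(microseconds))


def granted_notification_origins(preferences_text, since=None):
    """Return [(origin, granted_at)] for sites allowed to send notifications.

    `since` optionally limits results to grants made at or after that time,
    which helps when triaging around a suspected phishing click.
    """
    prefs = json.loads(preferences_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    results = []
    for pattern, meta in entries.items():
        if meta.get("setting") != ALLOW:
            continue  # blocked or default entries cannot deliver push alerts
        origin = pattern.split(",", 1)[0]  # drop the ",*" secondary pattern
        granted_at = webkit_to_datetime(meta.get("last_modified", "0"))
        if since is None or granted_at >= since:
            results.append((origin, granted_at))
    # Newest grants first: recent, unfamiliar origins deserve the first look.
    return sorted(results, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for origin, when in granted_notification_origins(SAMPLE_PREFERENCES):
        print(f"{when:%Y-%m-%d %H:%M} UTC  {origin}")
```

Revoking an unexpected grant in the browser's site settings ends that origin's ability to push alerts to the profile.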
Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit to other threat actors. It’s sold directly through crimeware channels, typically via Telegram and cybercrime forums, under a tiered subscription model: about $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year.
“Payments are accepted in cryptocurrency, and buyers communicate directly with the operator for access,” Dr. Darren Williams, founder and CEO of BlackFog, told The Hacker News. “Matrix Push was first observed at the beginning of October and has been active since then. There’s no evidence of older versions, earlier branding, or long-standing infrastructure. Everything indicates this is a newly launched kit.”
The tool is accessible as a web-based dashboard, allowing users to send notifications, track each victim in real-time, determine which notifications the victims interacted with, create shortened links using a built-in URL shortening service, and even record installed browser extensions, including cryptocurrency wallets.
“The core of the attack is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximize the credibility of its fake messages,” Robb explained. “Attackers can easily theme their phishing notifications and landing pages to impersonate well-known companies and services.”
Some of the supported notification verification templates are associated with well-known brands like MetaMask, Netflix, Cloudflare, PayPal, and TikTok. The platform also includes an “Analytics & Reports” section that allows its customers to measure the effectiveness of their campaigns and refine them as required.

“Matrix Push C2 shows us a shift in how attackers gain initial access and attempt to exploit users,” BlackFog said. “Once a user’s endpoint (computer or mobile device) is under this kind of influence, the attacker can gradually escalate the attack.”
“They might deliver additional phishing messages to steal credentials, trick the user into installing a more persistent malware, or even leverage browser exploits to get deeper control of the system. Ultimately, the end goal is often to steal data or monetize the access, for example, by draining cryptocurrency wallets or exfiltrating personal information.”
Attacks Misusing Velociraptor on the Rise
The development comes as Huntress said it observed a “significant uptick” in attacks weaponizing the legitimate Velociraptor digital forensics and incident response (DFIR) tool over the past three months.

On November 12, 2025, the cybersecurity vendor said threat actors deployed Velociraptor after obtaining initial access through exploitation of a flaw in Windows Server Update Services (CVE-2025-59287, CVSS score: 9.8), which was patched by Microsoft late last month.
Subsequently, the attackers are said to have launched discovery queries with the goal of conducting reconnaissance and gathering details about users, running services, and configurations. The attack was contained before it could progress further, Huntress added.
The discovery shows that threat actors are not just using custom C2 frameworks, but are also employing readily available offensive cybersecurity and incident response tools to their advantage.
“We’ve seen threat actors use legitimate tools long enough to know that Velociraptor won’t be the first dual-use, open-source tool that will pop up in attacks – nor will it be the last,” Huntress researchers said.
