Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push C2.
“This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems,” BlackFog researcher Brenda Robb said in a Thursday report.
In these attacks, prospective targets are tricked into allowing browser notifications through social engineering on malicious or legitimate-but-compromised websites.
Once a user agrees to receive notifications from the site, the attackers take advantage of the web push notification mechanism built into the web browser to send alerts that look like they’ve been sent by the operating system or the browser itself, leveraging trusted branding, familiar logos, and convincing language to maintain the ruse.
These include alerts about, say, suspicious logins or browser updates, along with a handy “Verify” or “Update” button that, when clicked, takes the victim to a bogus site.
What makes this a clever technique is that the entire process takes place through the browser without the need for first infecting the victim’s system through some other means. In a way, the attack is like ClickFix in that users are lured into following certain instructions to compromise their own systems, thereby effectively bypassing traditional security controls.
That's not all. Since the attack plays out via the web browser, it's also a cross-platform threat. This essentially enlists any browser application on any platform that subscribes to the malicious notifications into the pool of clients, giving adversaries a persistent communication channel.
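Because the channel lasts for as long as the notification grant does, listing which origins a browser profile has granted is a direct check for this technique. The following is an added example, not taken from the BlackFog report: it assumes the Chromium profile `Preferences` layout (`profile.content_settings.exceptions.notifications`, where `"setting": 1` means allow), and the sample data and approved-host list are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Chromium profile "Preferences" file (not real data).
# Assumption: grants sit under profile.content_settings.exceptions.notifications,
# keyed "origin,*", with "setting": 1 meaning allow and 2 meaning block.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*":
            {"last_modified": "13370000000000000", "setting": 1},
        "https://free-stream.example.net:443,*":
            {"last_modified": "13375000000000000", "setting": 1},
        "https://ads.example.org:443,*":
            {"last_modified": "13360000000000000", "setting": 2},
    }}}}
})

ALLOW = 1
PATH = ("profile", "content_settings", "exceptions", "notifications")


def granted_notification_origins(preferences_text):
    """Return sorted origins the profile allows to send push notifications."""
    node = json.loads(preferences_text)
    for key in PATH:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    if not isinstance(node, dict):
        return []
    origins = []
    for pattern, entry in node.items():
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            # The key is "primary_pattern,secondary_pattern"; keep the origin.
            origins.append(pattern.split(",", 1)[0])
    return sorted(origins)


def unexpected_origins(preferences_text, approved_hosts):
    """Origins holding a notification grant whose host is not approved."""
    flagged = []
    for origin in granted_notification_origins(preferences_text):
        host = urlsplit(origin).hostname or ""
        if host not in approved_hosts:
            flagged.append(origin)
    return flagged


if __name__ == "__main__":
    # Hypothetical approved list; a real one would come from policy.
    for origin in unexpected_origins(SAMPLE_PREFERENCES, {"mail.example.com"}):
        print("review notification grant:", origin)
```

Revoking a flagged grant in the browser's site settings ends that origin's ability to deliver further notifications to the profile.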
Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit to other threat actors. It's sold directly through crimeware channels, typically via Telegram and cybercrime forums, under a tiered subscription model: about $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year.
“Payments are accepted in cryptocurrency, and buyers communicate directly with the operator for access,” Dr. Darren Williams, founder and CEO of BlackFog, told The Hacker News. “Matrix Push was first observed at the beginning of October and has been active since then. There's no evidence of older versions, earlier branding, or long-standing infrastructure. Everything indicates this is a newly launched kit.”
The tool is accessible as a web-based dashboard, allowing users to send notifications, track each victim in real-time, determine which notifications the victims interacted with, create shortened links using a built-in URL shortening service, and even record installed browser extensions, including cryptocurrency wallets.
“The core of the attack is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximize the credibility of its fake messages,” Robb explained. “Attackers can easily theme their phishing notifications and landing pages to impersonate well-known companies and services.”
Some of the supported notification verification templates are associated with well-known brands like MetaMask, Netflix, Cloudflare, PayPal, and TikTok. The platform also includes an “Analytics & Reports” section that allows its customers to measure the effectiveness of their campaigns and refine them as required.
“Matrix Push C2 shows us a shift in how attackers gain initial access and attempt to exploit users,” BlackFog said. “Once a user’s endpoint (computer or mobile device) is under this kind of influence, the attacker can gradually escalate the attack.”
“They might deliver additional phishing messages to steal credentials, trick the user into installing a more persistent malware, or even leverage browser exploits to get deeper control of the system. Ultimately, the end goal is often to steal data or monetize the access, for example, by draining cryptocurrency wallets or exfiltrating personal information.”
Attacks Misusing Velociraptor on the Rise
The development comes as Huntress said it observed a “significant uptick” in attacks weaponizing the legitimate Velociraptor digital forensics and incident response (DFIR) tool over the past three months.
On November 12, 2025, the cybersecurity vendor said threat actors deployed Velociraptor after obtaining initial access through exploitation of a flaw in Windows Server Update Services (CVE-2025-59287, CVSS score: 9.8), which was patched by Microsoft late last month.
Subsequently, the attackers are said to have launched discovery queries with the goal of conducting reconnaissance and gathering details about users, running services, and configurations. The attack was contained before it could progress further, Huntress added.
The discovery shows that threat actors are not just using custom C2 frameworks, but are also employing readily available offensive cybersecurity and incident response tools to their advantage.
“We've seen threat actors use legitimate tools long enough to know that Velociraptor won't be the first dual-use, open-source tool that will pop up in attacks – nor will it be the last,” Huntress researchers said.


