- Malicious actors use browser notifications to conduct phishing attacks via the new Matrix Push C2 platform.
- The platform is sold as Malware-as-a-service with tiered pricing, accepting cryptocurrency payments.
- It provides real-time victim tracking, branded phishing templates, and analytics to optimize campaigns.
- Separately, attacks exploiting the legitimate Velociraptor tool have increased, using it for reconnaissance after gaining access through a Windows Server Update Services vulnerability.
A newly identified command-and-control (C2) platform named Matrix Push C2 has been found to exploit browser-native push notifications to carry out phishing attacks. Discovered in early October 2025, this fileless framework functions across operating systems by sending deceptive alerts that appear as legitimate system or browser notifications. Attackers persuade users to enable notifications on malicious or compromised websites, then use this access to deliver messages prompting victims to click links leading to fraudulent sites, according to a report by Blackfog.
The push notification system exploited here is built into modern web browsers, allowing attackers to mimic trusted brands with familiar logos and wording. Examples include alerts about suspicious logins or software updates, each containing interactive buttons like “Verify” or “Update” that redirect victims to phishing pages. This method bypasses traditional security controls by relying entirely on social engineering within the browser, avoiding the need to infect the victim’s device first.
Matrix Push C2 is marketed as malware-as-a-service, with monthly subscription pricing tiers of approximately $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year, payable via cryptocurrency. The service is accessed through a web-based dashboard that enables operators to send notifications, monitor victim interactions, shorten URLs, and collect data on installed browser extensions, including cryptocurrency wallets. It includes customizable templates themed around well-known brands such as MetaMask, Netflix, Cloudflare, Paypal, and TikTok to enhance credibility, as explained by Blackfog researcher Brenda Robb.
The campaign’s analytics tools allow the attackers to track user engagement and refine their phishing techniques. Following initial access, attackers can escalate their efforts by delivering further phishing attempts, tricking victims into installing persistent malware, or exploiting browser vulnerabilities to gain deeper control. The ultimate objectives often include stealing personal information or draining cryptocurrency wallets.
In a related development, Cybersecurity vendor Huntress reported a marked rise in the abuse of the legitimate digital forensics and incident response tool Velociraptor over the past three months. On November 12, 2025, threat actors exploited a critical Windows Server Update Services vulnerability (CVE-2025-59287, CVSS score 9.8) to deploy Velociraptor for conducting reconnaissance activities such as querying user details and system configurations. The attack was halted before progression, highlighting the trend of malicious use of open-source and commercially available offensive cybersecurity tools. More details about this are available via Huntress.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- North Korea Controls Up to 40% of Crypto Apps, Security Alarm
- ARK Invest Boosts Stakes in Bullish, BitMine, Circle, Robinhood, BTC ETFs
- Bitcoin Sentiment Hits Record Low, Tactical Price Bounce Expected
- Sovereign Bitcoin Adoption Could Spark $150K Surge: ProCap CIO
- Bitcoin Falls to Seven-Month Low Amid Perfect Storm of Factors
