New browser‑based C2 platform hijacks push notifications for phishing
Tshedimoso Makhene
January 9, 2026
Cybersecurity experts have uncovered a novel command‑and‑control (C2) platform that weaponizes web browser push notifications to launch fileless, cross‑platform phishing and malware attacks.
What happened
According to The Hacker News, attackers are now exploiting built‑in browser push notifications, the status alerts you sometimes allow from websites, as a covert delivery mechanism for phishing links and potentially malware. Instead of delivering traditional code‑based malware files, the platform, called Matrix Push C2, operates entirely through browsers once the user consents to notifications.
Going deeper
Security researchers describe Matrix Push C2 as a command‑and‑control framework offered as malware‑as‑a‑service (MaaS). This model enables even less sophisticated criminals to launch tailored phishing campaigns by subscribing through cybercrime forums or encrypted chat channels.
In practice, these campaigns begin with social engineering. Threat actors lure victims to malicious or compromised websites that prompt them to click “Allow” on browser notification requests. Once permission is granted, attackers can push deceptive alerts that closely resemble legitimate system or service messages, such as warnings about suspicious logins or software updates. These notifications typically include clickable prompts that redirect users to phishing pages or other malicious destinations.
From its web‑based control dashboard, attackers can:
- Send tailored push notifications and monitor which victims interact with messages
- Use built‑in URL shortening to hide malicious links
- Track engagement metrics and refine phishing templates
- Identify installed browser extensions, including cryptocurrency wallets
The platform includes themes mimicking trusted brands and services like Netflix, PayPal, TikTok, MetaMask, and Cloudflare, which helps attackers make their social engineering schemes more credible.
Why it matters
This campaign proves attackers are gaining initial access and controlling victims not through malware dropped on disk but through trusted browser features and social engineering. By bypassing traditional file‑based security controls, Matrix Push C2 evades endpoint detection systems and can persist as long as users continue to allow notifications. This tactic also mirrors other phishing campaigns uncovered in 2025 that abuse trusted, legitimate platforms rather than relying on obvious malware. Recent incidents have shown attackers exploiting Google's email infrastructure to send convincing phishing messages for credential harvesting. Together, these campaigns show a growing shift toward weaponizing built-in browser and platform features to exploit user trust, making phishing attacks more difficult to detect and defend against.
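Because this persistence lives in the browser's stored site permissions, it can be audited there. The following is an added example, not code from the article or any vendor: it lists the origins that hold notification permission in a Chromium-style Preferences file and flags those outside an approved set. The key layout assumes a Chromium-based browser; the sample data, the `APPROVED` set and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

ALLOW = 1  # Chromium content-setting value: 1 = allow, 2 = block
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def granted_notification_origins(prefs):
    """Return sorted (origin, grant_time) pairs for sites allowed to notify."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    found = []
    for pattern, entry in exceptions.items():
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue
        origin = pattern.split(",", 1)[0]  # keys look like "https://host:443,*"
        try:
            # last_modified is microseconds since 1601-01-01 UTC, stored as text
            when = WEBKIT_EPOCH + timedelta(microseconds=int(entry["last_modified"]))
        except (KeyError, TypeError, ValueError, OverflowError):
            when = None  # grant time missing or unreadable
        found.append((origin, when))
    return sorted(found, key=lambda pair: pair[0])

def unexpected_origins(prefs, approved):
    """Origins holding notification permission that are not on the approved list."""
    return [(o, w) for o, w in granted_notification_origins(prefs) if o not in approved]

# Constructed sample of a Preferences file (hosts and timestamps are made up).
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://mail.example.com:443,*": {"setting": 1},
  "https://alerts.invalid:443,*": {"setting": 1, "last_modified": "13380000000000000"},
  "https://news.example.org:443,*": {"setting": 2, "last_modified": "13370000000000000"}
}}}}}
""")
APPROVED = {"https://mail.example.com:443"}  # assumed organisational allowlist

if __name__ == "__main__":
    for origin, when in unexpected_origins(SAMPLE_PREFS, APPROVED):
        print(f"review: {origin} granted {when.isoformat() if when else 'unknown'}")
```

On a real endpoint, load the profile's Preferences file with `json.load` in place of the sample, and revoke any unexpected origin in the browser's site settings.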
FAQs
Which browsers and operating systems are affected?
Any modern browser that supports push notifications can be affected, regardless of the operating system. This includes browsers on Windows, macOS, Linux, and potentially mobile devices.
What kind of information are attackers trying to steal?
The primary goal is credential theft, including login details for email accounts, cloud services, and cryptocurrency wallets. Stolen credentials can then be used for account takeovers or further attacks.
Can antivirus or email security tools stop this attack?
Traditional antivirus and email security tools may not detect these attacks because they don’t involve malicious email attachments or executable files.
