Last Updated: November 20th, 2025 | Categories: Exploits, Ransomware, Variants

At BlackFog, we recently uncovered a new command-and-control platform called Matrix Push C2 which cybercriminals are using to deliver malware and phishing attacks via web browser features. This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems.

It turns web browsers into an attack delivery vehicle: tricking users with fake system notifications, redirecting them to malicious sites, monitoring infected clients in real time, and even scanning for cryptocurrency wallets.

Below, we walk through Matrix Push C2’s key features, and how they enable cross-platform malware delivery and data theft, with screenshots from the C2 panel for illustration.

How does Matrix Push C2 work? 

In a nutshell, Matrix Push C2 abuses the web push notification system (a legitimate browser feature) as a command-and-control (C2) channel.

Attackers first trick users into allowing browser notifications (often via social engineering on malicious or compromised websites). Once a user subscribes to the attacker’s notifications, the attacker gains a direct line to that user’s desktop or mobile device via the browser.

From that point on, the attacker can push out, at will, fake error messages or security alerts that look frighteningly real. These messages appear as if they come from the operating system or trusted software, complete with official-sounding titles and icons.

Figure 1: Matrix Push C2’s notifications panel


Once the user clicks on the fake notification, they are taken to a site chosen by the attacker, often a phishing page or a malware download. For instance, an alert might say “Update required! Please update Google Chrome to avoid data loss!” and the button would fetch a trojanized scanner from the attacker’s domain.

Figure 2: Example of a fake Chrome update alert


Because this whole interaction is happening through the browser’s notification system, no traditional malware file needs to be present on the system initially. It’s a fileless technique. The unsuspecting user simply sees what looks like a normal system pop-up and might follow its instructions, not realizing they’ve stepped right into the attacker’s trap.
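As a defender's check on the permission grant described above, here is an added Python example (it is not part of the BlackFog write-up and has nothing to do with the Matrix Push C2 platform's own code) that audits a Chromium-family `Preferences` file for origins that have been granted notification permission, flags any origin not on an approved list, and emits a Chrome managed policy that blocks notification prompts by default. The sample `Preferences` content, the approved-origin list and the host names are constructed for the example; `profile.content_settings.exceptions.notifications`, the `ContentSetting` values and the `DefaultNotificationsSetting` / `NotificationsAllowedForUrls` policy names are real Chromium identifiers, but the exact on-disk layout should be confirmed against the browser version deployed in your environment.

```python
import json

# Constructed sample of a Chromium "Preferences" file, reduced to the keys this
# audit reads. On a real host the file lives in the profile directory, e.g.
# ~/.config/google-chrome/Default/Preferences (Linux) or
# %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences (Windows).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    # key format: "<primary pattern>,<secondary pattern>"
                    "https://mail.example.com:443,*": {"setting": 1},
                    "https://news.example.org:443,*": {"setting": 2},
                    "https://free-scanner-update.example.net:443,*": {"setting": 1},
                }
            }
        }
    }
})

# Chromium ContentSetting values for a notification exception.
ALLOW, BLOCK, ASK = 1, 2, 3

# Origins the organisation has approved for push notifications (placeholder list).
APPROVED_ORIGINS = {"https://mail.example.com"}


def _normalise_origin(pattern: str) -> str:
    """Take the primary pattern of an exception key and drop the default port."""
    origin = pattern.split(",", 1)[0]
    if origin.startswith("https://") and origin.endswith(":443"):
        origin = origin[:-4]
    elif origin.startswith("http://") and origin.endswith(":80"):
        origin = origin[:-3]
    return origin


def notification_grants(preferences_json: str) -> dict:
    """Return {origin: setting} for every notification exception in the profile."""
    prefs = json.loads(preferences_json)
    exceptions = (
        prefs.get("profile", {})
        .get("content_settings", {})
        .get("exceptions", {})
        .get("notifications", {})
    )
    return {
        _normalise_origin(pattern): int(entry.get("setting", ASK))
        for pattern, entry in exceptions.items()
    }


def unapproved_allowed(preferences_json: str, approved=APPROVED_ORIGINS) -> list:
    """Origins the user has granted notification permission that are not approved.

    A subscription to an unknown origin is the foothold the push-based C2
    channel needs, so these are the entries worth reviewing or revoking."""
    return sorted(
        origin
        for origin, setting in notification_grants(preferences_json).items()
        if setting == ALLOW and origin not in approved
    )


def managed_policy(approved=APPROVED_ORIGINS) -> dict:
    """Chrome enterprise policy that blocks notification prompts by default and
    allows only approved origins. Written as JSON into the managed policy
    directory (Linux: /etc/opt/chrome/policies/managed/), it prevents users
    from being talked into subscribing to an arbitrary site's notifications."""
    return {
        "DefaultNotificationsSetting": BLOCK,
        "NotificationsAllowedForUrls": sorted(approved),
    }


if __name__ == "__main__":
    for origin in unapproved_allowed(SAMPLE_PREFERENCES):
        print("unapproved notification grant:", origin)
    print(json.dumps(managed_policy(), indent=2))
```

Run against a copied `Preferences` file rather than the live one (the browser rewrites it while running), and treat any unapproved allowed origin as a candidate for revocation plus a look at the site that obtained the grant.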

Inside the Attacker’s Command Center

All of this is orchestrated via a web-based dashboard provided by the Matrix Push C2 platform. From the attacker’s perspective, the interface looks professional, akin to a marketing automation dashboard, but for malicious campaigns.

Figure 3: Matrix Push C2 campaign dashboard


The dashboard above shows “Total Clients: 3” with a 100% delivery success rate for notifications, indicating that all infected browsers received the last push message. It also illustrates the cross-platform nature of the control: any browser on any OS (Windows, Mac, Linux, Android, etc.) that subscribes to the malicious notifications becomes part of the attacker’s pool of clients. Because the platform operates through standard browser technology, the threat is not limited to a single operating system.

Real-Time Monitoring and Data Collection

One of the most prominent features of Matrix Push C2 is its active clients panel, which gives the attacker detailed information on each victim in real time. As soon as a browser is enlisted (by accepting the push notification subscription), it reports data back to the C2. This real-time intelligence is part of what makes Matrix Push C2 so dangerous: the attacker isn’t firing blind phishing emails hoping someone clicks; they have a live connection to the victim’s browser.

Figure 4: Active clients view showing infected browsers


They know exactly which notifications were delivered and can even tell if a user has interacted (for instance, if the user clicked the notification or a button, the platform can log that interaction). The platform can collect client-side details (like the presence of wallet browser extensions, as seen above, or the device type) without needing any heavy malware footprint. Essentially, as soon as the victim permits the notifications, the attacker gains a telemetry feed from that browser session.

Deceptive Notifications with Trusted Branding

The core of the attack is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximize the credibility of its fake messages. Attackers can easily theme their phishing notifications and landing pages to impersonate well-known companies and services. In the settings, we found templates for brands such as MetaMask, Netflix, Cloudflare, PayPal, TikTok, and more, each designed to look like a legitimate notification or security page from those providers.

Figure 5: Brand-themed phishing templates


By leveraging familiar branding and designs, the attackers exploit the trust users place in companies they recognize. For example, a Cloudflare-themed notification might warn “Your connection is being checked for security” (impersonating Cloudflare’s protective page) and prompt a click, or a PayPal-themed message might claim “Unusual login detected, verify your account now.”

Figure 6: Cloudflare-style phishing notification example


Because these appear in the official notification area of the device, users may assume their own system or apps generated the alert. It’s a clever abuse of a legitimate channel, the browser’s notification system, to deliver what is essentially a phishing payload right on the user’s screen.

Tracking Responses and Campaign Performance

Matrix Push C2 also includes analytics and link management tools so the attacker can measure how effective their campaign is and adjust tactics on the fly. The platform also provides shortcut links, a built-in URL-shortening service that attackers use to create custom links for their campaigns.

Figure 7: Campaign analytics dashboard


Instead of sending a long, suspicious-looking URL, the attacker can generate a short, innocuous link (under a path they control) that redirects to the real malicious site. This helps evade filters and lowers victim skepticism.

All clicks on these links are tracked and reported back in the dashboard, giving yet another layer of insight into victim behavior (for instance, if a particular phishing link was accessed and how many times).

Figure 8: Shortcut link generator used for malicious URLs


Protecting Against Push-Based Attacks

Matrix Push C2 shows us a shift in how attackers gain initial access and attempt to exploit users. By using browsers as the entry point and channel for malicious content, it bypasses many traditional security measures. Once a user’s endpoint (computer or mobile device) is under this kind of influence, the attacker can gradually escalate the attack.

They might deliver additional phishing messages to steal credentials, trick the user into installing more persistent malware, or even leverage browser exploits to get deeper control of the system. Ultimately, the end goal is often to steal data or monetize the access, for example by draining cryptocurrency wallets or exfiltrating personal information.

Protect Your Data with BlackFog ADX

To counter this threat, BlackFog’s anti data exfiltration (ADX) technology is designed to stop attacks at exactly that stage. Even if an endpoint is tricked by a fake notification and gets compromised, the data exfiltration that follows is what BlackFog prevents.

Our approach focuses on blocking unauthorized outbound traffic, whether it’s a ransomware beacon or a spyware transmission, thereby neutralizing the attack’s objectives. In the case of Matrix Push C2, once the attacker attempts to download malware or send stolen information out, BlackFog would detect and block that illicit data flow in real time.

https://www.blackfog.com/anti-data-exfiltration-demo/
