Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks


These articles are AI-generated summaries. Please check the original sources for full details.

Bad actors are deploying Matrix Push C2, a fileless command-and-control (C2) framework, to distribute phishing links via browser notifications. The tool leverages trusted branding and fake alerts to trick users into clicking malicious links, bypassing traditional security measures.

Why This Matters

Browser notifications, designed for legitimate purposes like real-time updates, are being weaponized to bypass endpoint defenses. Unlike traditional malware requiring file downloads, Matrix Push C2 operates entirely in memory, evading detection by antivirus software. The attack’s cross-platform nature—working on any browser that supports web push notifications—amplifies its reach, with threat actors selling access via Telegram for as little as $150/month. The cost of containment and reputational damage from such attacks could exceed $1 million per incident, according to industry estimates.

Key Insights

  • “Matrix Push C2 sold via Telegram with $150/month pricing”: BlackFog report, 2025
  • “Velociraptor misuse linked to CVE-2025-59287 (CVSS 9.8)”: Huntress, 2025
  • “Browser notifications used for fileless attacks, no system infection needed”: The Hacker News, 2025

Practical Applications

  • Use Case: Phishing campaigns impersonating MetaMask, Netflix, and PayPal via fake browser alerts
  • Pitfall: Overreliance on browser permissions without multi-factor authentication, leading to credential theft
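
Because the delivery channel is a notification permission the user granted, a defender can audit which sites hold that permission. The following is an added example, not code from the original sources: it reads the notification grants from a Chromium-style `Preferences` JSON file and lists hosts that are not on an approved list. The sample data, the `APPROVED_HOSTS` list and the function names are constructed for illustration, and the JSON layout is assumed to match the Chromium profile format.

```python
import json
from urllib.parse import urlsplit

# Chromium stores content settings as integers: 1 = allow, 2 = block.
ALLOW = 1

# Constructed sample of the relevant slice of a Chromium "Preferences" file.
SAMPLE_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {"setting": 1},
        "https://free-video-player.example.net:443,*": {"setting": 1},
        "https://news.example.org:443,*": {"setting": 2},
    }}}}
})

# Hypothetical allow-list of hosts the organisation permits to send push notifications.
APPROVED_HOSTS = {"mail.example.com"}


def granted_origins(prefs_text):
    """Return the sorted hosts that currently hold an 'allow' notification grant."""
    prefs = json.loads(prefs_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    hosts = []
    for pattern, value in entries.items():
        if not isinstance(value, dict) or value.get("setting") != ALLOW:
            continue  # blocked or malformed entries are not a delivery channel
        primary = pattern.split(",", 1)[0]  # key is "primary,secondary"
        try:
            host = urlsplit(primary).hostname or primary
        except ValueError:
            host = primary  # wildcard patterns that do not parse as URLs
        hosts.append(host)
    return sorted(hosts)


def unapproved(prefs_text, approved=APPROVED_HOSTS):
    """Hosts with a notification grant that are not on the approved list."""
    return [h for h in granted_origins(prefs_text) if h not in approved]


if __name__ == "__main__":
    for host in unapproved(SAMPLE_PREFS):
        print("review notification grant:", host)
```

Run against each profile's `Preferences` file, the output is a short list of grants to review and revoke in the browser's site settings.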
