Hackers Using New Matrix Push C2 to Deliver Malware & Phishing Attacks via Web Browser

Hackers are turning everyday web browsers into remote-control tools using a new command-and-control (C2) platform called Matrix Push C2, according to BlackFog research.

The browser‑native, fileless framework abuses legitimate web push notification features to deliver malware, phishing pages, and data theft campaigns across Windows, macOS, Linux, and mobile platforms.

Instead of dropping traditional malware binaries at the start, Matrix Push C2 focuses on tricking users into enabling browser notifications on malicious or compromised sites.

Once a victim clicks “Allow,” the attacker gains a persistent communication channel to that browser session, effectively enrolling it as a C2 “client.”

From there, threat actors can push fake system alerts, redirect users to phishing sites, and monitor victims in real time via a web‑based dashboard that resembles a marketing automation panel.

How Matrix Push C2 Turns Browsers Into Attack Tools

Matrix Push C2 abuses the web push notification API as its primary C2 channel. The platform’s notification panel lets attackers craft messages that closely mimic operating system warnings or trusted software prompts, complete with realistic icons and titles.

Examples include fake Chrome update alerts such as “Update required! Please update Google Chrome to avoid data loss!” that redirect users to trojanized installers or malware droppers.

How the Infection Mechanism Works

The attack begins with social engineering. Attackers trick users into allowing browser notifications through malicious or compromised websites.

Once a user subscribes to these notifications, the attacker gains a direct communication line to the victim’s desktop or mobile device.

For example, a fake notification might display “Update required! Please update Google Chrome to avoid data loss!” and direct users to download trojanized software.

The entire attack happens through the browser’s notification system without requiring traditional malware installation.

Because the interaction begins and persists inside the browser notification system, the initial phase is effectively fileless. No obvious executable runs on the device until the user manually downloads or launches a payload from the attacker’s site.
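A defender-side check that follows from the mechanism above: because the persistence is a notification permission grant rather than a file, a hunt can enumerate which origins a browser profile has allowed to push notifications. The script below is an added example, not part of the BlackFog research or the article; it assumes the Chromium "Preferences" JSON layout (profile.content_settings.exceptions.notifications, with setting 1 = ALLOW and 2 = BLOCK) and uses a constructed sample rather than a real profile.

```python
import json

# Constructed sample of the relevant part of a Chromium "Preferences" file.
# Keys are Chromium content-setting patterns ("primary,secondary"); the
# setting values are assumed from Chromium's ContentSetting enum
# (1 = ALLOW, 2 = BLOCK). Hostnames are invented for this example.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*":
            {"setting": 1, "last_modified": "13370000000000000"},
        "https://free-movies-now.example:443,*":
            {"setting": 1, "last_modified": "13370000000000000"},
        "https://news.example.org:443,*":
            {"setting": 2, "last_modified": "13370000000000000"},
    }}}}
})

ALLOW, BLOCK = 1, 2


def notification_grants(preferences_json: str) -> dict:
    """Return {origin: setting} for every notification permission exception."""
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    grants = {}
    for pattern, entry in exceptions.items():
        # Keep only the primary pattern, i.e. the origin that was granted.
        origin = pattern.split(",", 1)[0]
        grants[origin] = entry.get("setting")
    return grants


def suspicious_grants(preferences_json: str, allowlist) -> list:
    """Origins allowed to push notifications that are not on the org allowlist.

    Every entry returned is a site that holds the same persistent channel the
    article describes; review or revoke it rather than trusting it by default.
    """
    allowed = set(allowlist)
    return sorted(origin
                  for origin, setting in notification_grants(preferences_json).items()
                  if setting == ALLOW and origin not in allowed)


if __name__ == "__main__":
    print(suspicious_grants(SAMPLE_PREFERENCES, ["https://mail.example.com:443"]))
```

On a real endpoint the file to read is the profile's Preferences file (for example under the Chrome "User Data\Default" directory on Windows); the same grant list is what a user sees under the browser's site notification settings.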

The C2 dashboard tracks “Total Clients,” delivery rates, and user interactions, confirming when notifications are delivered and clicked. This gives attackers reliable telemetry and the ability to tune campaigns based on real‑time feedback.

Matrix Push C2’s active clients panel collects device and browser details, including whether a cryptocurrency wallet extension is present. This allows targeted attacks against users holding digital assets, such as tailored phishing prompts to drain wallets or steal seed phrases.

Phishing Templates, Analytics, and Data Exfiltration Risks

To maximize social engineering impact, Matrix Push C2 ships with pre‑built templates that impersonate brands such as MetaMask, Netflix, Cloudflare, PayPal, and TikTok.

Attackers can quickly launch Cloudflare‑style “security checks” or PayPal “unusual login” alerts that appear in the device’s official notification area, making them seem system‑generated rather than website‑originated.

The platform also integrates URL shortening and link management, helping attackers hide suspicious domains behind short, benign‑looking links under their own paths. Every click is logged in an analytics dashboard, revealing which lures work best and how many times each malicious link is accessed.

Once initial access is established, attackers can escalate by pushing additional credential‑harvesting pages, delivering secondary malware, or exploiting browser vulnerabilities to gain deeper control. The ultimate goals include credential theft and exfiltration of personal data.

BlackFog positions its Anti Data Exfiltration (ADX) technology as a defense against this new class of browser‑driven C2.

Even when users fall for fake notifications, ADX aims to block unauthorized outbound connections and data flows, stopping ransomware beacons, spyware transmissions, and stolen information from leaving the endpoint in real time.

(Courtesy: Hackers online)
