
Hackers Deploy New Matrix Push C2 to Launch Malware and Phishing Attacks Through Web Browsers

Hackers are turning everyday web browsers into remote-control tools using a new command-and-control (C2) platform called Matrix Push C2, according to BlackFog research.

The browser‑native, fileless framework abuses legitimate web push notification features to deliver malware, phishing pages, and data theft campaigns across Windows, macOS, Linux, and mobile platforms.

Instead of dropping traditional malware binaries at the start, Matrix Push C2 focuses on tricking users into enabling browser notifications on malicious or compromised sites.

Once a victim clicks “Allow,” the attacker gains a persistent communication channel to that browser session, effectively enrolling it as a C2 “client.”
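Because enrollment is nothing more than a notification permission grant, defenders can audit which origins hold that permission in a browser profile. The following is an added example, not code from BlackFog or the original article: it assumes the Chromium `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, where `setting` 1 means allow), and the sample data, origins and allowlist are constructed placeholders.

```javascript
// Added example: list origins holding the notification permission in a
// Chromium profile's Preferences JSON, excluding an approved allowlist.
// SAMPLE_PREFS is constructed for illustration; all origins are placeholders.
const SAMPLE_PREFS = {
  profile: { content_settings: { exceptions: { notifications: {
    "https://mail.example.com:443,*": { last_modified: "13390000000000000", setting: 1 },
    "https://free-stream.example.net:443,*": { last_modified: "13395000000000000", setting: 1 },
    "https://news.example.org:443,*": { last_modified: "13380000000000000", setting: 2 },
  } } } },
};

const ALLOW = 1; // Chromium content setting values: 1 = allow, 2 = block

// Chromium timestamps are microseconds since 1601-01-01 UTC, stored as strings.
function chromeTimeToIso(us) {
  const EPOCH_DIFF_MS = 11644473600000n; // 1601-01-01 to 1970-01-01
  return new Date(Number(BigInt(us) / 1000n - EPOCH_DIFF_MS)).toISOString();
}

// Keys look like "<primary pattern>,<secondary pattern>"; normalise the primary.
function patternToOrigin(key) {
  const primary = key.split(",")[0];
  try {
    return new URL(primary).origin; // drops the default :443 port
  } catch {
    return primary; // wildcard patterns are not URLs; report them verbatim
  }
}

function auditNotificationGrants(prefs, approvedOrigins) {
  const grants = prefs?.profile?.content_settings?.exceptions?.notifications ?? {};
  const approved = new Set(approvedOrigins);
  const findings = [];
  for (const [key, value] of Object.entries(grants)) {
    if (value.setting !== ALLOW) continue; // blocked origins cannot push
    const origin = patternToOrigin(key);
    if (approved.has(origin)) continue;
    findings.push({
      origin,
      grantedAt: value.last_modified ? chromeTimeToIso(value.last_modified) : null,
    });
  }
  return findings;
}

console.log(auditNotificationGrants(SAMPLE_PREFS, ["https://mail.example.com"]));
```

Each finding is an origin that can still deliver notifications to that profile; the grant timestamp helps correlate it with browsing history from the same period.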

From there, threat actors can push fake system alerts, redirect users to phishing sites, and monitor victims in real time via a web‑based dashboard that resembles a marketing automation panel.

How Matrix Push C2 Turns Browsers Into Attack Tools

Matrix Push C2 abuses the web push notification API as its primary C2 channel. The platform’s notification panel lets attackers craft messages that closely mimic operating system warnings or trusted software prompts, complete with realistic icons and titles.

Examples include fake Chrome update alerts such as “Update required! Please update Google Chrome to avoid data loss!” that redirect users to trojanized installers or malware droppers.

Figure: Matrix Push C2 campaign dashboard

Because the interaction begins and persists inside the browser notification system, the initial phase is effectively fileless. No obvious executable runs on the device until the user manually downloads or launches a payload from the attacker’s site.

The C2 dashboard tracks “Total Clients,” delivery rates, and user interactions, confirming when notifications are delivered and clicked. This gives attackers reliable telemetry and the ability to tune campaigns based on real‑time feedback.

Matrix Push C2’s active clients panel collects device and browser details, including whether a cryptocurrency wallet extension is present. This allows targeted attacks against users holding digital assets, such as tailored phishing prompts to drain wallets or steal seed phrases.

Phishing Templates, Analytics, and Data Exfiltration Risks

To maximize social engineering impact, Matrix Push C2 ships with pre‑built templates that impersonate brands such as MetaMask, Netflix, Cloudflare, PayPal, and TikTok.

Attackers can quickly launch Cloudflare‑style “security checks” or PayPal “unusual login” alerts that appear in the device’s official notification area, making them seem system‑generated rather than website‑originated.

The platform also integrates URL shortening and link management, helping attackers hide suspicious domains behind short, benign-looking links with paths of their own choosing. Every click is logged in an analytics dashboard, revealing which lures work best and how many times each malicious link is accessed.

Once initial access is established, attackers can escalate by pushing additional credential‑harvesting pages, delivering secondary malware, or exploiting browser vulnerabilities to gain deeper control. The ultimate goals include credential theft, exfiltration of personal data, and theft of cryptocurrency.

BlackFog positions its Anti Data Exfiltration (ADX) technology as a defense against this new class of browser‑driven C2.

Even when users fall for fake notifications, ADX aims to block unauthorized outbound connections and data flows, stopping ransomware beacons, spyware transmissions, and stolen information from leaving the endpoint in real time.


The post Hackers Deploy New Matrix Push C2 to Launch Malware and Phishing Attacks Through Web Browsers appeared first on Cyber Security News.

rssfeeds-admin
