Matrix Push C2 — Browser Notifications Abused for Fileless, Cross-Platform Phishing
A newly emerged command-and-control platform, Matrix Push C2, is being actively used by threat actors to deliver fileless, browser-native phishing attacks through push notifications. This technique requires no local malware installation, making it stealthy and highly effective across all major operating systems.
Impact & Techniques
1. Fileless & Cross-Platform Attack Vector
The entire attack chain occurs in the browser. Any device with web push enabled—Windows, macOS, Linux, Android, iOS—can be compromised.
2. Impersonation of System-Level Notifications
Victims are socially engineered to allow notifications. Attackers then push fake alerts mimicking:
- Browser updates
- Suspicious login warnings
- Crypto wallet alerts
- Cloudflare / Netflix / PayPal / TikTok messages
One click redirects the user to phishing sites.
3. Mature C2-as-a-Service Platform (MaaS)
Matrix Push C2 offers:
- Real-time victim tracking
- Customizable phishing templates
- Built-in URL shortener
- Browser extension enumeration (including crypto wallets)
- Campaign analytics and reporting
This dramatically lowers the barrier to launching scalable phishing campaigns.
4. Possible Escalation
After establishing notification control, attackers may:
- Deliver more phishing prompts
- Trick users into installing persistent malware
- Exploit browser vulnerabilities for deeper access
- Steal credentials or wallet assets
- Exfiltrate personal and device information
This represents a new initial access trend, bypassing many traditional email-based defenses.
Recommended Immediate Actions
1. Restrict Browser Notification Permissions
Enforce via:
- Chrome / Edge / Firefox admin policies
- Intune / MDM / GPO
Only allow trusted domains; block all unknown sites.
2. Audit and Clean Existing Notification Subscriptions
Instruct users to remove unknown sites from:
Settings → Privacy → Site Settings → Notifications
3. Strengthen Social Engineering Training
Employees must understand:
- Never click “Allow notifications” on unfamiliar sites
- System updates never appear via random web notifications
- “Verify / Update” pop-ups should be treated as suspicious
4. Monitor Browser-Related Activity
Look for:
- Unusual web push traffic
- Sudden extension changes
- Shortened-link access patterns
- Visits to unfamiliar domains
5. Update All Browsers to Latest Versions
Recent releases include enhanced protections against:
- Notification abuse
- Permission misuse
- PWA / Push API exploitation
Ensure Chrome / Edge / Firefox / Safari are fully updated.