Matrix Push C2 is a newly documented command-and-control platform that abuses web browser push notifications to deliver phishing pages and malware, turning a legitimate feature into a persistent attack channel. Discovered by BlackFrog, the platform tricks users into granting notification permissions on malicious or compromised sites, then leverages those subscriptions to push fake system alerts and security messages directly to desktops and mobile devices. When victims click the notifications, they are redirected through attacker-owned infrastructure to phishing sites or malware downloads, aligning with MITRE ATT&CK T1566 (Phishing), T1204 (User Execution) and T1102 (Web Service as C2).

Once a user subscribes, Matrix Push C2 establishes what is essentially a live marketing-style campaign engine for threat actors. Its web-based dashboard lists active clients in real time, exposes operating system and browser details, and allows operators to send tailored notification templates impersonating brands such as MetaMask, Netflix, Cloudflare, PayPal and TikTok. The platform also includes analytics and link management to track click-through rates, rotate destination URLs and shorten links under attacker-controlled paths to evade filters and reduce suspicion.

Because the C2 channel runs entirely through the browser's notification API, initial interaction can be described as "fileless" from the endpoint's perspective: no binary is required to maintain communication and deliver the next-stage URL. The technique is OS-agnostic, affecting Windows, macOS, Linux and mobile platforms. Some Matrix Push C2 campaigns reportedly scan for cryptocurrency wallets and leverage notifications that mimic wallet security prompts, raising risks of credential theft, seed-phrase phishing and unauthorized transactions. Organizations need to treat browser notification abuse as an emerging delivery vector that bypasses traditional email and web proxies.
Mitigation includes tightening browser policies through group policy objects (GPOs) or MDM to restrict which sites can present notification prompts, clearing existing subscriptions on corporate endpoints, and educating users not to accept notification requests from unknown sites. Network defenders should also monitor outbound traffic to suspicious push-notification domains and consider egress filtering and DNS controls to block known Matrix Push C2 infrastructure.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: Matrix Push C2 enables persistent phishing and malware delivery directly to user desktops and mobile devices, bypassing email and some web-filtering layers. This can increase success rates for credential theft, wallet compromise and drive-by malware, raising fraud and account-takeover risk for both consumers and enterprise users accessing corporate resources from personal browsers.

Technical Context: The platform weaponizes browser push notifications as both a C2 and delivery channel, mapping to MITRE T1102, T1566 and T1204. Attackers gain long-lived access by social engineering users into accepting notification prompts, then deliver brand-mimicking alerts that redirect to phishing or malware sites. Its real-time dashboard and analytics allow rapid iteration of lures, making behavioral and policy-based controls essential.
⚡Strategic Intelligence Guidance
- Harden enterprise browser configurations via GPO or MDM to restrict or disable push notifications from unapproved domains, especially on shared or high-risk endpoints.
- Conduct user awareness campaigns explaining the risks of accepting notification prompts from unfamiliar sites and demonstrating how to revoke existing subscriptions in popular browsers.
- Implement DNS and web-filtering controls to block known Matrix Push C2 domains and shortlink redirectors used in active campaigns.
- Extend phishing detection and response programs beyond email to incorporate browser-based lures, ensuring SOC playbooks account for notification-driven attack chains.
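Two of the mitigations above, auditing existing notification grants on corporate endpoints and pushing a restrictive browser policy, can be scripted. The example below is added here and is not code from the original post or from BlackFrog: it reads a Chrome/Chromium Preferences file (the per-site notification exceptions live under profile.content_settings.exceptions.notifications, with setting 1 = allow, 2 = block, 3 = ask), lists origins that may push notifications, flags those missing from a hypothetical corporate allowlist, and emits the matching DefaultNotificationsSetting / NotificationsAllowedForUrls policy values. The sample Preferences document and the allowlist are constructed for illustration.

```python
"""Audit Chrome/Chromium notification grants and derive a restrictive policy."""
import json

ALLOW, BLOCK, ASK = 1, 2, 3  # Chrome ContentSetting values

# Constructed sample Preferences file: a user granted notifications to three
# sites (one corporate, two unknown) and blocked a fourth.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.example-corp.com:443,*": {"setting": ALLOW},
        "https://free-movies-now.example:443,*": {"setting": ALLOW},
        "https://wallet-verify.example:443,*": {"setting": ALLOW},
        "https://news.example.org:443,*": {"setting": BLOCK},
    }}}}})

# Hypothetical corporate allowlist of origins approved to send notifications.
APPROVED_ORIGINS = {"https://mail.example-corp.com"}


def origin_from_pattern(pattern: str) -> str:
    """Map a Chrome pattern 'https://host:443,*' to the origin 'https://host'."""
    primary = pattern.split(",", 1)[0]          # drop the secondary pattern
    scheme, _, hostport = primary.partition("://")
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    return f"{scheme}://{host}"


def granted_notification_origins(prefs_json: str) -> list[str]:
    """Origins whose notification setting is ALLOW, sorted for stable output."""
    prefs = json.loads(prefs_json)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    return sorted(origin_from_pattern(p) for p, v in exceptions.items()
                  if v.get("setting") == ALLOW)


def unapproved_grants(prefs_json: str, approved: set[str]) -> list[str]:
    """Granted origins not on the allowlist: candidates for revocation."""
    return [o for o in granted_notification_origins(prefs_json) if o not in approved]


def chrome_policy_for(approved: set[str]) -> dict:
    """Chrome/Edge policy: block prompts by default, allow only approved origins."""
    return {"DefaultNotificationsSetting": BLOCK,
            "NotificationsAllowedForUrls": sorted(approved)}


if __name__ == "__main__":
    print("unapproved grants:", unapproved_grants(SAMPLE_PREFS, APPROVED_ORIGINS))
    print(json.dumps(chrome_policy_for(APPROVED_ORIGINS), indent=2))
```

On a real endpoint, point the script at each profile's Preferences file (with the browser closed) and deploy the emitted policy values through GPO or MDM; the same policy names apply to Microsoft Edge.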
Threats: Matrix Push C2, Browser notification abuse, Phishing campaigns
Targets: Web browser users, Cryptocurrency wallet users, Enterprise endpoints