Bad actors are now deploying a new command-and-control platform, Matrix Push C2, for sophisticated phishing attacks. This framework uses web browser notifications to deliver malicious links across various operating systems, making it a widespread threat.
The method is clever: victims are tricked into allowing browser notifications, often through social engineering on compromised websites. Once allowed, the C2 platform sends fake alerts mimicking operating system or browser messages.
These deceptive notifications often urge users to “Verify” accounts or “Update” software, leading them to bogus sites. The entire process unfolds within the browser, a fileless approach that bypasses many traditional security measures.
A key aspect of Matrix Push C2 is its cross-platform capability. Any browser application on any device that subscribes to these malicious notifications effectively joins a pool of clients, providing attackers a persistent communication channel.
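Because the foothold described above is nothing more than a notification permission granted to an attacker-controlled origin, one practical defensive check is to enumerate which origins a browser profile has allowed to push notifications and flag any that are not expected. The script below is an added example, not code from the article or from BlackFog; it parses the notification exceptions from a Chromium "Preferences" file (the JSON layout under profile.content_settings.exceptions.notifications, the setting values 1 = allow and 2 = block, and the microseconds-since-1601 timestamp format are assumptions based on current Chromium builds and should be verified against the version in your environment). The sample preferences and the approved-origin list are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the relevant slice of a Chromium "Preferences" file.
# Layout (profile -> content_settings -> exceptions -> notifications) is an
# assumption based on current Chromium builds; verify against your version.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://mail.example-corp.test:443,*": {
                        "setting": 1,
                        "last_modified": "13380000000000000",
                    },
                    "https://free-movies-stream.test:443,*": {
                        "setting": 1,
                        "last_modified": "13385000000000000",
                    },
                    "https://news.example.test:443,*": {
                        "setting": 2,
                        "last_modified": "13370000000000000",
                    },
                }
            }
        }
    }
})

# Chromium content-setting values (assumption: 1 = allow, 2 = block).
SETTING_ALLOW = 1
SETTING_BLOCK = 2

# Constructed allowlist: origins the organisation expects to send notifications.
APPROVED_ORIGINS = {"https://mail.example-corp.test"}


def webkit_to_datetime(ts):
    """Convert a Chromium timestamp (microseconds since 1601-01-01 UTC) to a datetime."""
    epoch_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch_1601 + timedelta(microseconds=int(ts))


def normalise_origin(pattern):
    """Turn a 'primary,secondary' content-setting pattern into a bare origin."""
    origin = pattern.split(",", 1)[0]
    # Chromium appends the default port to the pattern; strip it for readability.
    if origin.startswith("https://") and origin.endswith(":443"):
        origin = origin[:-4]
    elif origin.startswith("http://") and origin.endswith(":80"):
        origin = origin[:-3]
    return origin


def notification_grants(preferences_json):
    """Return [(origin, setting, granted_at)] for every notification exception."""
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    grants = []
    for pattern, entry in exceptions.items():
        granted_at = webkit_to_datetime(entry.get("last_modified", "0"))
        grants.append((normalise_origin(pattern), entry.get("setting"), granted_at))
    return grants


def unapproved_allows(preferences_json, approved=APPROVED_ORIGINS):
    """Origins granted notification permission that are not on the approved list."""
    return sorted(
        origin for origin, setting, _ in notification_grants(preferences_json)
        if setting == SETTING_ALLOW and origin not in approved
    )


if __name__ == "__main__":
    for origin, setting, granted_at in notification_grants(SAMPLE_PREFERENCES):
        state = "ALLOW" if setting == SETTING_ALLOW else "BLOCK" if setting == SETTING_BLOCK else str(setting)
        print(f"{granted_at:%Y-%m-%d %H:%M:%S}  {state:5}  {origin}")
    print("review:", unapproved_allows(SAMPLE_PREFERENCES))
```

On a real endpoint, point the script at the profile's Preferences file (for example under the user's Chrome or Edge profile directory) instead of the constructed sample; the timestamp lets an analyst correlate an unexpected grant with browsing history from the same window, and revoking the permission or pushing a NotificationsBlockedForUrls policy removes the attacker's channel without any file on disk to clean up.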
Matrix Push C2 is offered as “Malware-as-a-Service” (MaaS), available through crimeware channels like Telegram and cybercrime forums. It operates on a tiered subscription model, ranging from $150 for one month to $1,500 for a full year.
The service provides a web-based dashboard for threat actors. This allows them to send notifications, monitor victims in real-time, track interactions, and even identify installed browser extensions, including cryptocurrency wallets.
Attackers leverage configurable templates within Matrix Push C2 to enhance the credibility of their fake messages. This enables them to impersonate well-known brands such as MetaMask, Netflix, Cloudflare, PayPal, and TikTok.
BlackFog researchers explain that this signals a shift in how attackers gain initial access, with the potential for escalating attacks. Once an endpoint is compromised, attackers can steal credentials, install persistent malware, or exploit browser vulnerabilities for deeper system control. Their findings are published in the BlackFog report on Matrix Push C2.
The ultimate goal for these attackers often includes data theft or monetizing access, such as draining cryptocurrency wallets or exfiltrating personal information. This underscores the need for vigilance against deceptive browser notifications.
In related news, Huntress reported an increase in attacks using the legitimate Velociraptor digital forensics tool. This highlights a broader trend where threat actors utilize both custom C2 frameworks and readily available cybersecurity tools for malicious purposes. Huntress describes these cases in its blog post on Velociraptor misuse.
Phishing attacks continue to evolve, with new platforms like Matrix Push C2 showing how threat actors adapt. Effective cybersecurity tools are crucial to defend against these persistent threats, including malware and ransomware.
The sophisticated nature of Matrix Push C2 mirrors tactics employed by state-sponsored groups. North Korean actors Kimsuky and Lazarus have combined forces in coordinated attacks, using advanced C2 platforms and zero-day exploits to steal intelligence and cryptocurrencies.
Matrix Push C2’s fileless approach, leveraging browser notifications, highlights a trend in evasion techniques. Similar sophisticated loaders are seen with Remote Access Trojans like PureHVNC, which uses modular components and DLL hollowing to bypass detection.
The “Malware-as-a-Service” model for Matrix Push C2 makes advanced tools accessible to more threat actors. This accessibility, combined with social engineering, continues to be a driving force behind many malicious campaigns.
Targeting cryptocurrency wallets is a recurring theme in these advanced attacks. The InvisibleFerret backdoor, used by the Lazarus group, specifically scans system memory for private keys and transaction data from blockchain wallets.