Matrix Push C2: The Silent Hijack of Browser Notifications

Matrix Push C2 hijacks browser notifications for fileless, cross-platform phishing, evading AV across all major OS. BlackFog details its underground rise, urging notification controls and API monitoring to counter brand-mimicking alerts.
Written by Mike Johnson

Hackers have a new weapon in their arsenal: a command-and-control platform called Matrix Push C2 that turns innocuous browser notifications into a fileless phishing powerhouse. Unlike traditional malware that leaves footprints on disk, this tool exploits the Web Push API to deliver malicious payloads across Windows, macOS, Android, iOS, and Linux—evading antivirus detection by operating entirely in memory. Security researchers at BlackFog first exposed the threat in late November 2025, revealing how cybercriminals rent this service on underground forums for as little as $200 a month.

The mechanics are deceptively simple yet devastatingly effective. Victims are lured to a compromised website via malvertising or phishing links. Once there, a service worker registers in the browser, granting attackers permission to send push notifications without further interaction. These alerts mimic legitimate warnings from brands like Netflix or PayPal, tricking users into clicking through to credential-harvesting pages or malware droppers. BlackFog detailed how the C2 panel allows operators to schedule campaigns, track clicks, and even execute JavaScript commands remotely.

Notification Abuse Redefined

What sets Matrix Push C2 apart is its cross-platform persistence. Browser notifications persist even after the site is closed, re-engaging victims repeatedly. BlackFog’s analysis showed notifications displaying titles like ‘Your Netflix account has been suspended’ with urgent calls to action. Clicking leads to phishing kits that steal login credentials or deploy secondary payloads, all without writing files to disk. The Hacker News reported that this fileless approach bypasses endpoint detection and response tools, which struggle with in-memory execution.

Underground adoption is accelerating. Posts on X from cybersecurity accounts like @TweetThreatNews highlight Matrix Push C2’s rise, with threat actors boasting of high click-through rates. Infosecurity Magazine noted researchers at BlackFog uncovering the C2’s abuse of W3C standards, originally designed for legitimate engagement like news alerts. The service’s dashboard, leaked in forums, features botnet management, payload hosting, and analytics rivaling legitimate marketing tools.

Underground Marketplace Mechanics

Priced accessibly, Matrix Push C2 democratizes advanced attacks. Operators purchase subscriptions granting 10,000 notifications monthly, scalable for larger campaigns. BlackFog reverse-engineered the panel, finding Telegram integration for real-time alerts and geofencing to target regions. Dark Reading emphasized how attackers exploit user trust in notifications, with one campaign impersonating PayPal security teams to phish two-factor codes.

A technical deep dive reveals service workers as the linchpin. Upon a site visit, JavaScript registers a push subscription with a public VAPID key tied to the attacker’s server. Notifications then arrive via the browser’s native notification system, so they appear legitimate. BlackFog observed payloads including infostealers and clippers that swap crypto wallet addresses. With no disk artifacts, traditional forensics fail; instead, SecOps must monitor browser APIs and anomalous network calls to push services.
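The subscription step described above is what a defender can audit: every push subscription a browser holds is bound to an application server (VAPID) public key and to a relay endpoint, and a subscription bound to a key nobody in the organisation operates is exactly the foothold the article describes. The following is an added example, not code from the article or from BlackFog. It audits subscription records against an allowlist of trusted VAPID keys and approved origins; the relay hostnames are the public push services I know Chrome, Firefox, Safari and Edge use, the policy and the sample records (including both VAPID keys) are constructed for the example, and the browser collector at the end is a no-op outside a browser so the audit logic runs under Node as well.

```javascript
// Added defensive example (not from the article or BlackFog): audit Web Push
// subscriptions for an unapproved application-server (VAPID) key or origin.
// All policy values and sample records below are constructed for the example.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Decode base64url, the encoding used by PushSubscription.toJSON() and VAPID keys.
function decodeBase64Url(s) {
  const out = [];
  let bits = 0, acc = 0;
  for (const ch of String(s).replace(/=+$/, '')) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  return Uint8Array.from(out);
}

function encodeBase64Url(bytes) {
  let s = '', bits = 0, acc = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b; bits += 8;
    while (bits >= 6) { bits -= 6; s += B64URL[(acc >> bits) & 63]; }
    acc &= (1 << bits) - 1;
  }
  if (bits > 0) s += B64URL[(acc << (6 - bits)) & 63];
  return s;
}

// Public push relays operated by the browser vendors. An endpoint on one of
// these is expected even for a malicious subscription (the relay is neutral);
// the discriminating signals are the VAPID key and the origin that subscribed.
const KNOWN_PUSH_RELAYS = [
  /(^|\.)fcm\.googleapis\.com$/,          // Chrome / Chromium
  /(^|\.)push\.services\.mozilla\.com$/,  // Firefox
  /(^|\.)web\.push\.apple\.com$/,         // Safari and iOS Web Push
  /(^|\.)notify\.windows\.com$/,          // Edge (WNS)
];

// record: { origin, endpoint, applicationServerKey (base64url) }
// policy: { approvedOrigins: [...], trustedServerKeys: [base64url, ...] }
function auditSubscription(record, policy) {
  const findings = [];
  let host = null;
  try { host = new URL(record.endpoint).hostname; } catch { findings.push('endpoint is not a valid URL'); }
  if (host && !KNOWN_PUSH_RELAYS.some(re => re.test(host))) {
    findings.push(`endpoint host ${host} is not a known push relay`);
  }
  let key = null;
  if (!record.applicationServerKey) {
    findings.push('subscription carries no applicationServerKey');
  } else {
    try { key = decodeBase64Url(record.applicationServerKey); }
    catch { findings.push('applicationServerKey is not base64url'); }
  }
  // A VAPID public key is an uncompressed P-256 point: 0x04 followed by 64 bytes.
  if (key && !(key.length === 65 && key[0] === 0x04)) {
    findings.push('applicationServerKey is not an uncompressed P-256 point');
  }
  if (key && !policy.trustedServerKeys.includes(record.applicationServerKey)) {
    findings.push('applicationServerKey is not an approved VAPID key');
  }
  if (!policy.approvedOrigins.includes(record.origin)) {
    findings.push(`origin ${record.origin} is not approved for push`);
  }
  return { origin: record.origin, suspicious: findings.length > 0, findings };
}

function auditAll(records, policy) {
  return records.map(r => auditSubscription(r, policy));
}

// In a browser this collects the live subscriptions for the current origin
// (navigator.serviceWorker / PushManager are standard APIs). Under Node it
// returns [] so the audit logic above stays testable offline.
async function collectBrowserSubscriptions() {
  if (typeof navigator === 'undefined' || !navigator.serviceWorker) return [];
  const out = [];
  for (const reg of await navigator.serviceWorker.getRegistrations()) {
    const sub = await reg.pushManager.getSubscription();
    if (!sub) continue;
    const key = sub.options.applicationServerKey;
    out.push({
      origin: location.origin,
      scope: reg.scope,
      endpoint: sub.endpoint,
      applicationServerKey: key ? encodeBase64Url(new Uint8Array(key)) : null,
    });
  }
  return out;
}

// Constructed sample data: two syntactically valid but fake VAPID keys.
const TRUSTED_KEY = encodeBase64Url(Uint8Array.from([0x04, ...Array(64).fill(0x11)]));
const ROGUE_KEY   = encodeBase64Url(Uint8Array.from([0x04, ...Array(64).fill(0x22)]));
const SAMPLE_POLICY = {
  approvedOrigins: ['https://intranet.example.com'],
  trustedServerKeys: [TRUSTED_KEY],
};
const SAMPLE_RECORDS = [
  { origin: 'https://intranet.example.com', endpoint: 'https://fcm.googleapis.com/fcm/send/abc123', applicationServerKey: TRUSTED_KEY },
  { origin: 'https://free-movies.example', endpoint: 'https://updates.push.services.mozilla.com/wpush/v2/def456', applicationServerKey: ROGUE_KEY },
];

console.log(JSON.stringify(auditAll(SAMPLE_RECORDS, SAMPLE_POLICY), null, 2));
```

Run in Node to see the two verdicts, or paste the functions into a browser console and call `collectBrowserSubscriptions()` to feed real records into `auditAll`. Note that the second record is flagged even though its endpoint is a legitimate Mozilla relay: the attacker-controlled element is the VAPID key the subscription is bound to, not the relay, which is why an allowlist of keys and origins is the useful control.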

Technical Persistence and Evasion

Victim interaction is key: browsers prompt for notification permission, a prompt often overlooked on mobile. Once granted, revoking it requires a manual dive into browser settings. GBHackers reported campaigns hitting financial sectors, with notifications urging ‘account verification.’ Cross-browser support—Chrome, Firefox, Safari—amplifies reach, while iOS Web Push beta extends to Apple devices.

Recent X chatter underscores urgency. Accounts like @Hawley and @methodandmetric shared The Hacker News links, warning of Netflix-targeted scams. Forbes detailed a variant hitting PayPal users, quoting experts on the ‘creepy’ realism of alerts. BlackFog tracked over 50 active campaigns by November 24, 2025, with infection chains leading to ransomware loaders.

Campaigns Target Trusted Brands

Defenses demand a layered approach. Disable non-essential notifications via the browser’s notification settings page, such as ‘edge://settings/content/notifications.’ Enterprise tools should enforce policies blocking third-party service workers. Monitor for high-volume pushes from unknown origins using EDR rules on Fetch API calls. SC Media advised auditing subscribed sites and implementing user training on permission prompts.
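The two monitoring controls above (high-volume pushes from unknown origins, and brand-mimicking alerts such as the Netflix and PayPal lures the article quotes) can be expressed as detection logic over notification telemetry. The following is an added example, not from the article or BlackFog, and it assumes a hypothetical feed of displayed-notification events shaped as `{ ts, origin, title, body }` (for instance exported from a browser extension or endpoint agent); the brand-to-domain table, the allowlist and all sample events are constructed for the example.

```javascript
// Added detection example (not from the article or BlackFog): flag browser
// notifications that name a brand but come from an origin the brand does not
// own, and flag unknown origins that push at high volume. The event feed shape
// { ts, origin, title, body } is an assumption; all samples are constructed.

// Brands the article names, with the domains those brands actually operate.
const BRAND_DOMAINS = {
  netflix: ['netflix.com'],
  paypal: ['paypal.com'],
};

// Origins permitted to push without volume limits (constructed allowlist).
const ALLOWED_ORIGINS = new Set(['https://intranet.example.com']);

function originHostname(origin) {
  try { return new URL(origin).hostname; } catch { return ''; }
}

function hostBelongsTo(host, domains) {
  return domains.some(d => host === d || host.endsWith('.' + d));
}

// Returns the brands mentioned in the notification text whose origin is not
// one of that brand's own domains (the "Netflix alert from a random site" case).
function brandMismatch(n) {
  const text = `${n.title} ${n.body}`.toLowerCase();
  const host = originHostname(n.origin);
  return Object.entries(BRAND_DOMAINS)
    .filter(([brand, domains]) => text.includes(brand) && !hostBelongsTo(host, domains))
    .map(([brand]) => brand);
}

// Runs both rules over an event list. Volume is counted per origin within a
// sliding window; an origin is reported once when it first exceeds maxPerOrigin.
function detect(notifications, { windowMs = 3600000, maxPerOrigin = 5 } = {}) {
  const alerts = [];
  const recentByOrigin = new Map();
  const events = [...notifications].sort((a, b) => a.ts - b.ts);

  for (const n of events) {
    const brands = brandMismatch(n);
    if (brands.length > 0) {
      alerts.push({ rule: 'brand-impersonation', origin: n.origin, ts: n.ts, detail: brands.join(',') });
    }
    if (ALLOWED_ORIGINS.has(n.origin)) continue;

    const q = recentByOrigin.get(n.origin) || [];
    q.push(n.ts);
    while (q.length > 0 && n.ts - q[0] > windowMs) q.shift();
    recentByOrigin.set(n.origin, q);
    if (q.length === maxPerOrigin + 1) {
      alerts.push({ rule: 'high-volume-unknown-origin', origin: n.origin, ts: n.ts,
                    detail: `${q.length} notifications within ${windowMs / 60000} min` });
    }
  }
  return alerts;
}

// Constructed sample feed: one benign internal alert, one genuine Netflix
// notification, and six lures from a single unknown origin within five minutes.
const ROGUE_ORIGIN = 'https://cdn-prize.example';
const SAMPLE_NOTIFICATIONS = [
  { ts: 0,      origin: 'https://intranet.example.com', title: 'Build finished', body: 'Pipeline 42 is green' },
  { ts: 60000,  origin: 'https://www.netflix.com',      title: 'New this week',  body: 'Netflix added three titles' },
  { ts: 120000, origin: ROGUE_ORIGIN, title: 'Your Netflix account has been suspended', body: 'Verify your details now' },
  ...[1, 2, 3, 4, 5].map(i => ({
    ts: 120000 + i * 30000, origin: ROGUE_ORIGIN, title: 'Security alert', body: 'PayPal: confirm your login',
  })),
];

console.log(JSON.stringify(detect(SAMPLE_NOTIFICATIONS), null, 2));
```

The brand rule fires on every lure (six alerts in the sample) and the volume rule fires once, when the unknown origin crosses five pushes inside the hour; tune `maxPerOrigin` and the window to the baseline you observe. The brand table is deliberately small and explicit: a notification naming a brand from any origin the brand does not own is a high-confidence signal, whereas keyword-only matching would also flag legitimate news alerts. On managed Chrome and Edge the same origin allowlist can be enforced up front with the DefaultNotificationsSetting and NotificationsAllowedForUrls policies, which removes the prompt the article notes users so often overlook.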

Broader implications challenge platform makers. Google’s Push API, meant for engagement, now fuels crimeware. BlackFog called for VAPID key blacklisting and rate-limiting. As Matrix Push C2 evolves—adding obfuscated workers and anti-analysis—threat hunters pivot to behavioral signals: unexpected notifications from finance domains.

Fortifying the Browser Perimeter

Industry response accelerates. Velociraptor, another tool misused post-Windows flaws, pairs with Matrix in some chains, per The Hacker News. BlackFog’s IOCs include C2 domains like matrixpush[.]top, urging immediate blocks. For insiders, Sigma rules detecting service worker registrations offer proactive hunting.

This isn’t a fleeting trend. Matrix Push C2’s MaaS model lowers barriers, promising proliferation. SecOps must adapt, treating notifications as the new phishing frontier.
