LmCast :: Stay tuned in

‘Matrix Push’ C2 Tool Hijacks Browser Notifications

Recorded: Nov. 20, 2025, 8:04 p.m.


Have you ever given two seconds of thought to a browser notification? No? That's what hackers bent on phishing are counting on.

Nate Nelson, Contributing Writer
November 20, 2025
4 Min Read

Cybercriminals have a new, user-friendly tool for turning your browser alerts into a vector for phishing attacks.

"Matrix Push" is slick, it's pretty, and it's about as easy to use as any commercial software you can think of. Unfortunately, it's a command-and-control (C2) framework for infecting people with malware through their browsers. A new report from BlackFog describes how, from an interface colored like a retro terminal, hackers can design notifications that get pushed to victims from their legitimate browsers, but in fact point to malicious websites.

Attackers can freely send browser users unusual login warnings that look like they're coming from PayPal, security alerts purporting to come from MetaMask, or fake error messages from Cloudflare. Matrix Push comes prebuilt with notification and landing page templates mimicking all of those brands, plus TikTok, Netflix, and more.

And from the Matrix Push dashboard, attackers can track a variety of useful data about their victims, like the total number of them reached, where they're all located, their IP addresses, their browser and operating system (OS) types and versions, any cryptocurrency wallets they've used, etc. And since it is, ultimately, a C2 framework, the program also offers a variety of real-time information, like whether a victim is online or not, how recently they viewed a fake notification, etc. This real-time data empowers the attacker to hit people at the times when they're most likely to engage with fake alerts.

Weaponizing Browser Notifications for Phishing

The most difficult part of using Matrix Push, for an attacker, is simply getting a user to enable it in the first place.

Through social engineering, or whatever other means may be necessary, the attacker has to lure a user to a secretly malicious or compromised website under their control. Then, like any legitimate one might, the malicious site uses the browser's notifications application programming interface (API) to request permission to send the victim push notifications.

If the user grants this permission, the malicious site registers a service worker, creates a Push API subscription, and sends that data back to the Matrix Push command-and-control (C2) tool. And because these APIs and processes are standard across all major browsers, Matrix Push works equally well no matter what browser or operating system (OS) the victim connects from.

With all of this in place, the attacker can now feed their victim phishing messages through the browser's native notification functionality, without raising any kind of alarms.

"Browsers allow this behavior because from their perspective the user has explicitly granted notification permission, and the APIs used are completely legitimate," explains Darren Williams, founder and CEO of BlackFog. "The notifications are delivered using normal encrypted push traffic through the browser vendor’s push service, so no malicious binaries or exploits are involved. Security tools generally do not flag this activity because it looks identical to everyday website notifications, and the only malicious component is the content of the messages or the destination links, which can rotate too quickly for traditional detection to keep up."

Flexible, Subscription-Based Phishing for Everyone

Matrix Push only seems to have popped up on Telegram channels and Dark Web forums early last month. It's currently being sold on the cybercrime underground using a tiered subscription pricing model: $150 in cryptocurrencies per month, or $405 for three months, $765 for six, or $1,500 for a full year.

Its developers market it in English to financially-motivated threat actors, which Williams says "implies a broad, international cybercriminal audience rather than a specific region or community. Because it is flexible and platform-agnostic, it is likely to be favored by actors targeting consumers for credential theft, payment fraud, cryptocurrency scams, and other large-scale social-engineering campaigns, but definitive victim patterns have not emerged."

Williams thinks that stopping a tool so crafty as Matrix Push will require coordinated effort from browser developers, security vendors, network administrators, and users.

"Browser developers can implement stronger abuse protections, such as reputation systems, auto-revoking permission for noisy or suspicious sites, and clearer warnings for high-risk notification requests," he says, while "security products can help by detecting and blocking known Matrix Push infrastructure and by giving enterprises the option to disable or restrict Web push altogether. Users and administrators also play a key role by avoiding unnecessary notification approvals and regularly reviewing and removing permissions from unknown or untrusted sites."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Matrix Push: A User-Friendly C2 Tool for Sophisticated Phishing Campaigns

BlackFog has reported on “Matrix Push,” a deceptively simple command-and-control (C2) framework designed to facilitate highly targeted phishing attacks. The tool’s ease of use, coupled with its ability to leverage standard browser notification APIs, makes it a potent weapon in the hands of cybercriminals. Designed for financially motivated threat actors, Matrix Push allows attackers to craft highly convincing phishing messages that appear to originate from legitimate brands like PayPal, MetaMask, or Cloudflare. The framework, currently being sold on dark web channels for approximately $150 per month, includes pre-built notification and landing page templates, expanding its reach and appeal.

The tool’s real power lies in its real-time data tracking capabilities. Matrix Push monitors key victim behaviors, such as notification engagement, location, browser and operating system details, and even cryptocurrency wallet usage. This granular data enables attackers to precisely time and tailor their phishing messages for maximum effectiveness. The framework’s platform-agnostic nature ensures compatibility across various browsers and operating systems, further broadening its potential impact.

The rise of Matrix Push highlights the evolving sophistication of cybercriminal tactics. By exploiting the trusted functionality of browser notifications, attackers are bypassing traditional security measures. Addressing this threat requires a multi-faceted approach, involving enhanced browser security features, robust detection tools, and increased user awareness. BlackFog’s founder, Darren Williams, emphasizes the need for coordinated efforts from browser developers, security vendors, and network administrators to mitigate the risks posed by this user-friendly C2 framework. The tool’s popularity suggests a broad international cybercriminal audience, necessitating vigilance across various regions.
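
Williams's advice to regularly review and remove notification permissions from unknown sites can be scripted for managed endpoints. The following is an added example, not code from BlackFog or the article: it audits a Chromium-style profile "Preferences" file for origins that hold notification permission and separates those outside an approved list. The file layout (`profile.content_settings.exceptions.notifications`, with `setting` 1 meaning allow), the sample data, and the approved-host list are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Chromium "Preferences" file, trimmed to the
# notification permission map. Assumed layout: keys are "origin,*" patterns
# and "setting" is 1 for allow, 2 for block.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {"setting": 1},
        "https://video-player.example.net:443,*": {"setting": 1},
        "https://news.example.org:443,*": {"setting": 2},
        "https://prize-claim.example.net:443,*": {"setting": 1},
    }}}}
})

ALLOW = 1  # assumed Chromium content-setting value for "allow"


def granted_origins(preferences_text):
    """Return the sorted origins that currently hold notification permission."""
    prefs = json.loads(preferences_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    return sorted(pattern.split(",", 1)[0]
                  for pattern, value in entries.items()
                  if isinstance(value, dict) and value.get("setting") == ALLOW)


def audit(preferences_text, approved_hosts):
    """Split granted origins into approved ones and ones to review or revoke."""
    result = {"approved": [], "review": []}
    for origin in granted_origins(preferences_text):
        host = urlsplit(origin).hostname or ""
        # A host is approved if it equals, or is a subdomain of, an approved host.
        ok = any(host == a or host.endswith("." + a) for a in approved_hosts)
        result["approved" if ok else "review"].append(origin)
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_PREFERENCES, {"example.com"})  # hypothetical allowlist
    for origin in report["review"]:
        print("review notification grant:", origin)
```

Origins in the `review` list are candidates for manual revocation in the browser's site settings, or for blocking through enterprise browser policy where Web push is restricted.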