Find notable cyber news and cases, enriched with sources, timelines, and signals.

MatrixPDF ecosystem shift changes threat-actor operations

Threat Actor Meta
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

MatrixPDF is being marketed on cybercrime forums and Telegram, widening access to a paid phishing toolkit that can turn ordinary PDFs into lures for credential theft or malware downloads.

Related Happenings

Bluekit alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score25 First: 30.04.2026 21:58 Last: 30.04.2026 21:58 Sources 1

About this happening: Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...

Latest development: 25.06.2026 18:00

Bluekit phishing-as-a-service added browser-in-the-middle (BitM) login theft and nearly 70 new hostnames over the past week. Netcraft said the kit now uses the open-source JavaScript library rrweb to serialize the page DOM and stream it over a WebSocket connection, while the live 5-second monitoring system and victim qualification checks remain in use.

Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims

Campaign
H score34 First: 11.03.2026 16:45 Last: 11.03.2026 16:45 Sources 1

About this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...

Europol-led takedown of Tycoon 2FA

Law Enforcement
H score79 First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Europol** and partner agencies **dismantled Tycoon 2FA**, a **phishing-as-a-service** toolkit used for **AitM credential harvesting**, removing a major cybercrime platform and d...

Latest development: 17.04.2026 22:05

Following the Europol-led Tycoon 2FA takedown, phishers worldwide moved to rival PhaaS providers such as Mamba 2FA, EvilProxy, and Sneaky 2FA, while device code phishing accelerated and some actors reused Tycoon-era PDFs, source-code quirks, and techniques in EvilTokens-style account takeover campaigns.

HaxorSEO/HxSEO backlink marketplace for SEO poisoning

Threat Actor Meta
H score29 First: 26.01.2026 17:00 Last: 26.01.2026 17:00 Sources 1

About this happening: The **HaxorSEO/HxSEO** operation is monetizing **compromised-domain backlinks** to push **malicious pages** higher in search results, increasing the reach of phishing and malware...

BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft

Malware Activity
H score36 First: 12.12.2025 16:04 Last: 12.12.2025 16:04 Sources 1

About this happening: **BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...

Timeline

  1. 30.09.2025 21:57 2 articles · 9mo ago

    MatrixPDF is advertised on cybercrime forums and Telegram

    Initial Disclosure

    Varonis researchers identified MatrixPDF, a phishing and malware distribution toolkit, being sold through cybercrime forums and Telegram. The builder lets attackers import a legitimate PDF and add blurred content, fake "Secure Document" prompts, clickable overlays, and JavaScript actions that open external sites for credential theft or malware downloads, and Varonis showed the files could reach Gmail while bypassing phishing filters because the malicious content is fetched only after user interaction.

    Show sources