MatrixPDF ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
MatrixPDF is being marketed on cybercrime forums and Telegram, widening access to a paid phishing toolkit that can turn ordinary PDFs into lures for credential theft or malware downloads.
Related Happenings
Bluekit alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score25
First: 30.04.2026 21:58
Last: 30.04.2026 21:58
Sources 1
About this happening:
Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...
Bluekit alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...
Latest development: 25.06.2026 18:00
Bluekit phishing-as-a-service added browser-in-the-middle (BitM) login theft and nearly 70 new hostnames over the past week. Netcraft said the kit now uses the open-source JavaScript library rrweb to serialize the page DOM and stream it over a WebSocket connection, while the live 5-second monitoring system and victim qualification checks remain in use.
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
H score34
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
CampaignAbout this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Europol-led takedown of Tycoon 2FA
Law Enforcement
H score79
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Europol** and partner agencies **dismantled Tycoon 2FA**, a **phishing-as-a-service** toolkit used for **AitM credential harvesting**, removing a major cybercrime platform and d...
Europol-led takedown of Tycoon 2FA
Law EnforcementAbout this happening: **Europol** and partner agencies **dismantled Tycoon 2FA**, a **phishing-as-a-service** toolkit used for **AitM credential harvesting**, removing a major cybercrime platform and d...
Latest development: 17.04.2026 22:05
Following the Europol-led Tycoon 2FA takedown, phishers worldwide moved to rival PhaaS providers such as Mamba 2FA, EvilProxy, and Sneaky 2FA, while device code phishing accelerated and some actors reused Tycoon-era PDFs, source-code quirks, and techniques in EvilTokens-style account takeover campaigns.
HaxorSEO/HxSEO backlink marketplace for SEO poisoning
Threat Actor Meta
H score29
First: 26.01.2026 17:00
Last: 26.01.2026 17:00
Sources 1
About this happening:
The **HaxorSEO/HxSEO** operation is monetizing **compromised-domain backlinks** to push **malicious pages** higher in search results, increasing the reach of phishing and malware...
HaxorSEO/HxSEO backlink marketplace for SEO poisoning
Threat Actor MetaAbout this happening: The **HaxorSEO/HxSEO** operation is monetizing **compromised-domain backlinks** to push **malicious pages** higher in search results, increasing the reach of phishing and malware...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware Activity
H score36
First: 12.12.2025 16:04
Last: 12.12.2025 16:04
Sources 1
About this happening:
**BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware ActivityAbout this happening: **BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
Timeline
-
30.09.2025 21:57 2 articles · 9mo ago
MatrixPDF is advertised on cybercrime forums and Telegram
Initial DisclosureVaronis researchers identified MatrixPDF, a phishing and malware distribution toolkit, being sold through cybercrime forums and Telegram. The builder lets attackers import a legitimate PDF and add blurred content, fake "Secure Document" prompts, clickable overlays, and JavaScript actions that open external sites for credential theft or malware downloads, and Varonis showed the files could reach Gmail while bypassing phishing filters because the malicious content is fetched only after user interaction.
Show sources
- New MatrixPDF toolkit turns PDFs into phishing and malware lures — www.bleepingcomputer.com — 30.09.2025 21:57
- New MatrixPDF toolkit turns PDFs into phishing and malware lures — www.bleepingcomputer.com — 30.09.2025 21:57