MatrixPDF ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
MatrixPDF is being marketed on cybercrime forums and Telegram, widening access to a paid phishing toolkit that can turn ordinary PDFs into lures for credential theft or malware downloads.
Related Happenings
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Europol-led takedown of Tycoon 2FA
Law Enforcement
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Europol** and partner agencies **dismantled Tycoon 2FA**, a **phishing-as-a-service** toolkit used for **AitM credential harvesting**, removing a major cybercrime platform and d...
Latest development: 17.04.2026 22:05
Following the Europol-led Tycoon 2FA takedown, phishers worldwide moved to rival PhaaS providers such as Mamba 2FA, EvilProxy, and Sneaky 2FA, while device code phishing accelerated and some actors reused Tycoon-era PDFs, source-code quirks, and techniques in EvilTokens-style account takeover campaigns.
HaxorSEO/HxSEO backlink marketplace for SEO poisoning
Threat Actor Meta
First: 26.01.2026 17:00
Last: 26.01.2026 17:00
Sources 1
About this happening:
The **HaxorSEO/HxSEO** operation is monetizing **compromised-domain backlinks** to push **malicious pages** higher in search results, increasing the reach of phishing and malware...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware Activity
First: 12.12.2025 16:04
Last: 12.12.2025 16:04
Sources 1
About this happening:
**BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
Atroposia RAT modular toolkit promoted on underground forums
Malware Activity
First: 29.10.2025 13:15
Last: 29.10.2025 13:15
Sources 1
About this happening:
A new **Atroposia RAT** activity has surfaced as a **modular criminal toolkit** promoted on underground forums, increasing the risk of **credential theft** and **unauthorized remo...
Timeline
30.09.2025 21:57 · 2 articles
MatrixPDF is advertised on cybercrime forums and Telegram
Initial Disclosure
Varonis researchers identified MatrixPDF, a phishing and malware distribution toolkit, being sold through cybercrime forums and Telegram. The builder lets attackers import a legitimate PDF and add blurred content, fake "Secure Document" prompts, clickable overlays, and JavaScript actions that open external sites for credential theft or malware downloads. Varonis showed that the files could reach Gmail while bypassing phishing filters, because the malicious content is fetched only after user interaction.
Sources:
- New MatrixPDF toolkit turns PDFs into phishing and malware lures — www.bleepingcomputer.com — 30.09.2025 21:57
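
Because the attachment itself carries only actions and links, static triage of the PDF structure is one place a defender can look. The sketch below is an added example, not code from Varonis or the toolkit: it counts action-related name keys (including `#xx`-escaped spellings) and collects external targets. The key list, function names and sample bytes are assumptions made for illustration, and it reads only uncompressed objects, so compressed streams would need inflating first.

```python
import re

# PDF name keys behind the behaviours described above: script actions,
# actions fired on open, and links that leave the document (editor's choice).
ACTION_KEYS = {"JavaScript", "JS", "OpenAction", "AA", "URI", "Launch"}
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URL_RE = re.compile(rb"https?://[^\s\"'\\)<>]+")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count action keys and collect external targets in uncompressed objects."""
    keys = {}
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in ACTION_KEYS:
            keys[name] = keys.get(name, 0) + 1
    urls = {m.group(1).decode("latin-1") for m in URI_RE.finditer(data)}
    urls |= {m.group(0).decode("latin-1") for m in URL_RE.finditer(data)}
    # Script or open-time actions plus an external target is the combination
    # to escalate; a lone hyperlink is common in benign PDFs.
    scripted = bool({"JavaScript", "JS", "OpenAction", "AA", "Launch"} & set(keys))
    return {"keys": keys, "urls": sorted(urls), "escalate": scripted and bool(urls)}


# Constructed sample (not a real lure): open action, link overlay, escaped name.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Subtype /Link /A << /S /URI"
    b" /URI (https://portal.example.invalid/view) >> >> endobj\n"
    b"3 0 obj << /S /J#61vaScript"
    b" /JS (var u = \"https://portal.example.invalid/doc\";) >> endobj\n"
)
BENIGN = b"%PDF-1.7\n1 0 obj << /A << /S /URI /URI (https://example.invalid/) >> >> endobj\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage_pdf(blob))
```

A hit from this check is a reason to detonate or inspect the file further, not a verdict, since legitimate forms also use JavaScript and open actions.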