Matrix Push C2 Malware Delivery via Browser Push Notifications
Summary
Cybercriminals are exploiting browser push notifications to deliver malware through a newly discovered command-and-control (C2) platform called Matrix Push C2. This platform tricks users into allowing notifications, which are then used to redirect them to malicious sites, monitor infected clients in real time, and scan for cryptocurrency wallets. The attack is fileless, operating through the browser's notification system without requiring traditional malware files on the system. The campaign is orchestrated via a web-based dashboard that provides real-time intelligence on victims, including detailed information on each infected client. The platform includes analytics and link management tools to measure campaign effectiveness and adjust tactics. Social engineering templates for brands like MetaMask, Netflix, and PayPal are used to maximize the credibility of fake messages. Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit, sold under a tiered subscription model with payments accepted in cryptocurrency. The platform was first observed in October 2025 and has been active since then.
Timeline
- 22.11.2025 08:47 · 1 article
  Matrix Push C2 includes analytics and reporting capabilities
  Matrix Push C2 includes an "Analytics & Reports" section that allows customers to measure the effectiveness of their campaigns and refine them as required.
  Sources:
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- 21.11.2025 17:45 · 2 articles
  Matrix Push C2 Platform Exploits Browser Push Notifications for Malware Delivery
  Cybercriminals are using a newly discovered command-and-control (C2) platform called Matrix Push C2 to deliver malware via browser push notifications. The platform tricks users into allowing notifications, which are then used to redirect them to malicious sites, monitor infected clients in real time, and scan for cryptocurrency wallets. The attack is fileless, operating through the browser's notification system without traditional malware files. The campaign dashboard provides real-time intelligence on victims, and the platform includes tools for measuring campaign effectiveness and adjusting tactics. Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit, sold under a tiered subscription model with payments accepted in cryptocurrency. The platform was first observed in October 2025 and has been active since then.
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
Information Snippets
- Matrix Push C2 abuses legitimate browser push notifications as a C2 channel.
  First reported: 21.11.2025 17:45 (2 sources, 2 articles)
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- The attack tricks users into allowing notifications via social engineering on malicious or compromised websites.
  First reported: 21.11.2025 17:45 (2 sources, 2 articles)
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- Once subscribed, attackers push out fake system notifications and security alerts to redirect victims to malicious sites.
  First reported: 21.11.2025 17:45 (2 sources, 2 articles)
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- The attack is fileless, operating through the browser's notification system without traditional malware files.
  First reported: 21.11.2025 17:45 (2 sources, 2 articles)
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- The campaign dashboard provides real-time intelligence on victims, including detailed information on each infected client.
  First reported: 21.11.2025 17:45 (2 sources, 2 articles)
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- Matrix Push C2 includes analytics and link management tools to measure campaign effectiveness and adjust tactics.
  First reported: 21.11.2025 17:45 (2 sources, 2 articles)
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- Social engineering templates for brands like MetaMask, Netflix, and PayPal are used to maximize the credibility of fake messages.
  First reported: 21.11.2025 17:45 (2 sources, 2 articles)
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- The platform generates short, innocuous URLs that redirect to malicious sites to evade filters and lower victim skepticism.
  First reported: 21.11.2025 17:45 (2 sources, 2 articles)
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- BlackFog recommends anti-data exfiltration (ADX) technology, which blocks unauthorized outbound traffic, as a countermeasure.
  First reported: 21.11.2025 17:45 (1 source, 1 article)
  Sources:
  - Cybercriminals Exploit Browser Push Notifications to Deliver Malware — www.infosecurity-magazine.com — 21.11.2025 17:45
- Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit to other threat actors.
  First reported: 22.11.2025 08:47 (1 source, 1 article)
  Sources:
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- Matrix Push C2 is sold under a tiered subscription model: $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year.
  First reported: 22.11.2025 08:47 (1 source, 1 article)
  Sources:
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- Payments for Matrix Push C2 are accepted in cryptocurrency, and buyers communicate directly with the operator for access.
  First reported: 22.11.2025 08:47 (1 source, 1 article)
  Sources:
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- Matrix Push C2 was first observed at the beginning of October 2025 and has been active since then.
  First reported: 22.11.2025 08:47 (1 source, 1 article)
  Sources:
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
- Matrix Push C2 includes an "Analytics & Reports" section that allows customers to measure the effectiveness of their campaigns and refine them as required.
  First reported: 22.11.2025 08:47 (1 source, 1 article)
  Sources:
  - Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks — thehackernews.com — 22.11.2025 08:47
Similar Happenings
Increased Use of ClickFix Attacks by Threat Actors
ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. The attacks exploit user behavior and technical gaps in detection to evade security measures and compromise systems. They are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.
TikTok Videos Distribute Infostealers via ClickFix Attacks
Cybercriminals are using TikTok videos to distribute information-stealing malware through ClickFix attacks. The videos, disguised as activation guides for popular software like Windows, Spotify, and Netflix, trick users into executing malicious PowerShell commands. These commands download and execute Aura Stealer malware, which steals credentials, cookies, and cryptocurrency wallets. The campaign has been ongoing and is similar to one observed by Trend Micro in May 2025.
Modern web browsers as primary attack surface in enterprise infrastructure
Modern web browsers have become critical components of enterprise infrastructure, but also a primary attack surface for identity-based intrusions, SaaS abuse, and session hijacking. On September 29th at 12:00 PM ET, a webinar will be held to discuss the evolving threat landscape targeting corporate browsers and how attackers compromise accounts, steal data, and bypass traditional defenses. The webinar will focus on real-time detection and response platforms to mitigate these risks. The webinar, titled "Your Browser Is the Breach: Securing the Modern Web Edge", will be co-hosted by BleepingComputer and SC Media, with experts from Push Security. The event aims to educate security professionals on the tactics used by attackers, such as malicious extensions, session token theft, and OAuth abuse, and provide strategies to detect and defend against these threats.
VoidProxy phishing service targets Microsoft 365, Google accounts
A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs.

Additionally, a new phishing automation platform named Quantum Route Redirect (QRR) is targeting Microsoft 365 users worldwide. QRR uses around 1,000 domains hosted on parked or compromised domains to steal credentials. The attacks start with malicious emails impersonating various services, redirecting users to credential harvesting pages. QRR employs a built-in filtering mechanism to distinguish between bots and human visitors, redirecting humans to phishing pages while sending bots to benign sites. QRR has been observed targeting Microsoft 365 accounts across 90 countries, with 76% of attacks directed at U.S. users. The platform offers advanced features such as a configuration panel, monitoring dashboards, intelligent traffic routing, and an analytics dashboard, making it easier for less technically minded cybercriminals to launch sophisticated phishing campaigns. QRR has been observed in the wild since August 2025 and uses a URL pattern of "/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/" for its phishing campaigns. QRR can bypass Microsoft 365 email protections, including Microsoft Exchange Online Protection (EOP), secure email gateways (SEG), and integrated cloud email security (ICES) products. QRR's intelligent redirect system can differentiate between security tools and human visitors, redirecting security tools to legitimate websites and human visitors to phishing pages. QRR has been observed deceiving web application firewall products, enabling attacks to bypass multiple layers of security.
UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
The ClickFix malware campaign has evolved to include multi-OS support and video tutorials that guide victims through the self-infection process. The campaign, which uses fake Cloudflare CAPTCHA pages and malicious PowerShell scripts, has been observed deploying various payloads, including information stealers and backdoors. The FileFix attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr. d0x, uses the address bar in File Explorer to execute malicious commands. The campaign employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated. The StealC malware targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The FileFix attack uses a multilingual phishing site to trick users into executing a malicious command via the File Explorer address bar. The attack leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection. The attack involves a multi-stage PowerShell script that downloads an image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC. The attack uses advanced obfuscation techniques, including junk code and fragmentation, to hinder analysis efforts. The FileFix attack is more likely to be detected by security products because the payload is executed by the victim's web browser. The FileFix attack demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact.

The MetaStealer attack, another variant of the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer malware. The attack involves a multi-stage infection chain that includes a DLL sideloading technique using a legitimate SentinelOne executable. The MetaStealer attack targets crypto wallets and other sensitive information, using a combination of social engineering and technical evasion techniques to deploy malware.

Recently, threat actors have been abusing the decades-old Finger protocol to retrieve and execute remote commands on Windows devices. The Finger protocol is used to deliver commands that create a random-named path, download a zip archive disguised as a PDF, and extract a Python malware package. The Python program is executed using pythonw.exe __init__.py, and a callback is made to the attacker's server to confirm execution. A related batch file indicates that the Python package is an infostealer. Another campaign uses the Finger protocol to retrieve and run commands that look for malware research tools and exit if found. If no malware analysis tools are found, the commands download a zip archive disguised as a PDF and extract the NetSupport Manager RAT package. The commands configure a scheduled task to launch the remote access malware when the user logs in. The Finger protocol abuse appears to be carried out by a single threat actor conducting ClickFix attacks.

A new EVALUSION ClickFix campaign has been discovered, delivering Amatera Stealer and NetSupport RAT. Amatera Stealer, an evolution of ACR Stealer, is available under a malware-as-a-service (MaaS) model and targets crypto wallets, browsers, messaging applications, FTP clients, and email services. It employs advanced evasion techniques such as WoW64 SysCalls and is packed using PureCrypter. The stealer is injected into the MSBuild.exe process to harvest sensitive data and contact an external server, which issues a PowerShell command to fetch and run NetSupport RAT.

The campaign also involves phishing attacks using various malware families and phishing kits named Cephas and Tycoon 2FA. Tycoon 2FA is a phishing kit that bypasses multi-factor authentication (MFA) and authentication apps by intercepting usernames, passwords, session cookies, and MFA flows in real time. It has been used in over 64,000 attacks this year, primarily targeting Microsoft 365 and Gmail. Tycoon 2FA includes anti-detection layers and can lead to total session takeover, allowing attackers to move laterally into various enterprise systems. Legacy MFA methods are vulnerable to Tycoon 2FA, and phishing-resistant MFA solutions like Token Ring and Token BioStick are recommended to prevent such attacks.