
Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks

November 26, 2025
By ZadeNor AI Team

Cross-Platform Phishing Attacks Emerge with Matrix Push C2's Browser Notifications

In a concerning development, researchers have discovered a new wave of fileless, cross-platform phishing attacks leveraging browser notifications. The attacks are attributed to Matrix Push C2, a sophisticated malware framework that utilizes browser notifications to deliver malicious payloads.

How it Works

Matrix Push C2 relies on a web-based interface to interact with the malware, which is designed to be highly modular and adaptable. The framework uses a combination of JavaScript and HTML to create a seamless user experience, making it difficult for victims to detect the malicious activity.

Here's a high-level overview of the attack process:

  1. Initial Infection: The victim receives a phishing email or visits a compromised website, which triggers the download of a malicious JavaScript file.
  2. Browser Notification: The JavaScript file creates a browser notification, which appears as a legitimate system alert. The notification prompts the user to allow the malware to access their system.
  3. Malware Execution: Once the user grants permission, the malware is executed, and it begins to communicate with the Matrix Push C2 server.
  4. Payload Delivery: The server delivers a payload, which can be a variety of malicious files, including executables, scripts, or even other malware.

Technical Details

The Matrix Push C2 framework uses a range of techniques to evade detection, including:

  • Code obfuscation: The malware obfuscates its code to make it harder for security software to detect.
  • Domain name generation: The malware generates random domain names to communicate with the server, making it challenging to track.
  • Browser fingerprinting: The malware collects information about the victim's browser and system configuration to create a unique fingerprint.

Implications

The emergence of Matrix Push C2 highlights the growing threat of fileless, cross-platform phishing attacks. These attacks are particularly concerning because they can evade traditional security measures and deliver highly sophisticated payloads.

To mitigate this threat, organizations should:

  • Implement robust security awareness training: Educate employees on the risks of phishing attacks and the importance of verifying the authenticity of system alerts.
  • Use advanced threat detection tools: Invest in security software that can detect and block fileless malware and cross-platform attacks.
  • Monitor browser activity: Regularly monitor browser activity to detect suspicious behavior and prevent malware execution.
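
One way to act on the "monitor browser activity" recommendation is to review which sites already hold notification permission in a browser profile. The following is an added example, not code from the original article or from the framework it describes. It assumes a Chromium-style profile "Preferences" JSON layout, and the sample data, hostnames and allowlist are constructed for illustration.

```javascript
// Added example (not from the article): list origins holding notification permission.
// Assumption: `prefs` is the parsed JSON of a Chromium profile "Preferences" file,
// with per-site decisions under profile.content_settings.exceptions.notifications
// (setting 1 = allow, 2 = block).

// Constructed sample data; every hostname here is made up.
const samplePrefs = {
  profile: { content_settings: { exceptions: { notifications: {
    "https://mail.corp.example:443,*": { setting: 1 },
    "https://free-video-stream.example:443,*": { setting: 1 },
    "https://news.example:443,*": { setting: 2 },
    "https://corp.example.alerts.example:443,*": { setting: 1 },
  } } } },
};

// Hypothetical allowlist of domains the organization approves for notifications.
const approvedHosts = ["corp.example"];

// Exact host or true subdomain only; substring matching would accept look-alikes
// such as corp.example.alerts.example.
function hostIsApproved(host, approved) {
  return approved.some((a) => host === a || host.endsWith("." + a));
}

// Returns one finding per origin that is allowed to push notifications
// but is not covered by the allowlist.
function auditNotificationGrants(prefs, approved) {
  const entries = prefs?.profile?.content_settings?.exceptions?.notifications ?? {};
  const findings = [];
  for (const [pattern, value] of Object.entries(entries)) {
    if (!value || value.setting !== 1) continue; // only "allow" grants matter
    const primary = pattern.split(",")[0]; // "origin,*" -> origin
    let url;
    try {
      url = new URL(primary);
    } catch {
      findings.push({ origin: primary, reason: "unparseable pattern" });
      continue;
    }
    if (hostIsApproved(url.hostname, approved)) continue;
    findings.push({ origin: url.origin, reason: "unapproved origin" });
  }
  return findings;
}

console.log(auditNotificationGrants(samplePrefs, approvedHosts));
```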

Code Analysis

Here's an example of the JavaScript code used to create the browser notification:

// Create a browser notification
const notification = new Notification('System Alert', {
  body: 'Your system is at risk. Please allow the malware to access your system.',
  icon: 'https://example.com/malware-icon.png'
});

// Add event listener to handle user response
notification.addEventListener('click', () => {
  // Grant permission to access system
  chrome.permissions.request({
    permissions: ['activeTab']
  }, (granted) => {
    if (granted) {
      // Execute malware
      chrome.tabs.executeScript({
        code: 'eval("malware_code")'
      });
    }
  });
});

This code creates a browser notification with a malicious payload and adds an event listener to handle the user's response. If the user grants permission, the malware is executed.


Source: https://thehackernews.com/2025/11/matrix-push-c2-uses-browser.html
